Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528540
MD5:	9d7ea17aa6d8ec2653fbd07092d2a3d8
SHA1:	87be9a5685f0cb4c5af2ee6edca095403c41a45e
SHA256:	8178437df4f2521009fcf310fbcd17fd7a2084bb6e35cf0f5a52cf456f189a9b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9D7EA17AA6D8EC2653FBD07092D2A3D8)

firefox.exe (PID: 5660 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6756 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7196 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf2d1419-78d8-4674-a0a7-5faab0442aeb} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a70710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7824 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -parentBuildID 20230927232528 -prefsHandle 1388 -prefMapHandle 1256 -prefsLen 26242 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3e6854-25f5-48be-aca9-16793ff11bca} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a42910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7628 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4976 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62736bf5-4a6a-402e-9ae1-8f0951dc0690} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c1ab7d110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5992	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 1_2_0082EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0082EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0082ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0082ED6A

Source: C:\Users\user\Desktop\file.exe

1_2_0082EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0081AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_0081AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00849576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00849576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000001.00000000.1272597915.0000000000872000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5717f0c4-8
Source: file.exe, 00000001.00000000.1272597915.0000000000872000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c0ae2aa6-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba368d33-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b4f3a3bb-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FB4B77 NtQuerySystemInformation,		15_2_000001A235FB4B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FD9C32 NtQuerySystemInformation,		15_2_000001A235FD9C32

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0081D5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_0081D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00811201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00811201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0081E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0081E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B8060	1_2_007B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00822046	1_2_00822046
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00818298	1_2_00818298
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007EE4FF	1_2_007EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E676B	1_2_007E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00844873	1_2_00844873
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BCAF0	1_2_007BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DCAA0	1_2_007DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CCC39	1_2_007CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E6DD9	1_2_007E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CB119	1_2_007CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B91C0	1_2_007B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D1394	1_2_007D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D1706	1_2_007D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D781B	1_2_007D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C997D	1_2_007C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B7920	1_2_007B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D19B0	1_2_007D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D7A4A	1_2_007D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D1C77	1_2_007D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D7CA7	1_2_007D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E9EEE	1_2_007E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0083BE44	1_2_0083BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D1F32	1_2_007D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FB4B77	15_2_000001A235FB4B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FD9C32	15_2_000001A235FD9C32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FDA35C	15_2_000001A235FDA35C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 15_2_000001A235FD9C72	15_2_000001A235FD9C72

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007D0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007B9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@19/36@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_008237B5 GetLastError,FormatMessageW,

1_2_008237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_008110BF AdjustTokenPrivileges,CloseHandle,		1_2_008110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_008116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_008116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_008251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_008251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0081D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0081D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0082648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0082648E

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_007B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1383991789.0000021C1E813000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000007.00000003.1440198332.0000021C1DBD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf2d1419-78d8-4674-a0a7-5faab0442aeb} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a70710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -parentBuildID 20230927232528 -prefsHandle 1388 -prefMapHandle 1256 -prefsLen 26242 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3e6854-25f5-48be-aca9-16793ff11bca} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a42910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4976 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62736bf5-4a6a-402e-9ae1-8f0951dc0690} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c1ab7d110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf2d1419-78d8-4674-a0a7-5faab0442aeb} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a70710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -parentBuildID 20230927232528 -prefsHandle 1388 -prefMapHandle 1256 -prefsLen 26242 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3e6854-25f5-48be-aca9-16793ff11bca} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a42910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4976 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62736bf5-4a6a-402e-9ae1-8f0951dc0690} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c1ab7d110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.7.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000007.00000003.1381271769.0000021C1E317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000007.00000003.1376876971.0000021C1E309000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000007.00000003.1381271769.0000021C1E317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 00000007.00000003.1363989334.0000021C12105000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1365839200.0000021C12110000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000007.00000003.1377205619.0000021C1213F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.7.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000007.00000003.1376876971.0000021C1E309000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000007.00000003.1377205619.0000021C1213F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 00000007.00000003.1363989334.0000021C12105000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1365839200.0000021C12110000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007B42DE

Source: gmpopenh264.dll.tmp.7.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007D0A76 push ecx; ret

1_2_007D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_007CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00841C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00841C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-95814

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 15_2_000001A235FB4B77 rdtsc

15_2_000001A235FB4B77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0081DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0081DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007EC2A2 FindFirstFileExW,	1_2_007EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_008268EE FindFirstFileW,FindClose,	1_2_008268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0082698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0082698F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0081D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0081D076
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0081D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0081D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00829642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00829642
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0082979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0082979D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00829B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00829B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00825C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00825C97

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007B42DE

Source: firefox.exe, 0000000F.00000002.2546314128.000001A236140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: firefox.exe, 00000010.00000002.2542435543.000001B566ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW A
Source: firefox.exe, 0000000B.00000002.2547182629.00000253E0C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: firefox.exe, 00000010.00000002.2545588906.000001B566D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt
Source: firefox.exe, 0000000B.00000002.2541646202.00000253E06EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2546314128.000001A236140000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2540137162.000001A23584A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000B.00000002.2546558078.00000253E0B20000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000B.00000002.2547182629.00000253E0C08000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2546314128.000001A236140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 15_2_000001A235FB4B77 rdtsc

15_2_000001A235FB4B77

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0082EAA2 BlockInput,

1_2_0082EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_007E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007D4CE8 mov eax, dword ptr fs:[00000030h]

1_2_007D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00810B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_00810B62

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_007E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_007D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D09D5 SetUnhandledExceptionFilter,	1_2_007D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_007D0C21

Source: C:\Users\user\Desktop\file.exe

1_2_00811201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_007F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0081B226 SendInput,keybd_event,

1_2_0081B226

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_008322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_008322DA

Source: C:\Users\user\Desktop\file.exe

1_2_00810B62

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00811663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00811663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007D0698 cpuid

1_2_007D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00828195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_00828195

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0080D27A GetUserNameW,

1_2_0080D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_007EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5992, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5992, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00831204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_00831204
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00831806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00831806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.48	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.206	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.46	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtube.comZ	firefox.exe, 00000007.00000003.1450180115.000027CBE4D03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000F.00000002.2542300904.000001A235AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566CC8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 00000007.00000003.1441473682.0000021C1ACF0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000007.00000003.1476455854.0000021C14B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1354528903.0000021C1387D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.7.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000007.00000003.1399535906.0000021C1AE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1323619682.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1325455698.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1324283662.0000021C1AE53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2542300904.000001A235ACE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566C86000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/	firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000007.00000003.1467252079.0000021C151F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1436757446.0000021C11DA0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 00000007.00000003.1475709484.0000021C14B7F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000007.00000003.1297878798.0000021C1257C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1296628701.0000021C12300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1296935989.0000021C1251B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297245119.0000021C12534000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297522945.0000021C1254D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297741217.0000021C12567000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000007.00000003.1335981919.0000021C1476E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1440923336.0000021C1B3E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000007.00000003.1440584553.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1460490933.0000021C1C5D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000007.00000003.1320469591.0000021C1ACF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000007.00000003.1465164881.0000021C1AD90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297245119.0000021C12534000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297522945.0000021C1254D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297741217.0000021C12567000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 00000007.00000003.1462221047.0000021C15D4F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000007.00000003.1296628701.0000021C12300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1296935989.0000021C1251B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297245119.0000021C12534000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297522945.0000021C1254D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297741217.0000021C12567000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000007.00000003.1329402239.0000021C15EDD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/	firefox.exe, 00000007.00000003.1321736225.0000021C1AB5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1468348732.0000021C1505A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1442473165.0000021C1AB5E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htt	file.exe, 00000001.00000003.1293303982.000000000149A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1293056057.000000000149A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1295037757.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 00000007.00000003.1346921647.0000021C1E040000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000007.00000003.1470105363.0000021C149AA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000007.00000003.1354457811.0000021C13887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1353513006.0000021C13887000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000007.00000003.1461022112.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1481179182.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000F.00000002.2542300904.000001A235AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566CC8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	firefox.exe, 00000007.00000003.1442473165.0000021C1AB6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000007.00000003.1354457811.0000021C13887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1353513006.0000021C13887000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000007.00000003.1457348724.0000021C1DD49000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mo	firefox.exe, 00000007.00000003.1481179182.0000021C1B18D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000007.00000003.1476548596.0000021C147C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1335981919.0000021C1476E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.7.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 00000007.00000003.1481344340.0000021C1B10B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 0000000B.00000002.2543099438.00000253E09C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2542300904.000001A235AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2545916635.000001B566F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.7.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000007.00000003.1470105363.0000021C149B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1470105363.0000021C149B0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000007.00000003.1321999452.0000021C163B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1473793540.0000021C163B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2542300904.000001A235A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566C13000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://browser/menubar.ftl	firefox.exe, 00000007.00000003.1459037199.0000021C1E8E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1464029597.0000021C1E8E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1383518010.0000021C1E8E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000007.00000003.1304232667.0000021C12AD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1302538767.0000021C1372A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1338150739.0000021C1DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1352239751.0000021C16445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1338150739.0000021C1DD5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1324400223.0000021C1AE46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1301731257.0000021C12AF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1324602154.0000021C1AE28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1405023766.0000021C1E05C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1350797955.0000021C16445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1322610495.0000021C14983000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1380423235.0000021C16AB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1301855817.0000021C13733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1399535906.0000021C1AE1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1321110944.0000021C1AC2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1442686455.0000021C16B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1457348724.0000021C1DD50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1348535056.0000021C1E090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1402478210.0000021C1444F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1462221047.0000021C15D2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1478311463.0000021C12AD9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 00000007.00000003.1462221047.0000021C15D37000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 00000007.00000003.1462221047.0000021C15D49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.7.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000007.00000003.1329402239.0000021C15EDD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000007.00000003.1399535906.0000021C1AE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1323619682.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1325455698.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1324283662.0000021C1AE53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000007.00000003.1299429314.0000021C11D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433436437.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300440958.0000021C11D2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300339832.0000021C11D18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433213601.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 00000007.00000003.1477672555.0000021C14770000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000007.00000003.1462221047.0000021C15D4F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000007.00000003.1354457811.0000021C13887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1353513006.0000021C13887000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000007.00000003.1299429314.0000021C11D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433436437.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300440958.0000021C11D2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300339832.0000021C11D18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433213601.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000007.00000003.1461022112.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1481179182.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000007.00000003.1472871445.0000021C1AC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.co.uk/	firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000007.00000003.1460325058.0000021C1DBDF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://screenshots.firefox.com/	firefox.exe, 00000007.00000003.1297741217.0000021C12567000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 00000007.00000003.1352846210.0000021C1466B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1397099069.0000021C1466B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297878798.0000021C1257C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1296628701.0000021C12300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1296935989.0000021C1251B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297245119.0000021C12534000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297522945.0000021C1254D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1297741217.0000021C12567000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000007.00000003.1327158367.0000021C13267000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000B.00000002.2542679815.00000253E0780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2545287939.000001A235F60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2545687362.000001B566E20000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 00000007.00000003.1354457811.0000021C13887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1353513006.0000021C13887000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 00000007.00000003.1299429314.0000021C11D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433436437.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300440958.0000021C11D2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1300339832.0000021C11D18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1433213601.0000021C11D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/complete/search	firefox.exe, 00000007.00000003.1324218371.0000021C1AEEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://watch.sling.com/	firefox.exe, 00000007.00000003.1477797437.0000021C1474D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 00000007.00000003.1472871445.0000021C1AC38000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000B.00000002.2543099438.00000253E09C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2542300904.000001A235AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2545916635.000001B566F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.7.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 00000007.00000003.1399535906.0000021C1AE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1323619682.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1325455698.0000021C1AE51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1324283662.0000021C1AE53000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.206	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
52.222.236.48	services.addons.mozilla.org	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528540
Start date and time:	2024-10-08 00:49:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@19/36@71/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 38 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.238.148.23, 44.224.63.42, 44.242.27.108, 142.250.184.202, 142.250.185.202, 142.250.185.74, 2.22.61.59, 2.22.61.56, 142.250.185.238, 142.250.186.142
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:50:36	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	me.zip	Get hash	malicious	Unknown	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Amadey, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	me.zip	Get hash	malicious	Unknown	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	http://origin0701.k-mil.net/makers/official_url?m=4293&u=https://quickinaction.click/all284372166724447/284372166724447#ZHdpZ2h0X3Njb3R0QG91dGxvb2suY29t==	Get hash	malicious	HTMLPhisher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	me.zip	Get hash	malicious	Unknown	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Amadey, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	me.zip	Get hash	malicious	Unknown	Browse	93.184.215.14
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	93.184.215.14
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	http://kendellseafoods.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	DocuSign-Docx.pdf	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	157.240.251.35
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://patjimmy323.wixsite.com/my-site-1/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	https://coisunibaseaiusignin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	http://uppholldbcloginn.gitbook.io/us/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	http://stonemartin1001.wixsite.com/sky-result/	Get hash	malicious	Unknown	Browse	157.240.251.35
	http://ashleyproberts.wixsite.com/my-site/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	52.222.236.23
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.80
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.80
	me.zip	Get hash	malicious	Unknown	Browse	18.65.39.4
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	52.222.236.120
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	52.222.236.23

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	34.117.162.98
	http://pub-f3922f20d4c74ba1869fd3db906e3295.r2.dev/gsecondcheck.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	http://jamesfortune619.wixsite.com/my-site-4/	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://emaildlatt-mailcom-28e2uy93.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	http://pan4477.onrender.com/	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://wtm.entree-plat-dessert.com/r/eNpNj1uTojAQhX8N+6aYG4SHqS0VWHXB9Vbj4stUCAGDXJyQ6OKv38zbdPXDV+d096l+ugGEHqAuED7GiAhQAMooRDiABQc5LH3MCBXCBRQRF/vEzSHiXglnyKdF4RHEwAx6EAQ5w7aC0vVcQNze/WnerlrfBwfNHRjbZlybacuUFLxhUolpqazKjRxkJyxpprSYMDPJVc/7Rk4GZriYcKPUOOFWcuASYD/wCJyy4e6gmOmPVhTStA4KRaE/bIIDPdZab2E9bonJqrPus+F925pGy+8DQ28UF1/LnVZC3BumCzEMQukfBX/zy8terrvuDI76doov9WG1mh1q7Z19Ss3Yb45ZwoN2mR6jT/gv/zsm6EqiYVNXy/EQZy/jwEXrD3tCSLV+be2H/q7u9CuDFsPPMLvmyfr3fPt4l+v9Zb5vg67LCKw31zGsM/JK8GkbJBEGYeWd0hSI4hzT3QPXvyL5x95+7goVLhqqWHqoUVJ9xW00jWrQL3OSnld9f8tv7HEL/wMooptN	Get hash	malicious	Unknown	Browse	34.117.132.248
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	34.117.59.81
	build.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://s3.amazonaws.com/r3e1272/Rco.html#4eyOul3510eTKK19nejdimaazo189TBUDIERNFIMTFBQ264510CRSG907S11	Get hash	malicious	Phisher	Browse	34.117.39.58
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	51.250.99.224
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	48.131.111.170
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	51.65.109.90
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	34.44.37.101
	x86.elf	Get hash	malicious	Mirai	Browse	57.10.146.234
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	34.36.216.150
	Portal.msi	Get hash	malicious	Unknown	Browse	34.128.163.126
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	34.187.79.97
AMAZON-02US	http://pay.christinagstewart.com/	Get hash	malicious	Unknown	Browse	18.245.86.11
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ==	Get hash	malicious	Unknown	Browse	108.138.7.53
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	35.157.212.223
	https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ==	Get hash	malicious	Unknown	Browse	54.70.225.16
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	108.156.46.98
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	108.138.7.20
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	52.217.68.4
	https://s.craft.me/yB5midhwwaHUPW	Get hash	malicious	HTMLPhisher	Browse	52.37.179.159
	FW_ _EXTERNAL_ Completed_ iNH9Y_Contract_and_Agreement_3509750318S REF ID_iNH9Y.msg	Get hash	malicious	HTMLPhisher	Browse	108.156.46.59
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	51.250.99.224
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	48.131.111.170
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	51.65.109.90
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	34.44.37.101
	x86.elf	Get hash	malicious	Mirai	Browse	57.10.146.234
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	34.36.216.150
	Portal.msi	Get hash	malicious	Unknown	Browse	34.128.163.126
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	34.187.79.97

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	me.zip	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	7U5e5iJPJ0.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	me.zip	Get hash	malicious	Unknown	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	http://origin0701.k-mil.net/makers/official_url?m=4293&u=https://quickinaction.click/all284372166724447/284372166724447#ZHdpZ2h0X3Njb3R0QG91dGxvb2suY29t==	Get hash	malicious	HTMLPhisher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d3450d45-af27-4057-91d8-01ac5afd9f15.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.178344108972574
Encrypted:	false
SSDEEP:	192:1LKMX2wjcbhbVbTbfbRbObtbyEl7nZWFr6JA6unSrDtTkdBSlj:1LPXcNhnzFSJMrJ1nSrDhkdBuj
MD5:	A64D22D630A82B2E8CDA4E306D30B93C
SHA1:	AFB59B52BD9959F2DB43DF1148BEAA83F2607827
SHA-256:	31D7A0B98199F136679C287C9FE940D070434FFA4CF9F0C352582A09D3CC6FB9
SHA-512:	EDCCC8F95B7E2736C77A617611CE85F971CBCD237CF1F6A0BDEDF751E82A09F05AA24821D02B8DEF3EE1E5A80DC52000814623416D813C9EC3D607F7EE83C345
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"d3450d45-af27-4057-91d8-01ac5afd9f15","creationDate":"2024-10-08T00:15:59.420Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d3450d45-af27-4057-91d8-01ac5afd9f15.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.178344108972574
Encrypted:	false
SSDEEP:	192:1LKMX2wjcbhbVbTbfbRbObtbyEl7nZWFr6JA6unSrDtTkdBSlj:1LPXcNhnzFSJMrJ1nSrDhkdBuj
MD5:	A64D22D630A82B2E8CDA4E306D30B93C
SHA1:	AFB59B52BD9959F2DB43DF1148BEAA83F2607827
SHA-256:	31D7A0B98199F136679C287C9FE940D070434FFA4CF9F0C352582A09D3CC6FB9
SHA-512:	EDCCC8F95B7E2736C77A617611CE85F971CBCD237CF1F6A0BDEDF751E82A09F05AA24821D02B8DEF3EE1E5A80DC52000814623416D813C9EC3D607F7EE83C345
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"d3450d45-af27-4057-91d8-01ac5afd9f15","creationDate":"2024-10-08T00:15:59.420Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.938062539650255
Encrypted:	false
SSDEEP:	192:dLFS+OuPUkOdwiOdEiooslH5jV/ZiwBhZ0Xj3L/A8P:HFMXihslH5jVhiwBrA
MD5:	2A45F4D2038B20D7D9B2D927C88A29AA
SHA1:	7F6977F3F0A3BB7D93DAB35D8D311A03136DF0E6
SHA-256:	A3A3EAF2DFDAC8F9F15351332AAE4FABC21CB08F4E1CB30100D2D4555B3BC647
SHA-512:	893F33CAC0887931CB75A190E9520468FFA6F4068DA5EB89A67C8F4C761FB9C46CD8723E66D99C96D5BBB1A787581F181D300297598BC99C305BE6A89914E622
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"7bc86eac-c05c-4545-a5e5-03a2503c064a","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T10:58:21.623Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cd0a25e7-ded7-4f19-86ce-bb010938a092","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.938062539650255
Encrypted:	false
SSDEEP:	192:dLFS+OuPUkOdwiOdEiooslH5jV/ZiwBhZ0Xj3L/A8P:HFMXihslH5jVhiwBrA
MD5:	2A45F4D2038B20D7D9B2D927C88A29AA
SHA1:	7F6977F3F0A3BB7D93DAB35D8D311A03136DF0E6
SHA-256:	A3A3EAF2DFDAC8F9F15351332AAE4FABC21CB08F4E1CB30100D2D4555B3BC647
SHA-512:	893F33CAC0887931CB75A190E9520468FFA6F4068DA5EB89A67C8F4C761FB9C46CD8723E66D99C96D5BBB1A787581F181D300297598BC99C305BE6A89914E622
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"7bc86eac-c05c-4545-a5e5-03a2503c064a","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T10:58:21.623Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cd0a25e7-ded7-4f19-86ce-bb010938a092","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5317
Entropy (8bit):	6.6001890334338125
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6q+m:zTx2x2t0FDJ4NpkuvjdeplTMHm
MD5:	BB43EF1E7A5E32AB89416BF2B4856129
SHA1:	FB32DEEB5BAC138A427FFD4728327A68E18FAD82
SHA-256:	FFA8720630B79E63B854F6EB1C17BFEC588294DF4C87EACC2FF1DC80DDC7CF0A
SHA-512:	AA1CC532C583C70EA2332E19D261B3CE13C159B11DBC0D7DD9BE38594BE6060A30929ECA0B1938498A5A271BE4772E78B75CB9BD4D52D33DE094182DF52DCB10
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5317
Entropy (8bit):	6.6001890334338125
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6q+m:zTx2x2t0FDJ4NpkuvjdeplTMHm
MD5:	BB43EF1E7A5E32AB89416BF2B4856129
SHA1:	FB32DEEB5BAC138A427FFD4728327A68E18FAD82
SHA-256:	FFA8720630B79E63B854F6EB1C17BFEC588294DF4C87EACC2FF1DC80DDC7CF0A
SHA-512:	AA1CC532C583C70EA2332E19D261B3CE13C159B11DBC0D7DD9BE38594BE6060A30929ECA0B1938498A5A271BE4772E78B75CB9BD4D52D33DE094182DF52DCB10
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1853922070675935
Encrypted:	false
SSDEEP:	768:YI4dvfBXf4H6J4/4nN4O4amoavf4w4lB484QS4S4T:Y9mtvq
MD5:	A51B8E1B0ED704E954E172A7E926B5A6
SHA1:	EE8C7A958C82763917A79E242C76932B887759D8
SHA-256:	C4778491FA50712379FB7482F4D5F609EE0613A95E1ABCEDD9F6DE3302832C66
SHA-512:	D81C254A47EBE59CF4943EA1100CD688B45257B2D20AEE59BC0A8251B3BF1894F85B80248FA60259DD051819B7C4B68182D0AFD30ADFAD311042B3F131C8AF25
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{8defec20-1d2a-4e92-a8ca-6ec63d483a92}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1853922070675935
Encrypted:	false
SSDEEP:	768:YI4dvfBXf4H6J4/4nN4O4amoavf4w4lB484QS4S4T:Y9mtvq
MD5:	A51B8E1B0ED704E954E172A7E926B5A6
SHA1:	EE8C7A958C82763917A79E242C76932B887759D8
SHA-256:	C4778491FA50712379FB7482F4D5F609EE0613A95E1ABCEDD9F6DE3302832C66
SHA-512:	D81C254A47EBE59CF4943EA1100CD688B45257B2D20AEE59BC0A8251B3BF1894F85B80248FA60259DD051819B7C4B68182D0AFD30ADFAD311042B3F131C8AF25
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{8defec20-1d2a-4e92-a8ca-6ec63d483a92}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: me.zip, Detection: malicious, Browse Filename: darkreader-chrome.zip, Detection: malicious, Browse Filename: darkreader-chrome.zip, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07326826949284501
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiYt:DLhesh7Owd4+jiI
MD5:	80C0FAE2D539307046AD9BFBC12F8DC4
SHA1:	0D9CD0E03F0515E48EECCEDF636B56F63E326A40
SHA-256:	F084767687E5E306116BB712BD0B1D6B51DAD68D48A020F4B818E20DE333E938
SHA-512:	A858582890CE730AB9404494AF80EE825D24234D299C09C3C2EAA7B26AFA14AFEF8E0B62F5772DCC5AD2B0252600C31719B54F3861BC7FB84726E347929F9954
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstF+4tbhQmYlstF+4tbhQc/L89//alEl:GtWt84YmYWt84YcD89XuM
MD5:	62B3D6A933F260EF0618BEBC8212F03D
SHA1:	BE94472B8837DCDA4BD3B480DC42C7B99747BA12
SHA-256:	3C41EE5807AA78DF92B99570D355151DCDB72A36421F73B7ADC5F32D1B8D7974
SHA-512:	F1C6B61CD49EA0622C292EAAD7669EF4A3C7B258737FC900C4E22BC067C645D770E9BA5C93E1D8220E41722C3BE9CAD687E242ACF0E869780C98881E28F5AFC1
Malicious:	false
Preview:	..-......................c......w.>.........G..-......................c......w.>.........G........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03992025326209769
Encrypted:	false
SSDEEP:	3:Ol12Gw+Mtla3zSdKx9GZ0tl8rEXsxdwhml8XW3R2:KIv4DSgLGKl8dMhm93w
MD5:	7B0BDE7FAEFCF5FCD6187A8BA4FBF386
SHA1:	FEFDD73E0F8E9B1F2B8BC034975FE036F544DC50
SHA-256:	6D8A5772E2EB086CEFFAFCD4C57ED50BB7AB1C0C4E841E2C5EFFE93C8C35CA09
SHA-512:	A15234B95860F69C1969A11722C748D18D0F5871A445A77DBFDC641DBC9AF5151FEC444426D4ACF5578BA50A1CAA92B1F420A2B1153D20DD58A82B718644AADD
Malicious:	false
Preview:	7....-...........w.>.....z...:(.........w.>....c....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13990
Entropy (8bit):	5.4697662512717455
Encrypted:	false
SSDEEP:	192:ntngRHsE1ibqp6GPQ77QCVUgaXp6iP+K/4a3T5R3NBw8dSkSl:nnAZQPQCVUeiPbV/fwtk0
MD5:	0D17918B9672B1A09DABC81D017D8058
SHA1:	744D50058FAA306F0F8D68A6155A259DFD75469D
SHA-256:	A11007FF3C7DB8E4549D2D42136E4DA3E9413A231C951894FDA1F7FDEB321AC9
SHA-512:	EC0FA1F2369F07AC5E7DFB128C75E4C6D5AF93AA5751175F307AEBF4A30608201C9F0EA5479A1C0E2F9D051C332A74676F6EBD19C49C3733371920EDA7A26EA3
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "4cbb0eca-22b0-45bf-8c7b-17c3580947ca");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728346529);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728346529);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728346529);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172834

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13990
Entropy (8bit):	5.4697662512717455
Encrypted:	false
SSDEEP:	192:ntngRHsE1ibqp6GPQ77QCVUgaXp6iP+K/4a3T5R3NBw8dSkSl:nnAZQPQCVUeiPbV/fwtk0
MD5:	0D17918B9672B1A09DABC81D017D8058
SHA1:	744D50058FAA306F0F8D68A6155A259DFD75469D
SHA-256:	A11007FF3C7DB8E4549D2D42136E4DA3E9413A231C951894FDA1F7FDEB321AC9
SHA-512:	EC0FA1F2369F07AC5E7DFB128C75E4C6D5AF93AA5751175F307AEBF4A30608201C9F0EA5479A1C0E2F9D051C332A74676F6EBD19C49C3733371920EDA7A26EA3
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "4cbb0eca-22b0-45bf-8c7b-17c3580947ca");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728346529);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728346529);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728346529);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172834

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\saved-telemetry-pings\07134cc5-5a30-4414-8d77-09b523f924b2 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.973190911575987
Encrypted:	false
SSDEEP:	12:YZFggEW4+HcIVHlW8cOlZGV1AQIYzvZcyBuLZnFsXan:YR4OcSlCOlZGV1AQIWZcy6ZCq
MD5:	040D10DC91DCB95A826928C94A142C6A
SHA1:	5B4C236883D86F6D806616284601AC927468DAE8
SHA-256:	70268F4F862B902D918A1F3AFCBF22265628D5439E9C33B5689CF54DA5C6B198
SHA-512:	9942366F1D3B49E2451399E915532B0ABD4E21A99B7B09C671D5411CC980BE6F1818C89C9B21499C260F056379C66140B0C4D4C27CE32CC766AB839DCDAF9AF5
Malicious:	false
Preview:	{"type":"health","id":"07134cc5-5a30-4414-8d77-09b523f924b2","creationDate":"2024-10-08T00:16:00.142Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\saved-telemetry-pings\07134cc5-5a30-4414-8d77-09b523f924b2.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.973190911575987
Encrypted:	false
SSDEEP:	12:YZFggEW4+HcIVHlW8cOlZGV1AQIYzvZcyBuLZnFsXan:YR4OcSlCOlZGV1AQIWZcy6ZCq
MD5:	040D10DC91DCB95A826928C94A142C6A
SHA1:	5B4C236883D86F6D806616284601AC927468DAE8
SHA-256:	70268F4F862B902D918A1F3AFCBF22265628D5439E9C33B5689CF54DA5C6B198
SHA-512:	9942366F1D3B49E2451399E915532B0ABD4E21A99B7B09C671D5411CC980BE6F1818C89C9B21499C260F056379C66140B0C4D4C27CE32CC766AB839DCDAF9AF5
Malicious:	false
Preview:	{"type":"health","id":"07134cc5-5a30-4414-8d77-09b523f924b2","creationDate":"2024-10-08T00:16:00.142Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331694921872974
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSPHLXnIgaK/pnxQwRlszT5sKpL8H3eHVPGVXTK6amhujJXXYzOBaFs:GUpOx+PnR6RC3eQZTK64JHaTv4/f
MD5:	C330866B130C07328120845D62A1C3E3
SHA1:	896FE0795AA2BB7FA1CC7258A784C4953297B6BB
SHA-256:	5E80807C31B6FA342B0B840BBD4C77627114FEA8341EBB61745DDA489BB89E96
SHA-512:	8EAA193D4BC5BB1CA769ED2AA06FEF211268375263E2EE4FF302F7D53AFAAB1E31F8F46EE259B565F7B6ACB6A34B952500E064E6682437E1E259C73A3C53303D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a136fefd-398d-402a-a220-5181a6411791}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728346533622,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`499128...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...05457,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331694921872974
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSPHLXnIgaK/pnxQwRlszT5sKpL8H3eHVPGVXTK6amhujJXXYzOBaFs:GUpOx+PnR6RC3eQZTK64JHaTv4/f
MD5:	C330866B130C07328120845D62A1C3E3
SHA1:	896FE0795AA2BB7FA1CC7258A784C4953297B6BB
SHA-256:	5E80807C31B6FA342B0B840BBD4C77627114FEA8341EBB61745DDA489BB89E96
SHA-512:	8EAA193D4BC5BB1CA769ED2AA06FEF211268375263E2EE4FF302F7D53AFAAB1E31F8F46EE259B565F7B6ACB6A34B952500E064E6682437E1E259C73A3C53303D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a136fefd-398d-402a-a220-5181a6411791}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728346533622,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`499128...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...05457,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.331694921872974
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSPHLXnIgaK/pnxQwRlszT5sKpL8H3eHVPGVXTK6amhujJXXYzOBaFs:GUpOx+PnR6RC3eQZTK64JHaTv4/f
MD5:	C330866B130C07328120845D62A1C3E3
SHA1:	896FE0795AA2BB7FA1CC7258A784C4953297B6BB
SHA-256:	5E80807C31B6FA342B0B840BBD4C77627114FEA8341EBB61745DDA489BB89E96
SHA-512:	8EAA193D4BC5BB1CA769ED2AA06FEF211268375263E2EE4FF302F7D53AFAAB1E31F8F46EE259B565F7B6ACB6A34B952500E064E6682437E1E259C73A3C53303D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a136fefd-398d-402a-a220-5181a6411791}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728346533622,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`499128...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...05457,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030795329643462
Encrypted:	false
SSDEEP:	48:YrSAY/jhUQZpExB1+anOqW5VhpZVjWKzzc8cyYMsku7f86SLAVL7sKsM5FtsfAct:yc/5TEr5i+Kzzczvbw6KkMKXrc2Rn27
MD5:	51EFB02E959F829A89063D9005B165BA
SHA1:	24516B8590E24D62151D2239C861A1A0262C6B56
SHA-256:	39464F651359A5AA6095B5D6EED80314E64CBBE3C129F0C05211AD5F944FFD67
SHA-512:	3527ABCCF17E54DC238B557BDB649752C53A6EDA764BA45A85981A9AC810420D5A98CC42C31F9A3069191F89E155D6438A003527EB2928F69F86B77C584ED055
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T00:15:08.212Z","profileAgeCreated":1696503493780,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030795329643462
Encrypted:	false
SSDEEP:	48:YrSAY/jhUQZpExB1+anOqW5VhpZVjWKzzc8cyYMsku7f86SLAVL7sKsM5FtsfAct:yc/5TEr5i+Kzzczvbw6KkMKXrc2Rn27
MD5:	51EFB02E959F829A89063D9005B165BA
SHA1:	24516B8590E24D62151D2239C861A1A0262C6B56
SHA-256:	39464F651359A5AA6095B5D6EED80314E64CBBE3C129F0C05211AD5F944FFD67
SHA-512:	3527ABCCF17E54DC238B557BDB649752C53A6EDA764BA45A85981A9AC810420D5A98CC42C31F9A3069191F89E155D6438A003527EB2928F69F86B77C584ED055
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T00:15:08.212Z","profileAgeCreated":1696503493780,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583736000539422
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	9d7ea17aa6d8ec2653fbd07092d2a3d8
SHA1:	87be9a5685f0cb4c5af2ee6edca095403c41a45e
SHA256:	8178437df4f2521009fcf310fbcd17fd7a2084bb6e35cf0f5a52cf456f189a9b
SHA512:	4ef98e2223501aa358ca9f37b1ad364f131c2b0456eb15efe8109bf0b1b8bedaa14429ab1ef300abe68891c0af93d5d44b51dd3f4824314be806809b62f56ebb
SSDEEP:	12288:kqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga6Tw:kqDEvCTbMWu7rQYlBQcBiT6rprG8aKw
TLSH:	A2159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67046130 [Mon Oct 7 22:31:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FEAD0AF5273h
jmp 00007FEAD0AF4B7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEAD0AF4D5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEAD0AF4D2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FEAD0AF791Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FEAD0AF7968h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FEAD0AF7951h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bc0	0x9c00	24518c5ddaa27e3830b6c29e4cf490ed	False	0.31700721153846156	data	5.331432947920383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xe88	data			1.0029569892473118
RT_GROUP_ICON	0xdd640	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6b8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd6cc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd6e0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd6f4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd7d0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:50:34.343544006 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.343580008 CEST	443	49714	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.343660116 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.349195957 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.349209070 CEST	443	49714	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.349503040 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.349530935 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:34.360199928 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.361624002 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.361640930 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:34.699873924 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.699903965 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:34.703768969 CEST	49717	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:34.705817938 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.707412004 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:34.707429886 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:34.914194107 CEST	80	49717	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:34.914266109 CEST	49717	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:34.914448977 CEST	49717	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:34.920011997 CEST	443	49714	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.921691895 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.921952009 CEST	80	49717	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:34.931132078 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.931144953 CEST	443	49714	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.931346893 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.931485891 CEST	443	49714	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.931540012 CEST	49714	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.931660891 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.931680918 CEST	443	49719	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:34.931781054 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.933505058 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:34.933522940 CEST	443	49719	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:35.014446020 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.014465094 CEST	443	49720	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.015162945 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.016710997 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.016721010 CEST	443	49720	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.035298109 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.035316944 CEST	443	49721	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.035782099 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.037429094 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.037441969 CEST	443	49721	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.049426079 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.049455881 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.050057888 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.050282001 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.050296068 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.340626955 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.340665102 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.340887070 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.341072083 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.341090918 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.373485088 CEST	80	49717	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.373868942 CEST	49717	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.379282951 CEST	80	49717	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.382025003 CEST	49717	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.387651920 CEST	443	49719	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:35.387891054 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:35.392442942 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:35.392450094 CEST	443	49719	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:35.392580032 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:35.392616987 CEST	443	49719	35.190.72.216	192.168.2.11
Oct 8, 2024 00:50:35.392687082 CEST	49719	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:50:35.486138105 CEST	443	49720	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.489331961 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.494201899 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.494209051 CEST	443	49720	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.494338989 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.494395971 CEST	443	49720	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.494699955 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.494731903 CEST	443	49724	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.495242119 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.495265961 CEST	49720	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.496721029 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.496732950 CEST	443	49724	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.500267982 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.502996922 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.506216049 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.506223917 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.506495953 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.508208990 CEST	443	49721	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.510289907 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.510344028 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.510523081 CEST	443	49722	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:35.510879993 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.511967897 CEST	49722	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:35.514476061 CEST	49725	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.514579058 CEST	49726	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.517257929 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.517257929 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.517270088 CEST	443	49721	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.517463923 CEST	443	49721	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.519594908 CEST	49721	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.523159981 CEST	80	49725	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.523237944 CEST	49725	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.523332119 CEST	80	49726	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.523363113 CEST	49725	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.523471117 CEST	49726	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.523552895 CEST	49726	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.530436993 CEST	80	49725	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.530647039 CEST	80	49726	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.546854019 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:35.547605038 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:35.548655033 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:35.548676014 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:35.553714037 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.553738117 CEST	443	49727	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.555540085 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:35.555562973 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:35.555624962 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:35.555749893 CEST	443	49716	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:35.556508064 CEST	49716	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:35.557991028 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.557991028 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.558016062 CEST	443	49727	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.867268085 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.868032932 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.873553991 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.873567104 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.873871088 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.876218081 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.876341105 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.876374960 CEST	443	49723	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.876699924 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.876729012 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.877661943 CEST	49723	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.877713919 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.877849102 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:35.877863884 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:35.941224098 CEST	443	49724	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.941365004 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.947196960 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.947201967 CEST	443	49724	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.947222948 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.947341919 CEST	443	49724	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:35.947767973 CEST	49724	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:35.965022087 CEST	80	49726	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.965536118 CEST	49726	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:35.967286110 CEST	80	49725	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.971446037 CEST	80	49726	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:35.979149103 CEST	49726	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.004940987 CEST	443	49727	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.005012989 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.025017977 CEST	49725	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.030903101 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.030925035 CEST	443	49727	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.031021118 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.031127930 CEST	443	49727	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.031186104 CEST	49727	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.031584978 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.031627893 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.031727076 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.033157110 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.033174038 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.033647060 CEST	80	49725	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:36.033857107 CEST	49725	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.314357042 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:36.314431906 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:36.317841053 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:36.317863941 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:36.318169117 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:36.320842981 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:36.320914984 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:36.321053982 CEST	443	49728	34.160.144.191	192.168.2.11
Oct 8, 2024 00:50:36.321172953 CEST	49728	443	192.168.2.11	34.160.144.191
Oct 8, 2024 00:50:36.485546112 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.495405912 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.498164892 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.498286963 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.505286932 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.505306959 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.505387068 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.505605936 CEST	443	49734	34.117.188.166	192.168.2.11
Oct 8, 2024 00:50:36.514666080 CEST	49734	443	192.168.2.11	34.117.188.166
Oct 8, 2024 00:50:36.960621119 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.965698004 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:36.965791941 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.965902090 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:36.970905066 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.037106037 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.041996956 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.042604923 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.042737961 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.047594070 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.418450117 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.464960098 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.464998960 CEST	443	49745	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:37.465734005 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.465747118 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.467736006 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.467756033 CEST	443	49745	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:37.498074055 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.546900034 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.616198063 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.623059988 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.714293003 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:37.759028912 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.920522928 CEST	443	49745	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:37.920604944 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.924650908 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.924659014 CEST	443	49745	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:37.924734116 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.924825907 CEST	443	49745	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:37.927222013 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:37.928781986 CEST	49745	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:37.933423042 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.024832010 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.027900934 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.034059048 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.067452908 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.125057936 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.128113985 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.128154993 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.130412102 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.130412102 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.130445957 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.138493061 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.138524055 CEST	443	49752	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.138816118 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.140396118 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.140418053 CEST	443	49752	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.183406115 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.267529964 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.267574072 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.283082962 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.286914110 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.286926985 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.319468021 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.325973034 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.419893980 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.448437929 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.453268051 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.464694023 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.545165062 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.572566032 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.574070930 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.592542887 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.592581987 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.592849016 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.594569921 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.594569921 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.594719887 CEST	443	49751	35.244.181.201	192.168.2.11
Oct 8, 2024 00:50:38.595429897 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.595477104 CEST	49751	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:50:38.597750902 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.607812881 CEST	443	49752	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.607887030 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.614492893 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.614500999 CEST	443	49752	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.614518881 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.614736080 CEST	443	49752	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.614929914 CEST	49752	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.620297909 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.625324011 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.635658026 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.635684967 CEST	443	49759	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.635793924 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.637171984 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.637183905 CEST	443	49759	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.716607094 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.741533995 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.741555929 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.741760969 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.767409086 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.805475950 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.807261944 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.807279110 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.807344913 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.807634115 CEST	443	49753	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.809863091 CEST	49753	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.810379982 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.819000006 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.819062948 CEST	443	49760	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.820770025 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.822148085 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.823645115 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:38.823683977 CEST	443	49760	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:38.825007915 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.825046062 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.825406075 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.825544119 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.825567007 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.825661898 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.838620901 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.838677883 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.840466022 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.840639114 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:38.840656996 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:38.901593924 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.917007923 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:38.952007055 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.970372915 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:38.997487068 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.002300024 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.093545914 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.098721027 CEST	443	49759	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.099224091 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.152570009 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.156317949 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.156336069 CEST	443	49759	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.156423092 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.156639099 CEST	443	49759	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.158061981 CEST	49759	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.158893108 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.163808107 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.235966921 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.236020088 CEST	443	49768	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.236274004 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.237624884 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.237643003 CEST	443	49768	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.255100012 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.259598017 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.267123938 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.267792940 CEST	443	49760	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:39.267885923 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:39.285881042 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.285943985 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.308864117 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.308890104 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.309187889 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.311506987 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.311520100 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.312254906 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.315407038 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.315629959 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.315629959 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.315882921 CEST	443	49761	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.316102982 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.316191912 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.316498041 CEST	443	49762	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.317418098 CEST	49761	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.317455053 CEST	49762	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.318650961 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:39.318665028 CEST	443	49760	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:39.318727970 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:39.318911076 CEST	443	49760	34.149.100.209	192.168.2.11
Oct 8, 2024 00:50:39.321084976 CEST	49760	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:50:39.326090097 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.331137896 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.331459045 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.337133884 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.355015993 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355057955 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.355165958 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355174065 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.355622053 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355622053 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355737925 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355745077 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.355885983 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.355896950 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.423644066 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.428888083 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.433064938 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.437858105 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.459512949 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.459532976 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.459599018 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.460530996 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.460669041 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.463774920 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.463784933 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.464149952 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.464154005 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.464163065 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.464771986 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.464803934 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.467308998 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.468975067 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.468993902 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.469063997 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.528903008 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.569361925 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.677366972 CEST	443	49768	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.677786112 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.679441929 CEST	443	49715	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:39.679749966 CEST	49715	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:39.681415081 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.681420088 CEST	443	49768	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.681567907 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.681596041 CEST	443	49768	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.682626009 CEST	49768	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.684278011 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.689105034 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.780605078 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.783715963 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.788621902 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.807167053 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.807298899 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.809680939 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.809938908 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.809945107 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.810220957 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.810347080 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.812434912 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.812439919 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.812764883 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.815299988 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.815408945 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.815589905 CEST	443	49770	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.815891981 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.815963030 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.816080093 CEST	443	49769	34.120.208.123	192.168.2.11
Oct 8, 2024 00:50:39.816092014 CEST	49770	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.816797018 CEST	49769	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:50:39.832639933 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.852176905 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.856920958 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.879525900 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.932694912 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.948920012 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:39.958329916 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:39.963098049 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.001785040 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:40.054115057 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.102054119 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:40.163641930 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:40.164679050 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:40.164683104 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:40.164699078 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:40.164851904 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:40.189603090 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:40.189603090 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:40.189621925 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:40.189855099 CEST	443	49771	142.250.185.206	192.168.2.11
Oct 8, 2024 00:50:40.190635920 CEST	49771	443	192.168.2.11	142.250.185.206
Oct 8, 2024 00:50:40.200110912 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:40.205029011 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.297208071 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.356157064 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:40.586873055 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:40.593466997 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.685048103 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:40.735038042 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:45.880387068 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:45.880426884 CEST	443	49817	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:45.883543015 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:45.885050058 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:45.885071039 CEST	443	49817	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:46.319577932 CEST	443	49817	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:46.320564985 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:46.738807917 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:46.738828897 CEST	443	49817	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:46.738974094 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:46.739141941 CEST	443	49817	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:46.743146896 CEST	49817	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:48.790023088 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:48.794868946 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:48.886446953 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:48.946065903 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.194088936 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.200261116 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.286056042 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.291565895 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.292507887 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.349340916 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.385894060 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.398085117 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.404309988 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.427541971 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:50.495240927 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:50.550028086 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:58.308643103 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.308657885 CEST	443	49905	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:58.309009075 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.310489893 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.310504913 CEST	443	49905	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:58.824531078 CEST	443	49905	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:58.824614048 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.829938889 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.829952955 CEST	443	49905	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:58.830025911 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.830104113 CEST	443	49905	34.107.243.93	192.168.2.11
Oct 8, 2024 00:50:58.830985069 CEST	49905	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:50:58.833604097 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:58.840590954 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:58.933695078 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:58.937591076 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:58.944722891 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:58.974474907 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:50:59.035851002 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:50:59.090384007 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:01.353434086 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.353467941 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.354516983 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.354721069 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.354739904 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.359325886 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.359354019 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.360150099 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.360150099 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.360183954 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.361762047 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.361794949 CEST	443	49927	35.190.72.216	192.168.2.11
Oct 8, 2024 00:51:01.364433050 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.370277882 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.370305061 CEST	443	49927	35.190.72.216	192.168.2.11
Oct 8, 2024 00:51:01.370724916 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:01.370742083 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:01.378334999 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:01.378700972 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:01.378722906 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:01.379903078 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.379930973 CEST	443	49929	35.201.103.21	192.168.2.11
Oct 8, 2024 00:51:01.380474091 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.381982088 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.381998062 CEST	443	49929	35.201.103.21	192.168.2.11
Oct 8, 2024 00:51:01.804419041 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.804600000 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.808254957 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.808263063 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.808507919 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.810992956 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.811093092 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.811136961 CEST	443	49925	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:01.811273098 CEST	49925	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:01.814604998 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:01.821863890 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:01.821933985 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.822046995 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.825676918 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.825685024 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.825933933 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.828624010 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.828741074 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.828795910 CEST	443	49926	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.829099894 CEST	49926	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.836551905 CEST	443	49929	35.201.103.21	192.168.2.11
Oct 8, 2024 00:51:01.836633921 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.839844942 CEST	443	49927	35.190.72.216	192.168.2.11
Oct 8, 2024 00:51:01.840049028 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.843199968 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.843209028 CEST	443	49929	35.201.103.21	192.168.2.11
Oct 8, 2024 00:51:01.843292952 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.843470097 CEST	443	49929	35.201.103.21	192.168.2.11
Oct 8, 2024 00:51:01.844095945 CEST	49929	443	192.168.2.11	35.201.103.21
Oct 8, 2024 00:51:01.845088005 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.845088959 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.845102072 CEST	443	49927	35.190.72.216	192.168.2.11
Oct 8, 2024 00:51:01.845271111 CEST	443	49927	35.190.72.216	192.168.2.11
Oct 8, 2024 00:51:01.845520973 CEST	49927	443	192.168.2.11	35.190.72.216
Oct 8, 2024 00:51:01.855680943 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.855729103 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.855802059 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.855931044 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:01.855938911 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:01.915437937 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:01.918277979 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:01.924828053 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:01.957439899 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.016205072 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.060267925 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.080045938 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:02.080060959 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:02.080262899 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:02.083750963 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:02.083765984 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:02.083990097 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:02.086639881 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:02.086735964 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:02.086796999 CEST	443	49928	52.222.236.48	192.168.2.11
Oct 8, 2024 00:51:02.086951017 CEST	49928	443	192.168.2.11	52.222.236.48
Oct 8, 2024 00:51:02.095824957 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.095849037 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.097702980 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.097747087 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.098167896 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.098213911 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.098304987 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.098310947 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.098431110 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.098448038 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.100034952 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.100044966 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.100387096 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.100521088 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.100537062 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.102022886 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.108325005 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.199771881 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.203135014 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.210253000 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.240318060 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.296386957 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:02.302330971 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.306288004 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.309917927 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.309937954 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:02.310208082 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:02.312469006 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.312576056 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.312649012 CEST	443	49935	34.149.100.209	192.168.2.11
Oct 8, 2024 00:51:02.313432932 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.313432932 CEST	49935	443	192.168.2.11	34.149.100.209
Oct 8, 2024 00:51:02.317017078 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.324193001 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.356193066 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.417184114 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.420416117 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.426593065 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.471985102 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.517770052 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.556293011 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.556380987 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.559406042 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.559412003 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.559650898 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.561939001 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.562032938 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.564412117 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.564421892 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.564663887 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.564690113 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.564692020 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.564779997 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.564816952 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.564874887 CEST	443	49936	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.567643881 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.567722082 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.567759991 CEST	443	49937	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.570358038 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.570395947 CEST	49937	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.570415974 CEST	49936	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.570573092 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.574677944 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.574692011 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.574907064 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.575056076 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.578051090 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.578113079 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.578294992 CEST	443	49938	35.244.181.201	192.168.2.11
Oct 8, 2024 00:51:02.578896999 CEST	49938	443	192.168.2.11	35.244.181.201
Oct 8, 2024 00:51:02.581304073 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.673223019 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.682171106 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.689316034 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.726036072 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:02.780761957 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:02.826409101 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:12.686945915 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:12.695173025 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:12.787256002 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:12.793811083 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:19.863322020 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:19.863382101 CEST	443	62876	34.107.243.93	192.168.2.11
Oct 8, 2024 00:51:19.863934040 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:19.865300894 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:19.865318060 CEST	443	62876	34.107.243.93	192.168.2.11
Oct 8, 2024 00:51:20.301017046 CEST	443	62876	34.107.243.93	192.168.2.11
Oct 8, 2024 00:51:20.303421021 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:20.307419062 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:20.307419062 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:20.307441950 CEST	443	62876	34.107.243.93	192.168.2.11
Oct 8, 2024 00:51:20.307588100 CEST	443	62876	34.107.243.93	192.168.2.11
Oct 8, 2024 00:51:20.308135986 CEST	62876	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:51:20.308689117 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:20.313513994 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:20.407133102 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:20.410742998 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:20.415680885 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:20.456859112 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:20.506584883 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:20.557233095 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:30.421888113 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:30.428136110 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:30.522300959 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:30.529534101 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:31.395757914 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.395806074 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.396049023 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396068096 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.396306038 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396579981 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396586895 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396635056 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.396785975 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396799088 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.396898031 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.396908045 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.397161007 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.397170067 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.397294998 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.397313118 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.407749891 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.407767057 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.407785892 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.408076048 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.408088923 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.408308029 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.408329010 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.408411026 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.408420086 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.410274029 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.410303116 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.410355091 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.410527945 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.410540104 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.961935043 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.962265968 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.963586092 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.965039015 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.965058088 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.965487957 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.965497971 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.965924978 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.965936899 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.966212988 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.966641903 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.966656923 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.966701984 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.966731071 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.966806889 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.967550039 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.967559099 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.969073057 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.969080925 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.969400883 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.972134113 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.972165108 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.972392082 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.972632885 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.975424051 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.975433111 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.975783110 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.977957964 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.978012085 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.978380919 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.980391026 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.980410099 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.980748892 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.988840103 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.989170074 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.989480019 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.989492893 CEST	443	62877	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.991225004 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.991400003 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.991535902 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.991540909 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.991626024 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.991631985 CEST	443	62878	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.991735935 CEST	443	62879	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.992710114 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.992737055 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.992872953 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.992955923 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.992994070 CEST	443	62880	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.993271112 CEST	443	62881	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.995199919 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995304108 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995553970 CEST	62879	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995578051 CEST	62881	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995579004 CEST	443	62882	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:31.995584011 CEST	62880	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995598078 CEST	62877	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995621920 CEST	62878	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:31.995695114 CEST	62882	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.120564938 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.127562046 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.154337883 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.154441118 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.162921906 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.162981987 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.163069010 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163116932 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.163367987 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163376093 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.163486958 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163501978 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.163635969 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163681030 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.163800955 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163809061 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163815022 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163815022 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.163995981 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164006948 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164026022 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.164113045 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164119959 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.164176941 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164190054 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.164247036 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164254904 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.164308071 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164320946 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.164562941 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164724112 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.164733887 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.219002962 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.259658098 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.266751051 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.267893076 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.358043909 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.399524927 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.713490009 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.713505030 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.713861942 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.714139938 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.714636087 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.714919090 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.716264963 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.719402075 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.719403028 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.719403982 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.722510099 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.722515106 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.722515106 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.722987890 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.723006010 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.723057032 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.723057032 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.723094940 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.726322889 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.726336002 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.726691961 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.728569031 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.728580952 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.728874922 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.730747938 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.730765104 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.731054068 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.732877016 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.732894897 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.733185053 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.735110998 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.735131025 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.735363960 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.737245083 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.737252951 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.737634897 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.744647980 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.744896889 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.744982004 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.745098114 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.745112896 CEST	443	62888	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.745186090 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.745197058 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.745264053 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.745510101 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.745740891 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.745748997 CEST	443	62885	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.745851994 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.745965004 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.746052980 CEST	443	62884	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.746747971 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.746779919 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.748936892 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.749025106 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.749106884 CEST	443	62887	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.751415968 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.751487017 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.751648903 CEST	443	62886	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.752944946 CEST	62888	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.752958059 CEST	62884	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.753007889 CEST	62885	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.753026009 CEST	62887	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.753066063 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.753196955 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.753205061 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.753225088 CEST	62886	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:32.755342960 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.761481047 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.853126049 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.859553099 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.866230965 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.894637108 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:32.957513094 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:32.963411093 CEST	443	62883	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:32.963471889 CEST	62883	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.010557890 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:33.199363947 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:33.199436903 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.202712059 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.202722073 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:33.202963114 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:33.205092907 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.205235958 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.205282927 CEST	443	62889	34.120.208.123	192.168.2.11
Oct 8, 2024 00:51:33.205456018 CEST	62889	443	192.168.2.11	34.120.208.123
Oct 8, 2024 00:51:33.209414005 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:33.216108084 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:33.318001986 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:33.321922064 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:33.328891993 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:33.358398914 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:33.419971943 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:33.474353075 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:43.326297998 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:43.331360102 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:43.426584005 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:43.431583881 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:53.353122950 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:53.359610081 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:51:53.453504086 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:51:53.458390951 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:00.382782936 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.382844925 CEST	443	62890	34.107.243.93	192.168.2.11
Oct 8, 2024 00:52:00.383316040 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.385548115 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.385576010 CEST	443	62890	34.107.243.93	192.168.2.11
Oct 8, 2024 00:52:00.845289946 CEST	443	62890	34.107.243.93	192.168.2.11
Oct 8, 2024 00:52:00.845402956 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.851557970 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.851593018 CEST	443	62890	34.107.243.93	192.168.2.11
Oct 8, 2024 00:52:00.851727962 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.851828098 CEST	443	62890	34.107.243.93	192.168.2.11
Oct 8, 2024 00:52:00.852235079 CEST	62890	443	192.168.2.11	34.107.243.93
Oct 8, 2024 00:52:00.855865955 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:00.863502979 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:00.955041885 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:00.960212946 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:00.967686892 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:01.006611109 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:01.058573961 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:01.106806993 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:10.965780020 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:10.972526073 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:11.066140890 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:11.073313951 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:20.978110075 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:20.984872103 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:21.078372955 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:21.085299015 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:31.002825975 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:31.009049892 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:31.103187084 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:31.109308004 CEST	80	49741	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:41.015824080 CEST	49742	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:41.020946026 CEST	80	49742	34.107.221.82	192.168.2.11
Oct 8, 2024 00:52:41.116039038 CEST	49741	80	192.168.2.11	34.107.221.82
Oct 8, 2024 00:52:41.120945930 CEST	80	49741	34.107.221.82	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 00:50:34.333551884 CEST	61487	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.333729982 CEST	61725	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.340742111 CEST	53	61725	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.346209049 CEST	60537	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.346209049 CEST	58141	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.347547054 CEST	59104	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.353605986 CEST	53	58141	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.354120016 CEST	53	60537	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.355160952 CEST	53	59104	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.360783100 CEST	57707	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.361393929 CEST	56326	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.362175941 CEST	50807	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:34.368017912 CEST	53	57707	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.368520975 CEST	53	56326	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:34.369241953 CEST	53	50807	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.003839970 CEST	58396	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.010656118 CEST	53	58396	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.014933109 CEST	59087	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.017330885 CEST	63198	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.023529053 CEST	53	59087	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.024080992 CEST	57893	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.026057959 CEST	53	63198	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.030736923 CEST	53	57893	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.035726070 CEST	64996	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.043612957 CEST	53	64996	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.048836946 CEST	50484	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.050179005 CEST	56177	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.056042910 CEST	53	50484	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.057755947 CEST	53	56177	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.078114033 CEST	62306	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.086643934 CEST	53	62306	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.332025051 CEST	60172	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.339682102 CEST	53	60172	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.340830088 CEST	52688	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.348381996 CEST	53	52688	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.350913048 CEST	64513	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.358001947 CEST	53	64513	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.486912966 CEST	58513	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.487539053 CEST	54036	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:35.497282982 CEST	53	58513	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.497844934 CEST	53	54036	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:35.499336958 CEST	63168	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:37.442195892 CEST	63207	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:37.451747894 CEST	53218	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:37.460354090 CEST	53	53218	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:37.465249062 CEST	58406	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:37.474437952 CEST	53	58406	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:37.475028992 CEST	49536	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:37.484204054 CEST	53	49536	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:37.532401085 CEST	53	49685	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:38.138700962 CEST	58063	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:38.147577047 CEST	53	58063	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:38.150940895 CEST	53269	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:38.159684896 CEST	53	53269	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:38.239798069 CEST	64900	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:38.247999907 CEST	53	64900	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:38.270740032 CEST	56145	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:38.278990030 CEST	53	56145	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:38.286672115 CEST	51124	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:38.295492887 CEST	53	51124	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:40.743572950 CEST	64603	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:40.743855953 CEST	62509	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:40.744098902 CEST	62746	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:40.751882076 CEST	53	64603	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:40.752432108 CEST	53	62509	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:40.752468109 CEST	53	62746	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.380012989 CEST	58691	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.382122993 CEST	59393	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.384233952 CEST	59398	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.386924028 CEST	53	58691	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.387461901 CEST	49474	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.389394045 CEST	53	59393	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.389832020 CEST	52063	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.390714884 CEST	53	59398	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.391921997 CEST	52788	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.394088984 CEST	53	49474	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.394721985 CEST	55267	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.396847010 CEST	53	52063	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.397553921 CEST	65203	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.398961067 CEST	53	52788	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.402108908 CEST	53	55267	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.402801991 CEST	64096	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.404366016 CEST	53	65203	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.405131102 CEST	61653	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.409615993 CEST	53	64096	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.410132885 CEST	65501	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.411633015 CEST	53	61653	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.412898064 CEST	58941	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:41.417336941 CEST	53	65501	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:41.419667006 CEST	53	58941	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:45.636251926 CEST	54879	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:45.642976999 CEST	53	54879	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:45.650918007 CEST	63029	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:45.657418966 CEST	53	63029	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:45.670969963 CEST	55616	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:45.678358078 CEST	53	55616	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:45.881014109 CEST	60831	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:45.888045073 CEST	53	60831	1.1.1.1	192.168.2.11
Oct 8, 2024 00:50:48.789064884 CEST	50735	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:58.308938026 CEST	59407	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:50:58.317620039 CEST	53	59407	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.331275940 CEST	52037	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.343518972 CEST	53	52037	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.351066113 CEST	57791	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.363708019 CEST	53	57791	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.364144087 CEST	58546	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.365385056 CEST	55724	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.375096083 CEST	53	55724	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.376925945 CEST	53	58546	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.379185915 CEST	51687	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.380415916 CEST	51068	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.388711929 CEST	53	51687	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.391046047 CEST	53	51068	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.400734901 CEST	65206	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:01.410499096 CEST	53	65206	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:01.815135956 CEST	51737	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:03.299685955 CEST	53	59151	162.159.36.2	192.168.2.11
Oct 8, 2024 00:51:03.768955946 CEST	57344	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:03.778477907 CEST	53	57344	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:19.645415068 CEST	65287	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:19.855925083 CEST	53	65287	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:19.863688946 CEST	60873	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:19.871052027 CEST	53	60873	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:20.308926105 CEST	52329	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:20.316643953 CEST	56446	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:20.323796988 CEST	53	56446	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:20.324306965 CEST	49626	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:20.331283092 CEST	53	49626	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:20.408277988 CEST	51083	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:20.408477068 CEST	62014	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:20.415486097 CEST	53	51083	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:20.415620089 CEST	53	62014	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:31.398343086 CEST	51075	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:31.409300089 CEST	53	51075	1.1.1.1	192.168.2.11
Oct 8, 2024 00:51:31.410187960 CEST	53388	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:51:31.419858932 CEST	53	53388	1.1.1.1	192.168.2.11
Oct 8, 2024 00:52:00.383203983 CEST	56204	53	192.168.2.11	1.1.1.1
Oct 8, 2024 00:52:00.392870903 CEST	53	56204	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 00:50:34.333551884 CEST	192.168.2.11	1.1.1.1	0xdc06	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.333729982 CEST	192.168.2.11	1.1.1.1	0xe9a4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.346209049 CEST	192.168.2.11	1.1.1.1	0x6568	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.346209049 CEST	192.168.2.11	1.1.1.1	0x9ac5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.347547054 CEST	192.168.2.11	1.1.1.1	0xf44e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.360783100 CEST	192.168.2.11	1.1.1.1	0x643	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:34.361393929 CEST	192.168.2.11	1.1.1.1	0x75a4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:34.362175941 CEST	192.168.2.11	1.1.1.1	0x94cd	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:35.003839970 CEST	192.168.2.11	1.1.1.1	0x6a79	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.014933109 CEST	192.168.2.11	1.1.1.1	0x41f2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.017330885 CEST	192.168.2.11	1.1.1.1	0x979f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.024080992 CEST	192.168.2.11	1.1.1.1	0xd6e1	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:35.035726070 CEST	192.168.2.11	1.1.1.1	0x6b54	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.048836946 CEST	192.168.2.11	1.1.1.1	0x9b25	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:35.050179005 CEST	192.168.2.11	1.1.1.1	0x7de9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.078114033 CEST	192.168.2.11	1.1.1.1	0xed47	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:35.332025051 CEST	192.168.2.11	1.1.1.1	0xda5a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.340830088 CEST	192.168.2.11	1.1.1.1	0x1432	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.350913048 CEST	192.168.2.11	1.1.1.1	0x5ee8	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:35.486912966 CEST	192.168.2.11	1.1.1.1	0x2cce	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.487539053 CEST	192.168.2.11	1.1.1.1	0x3b28	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.499336958 CEST	192.168.2.11	1.1.1.1	0x3abb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.442195892 CEST	192.168.2.11	1.1.1.1	0x6a8c	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.451747894 CEST	192.168.2.11	1.1.1.1	0xcc6c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.465249062 CEST	192.168.2.11	1.1.1.1	0xc161	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.475028992 CEST	192.168.2.11	1.1.1.1	0x9359	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:38.138700962 CEST	192.168.2.11	1.1.1.1	0xe14a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.150940895 CEST	192.168.2.11	1.1.1.1	0x775c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:38.239798069 CEST	192.168.2.11	1.1.1.1	0xbae1	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.270740032 CEST	192.168.2.11	1.1.1.1	0x67a0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.286672115 CEST	192.168.2.11	1.1.1.1	0x2351	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:40.743572950 CEST	192.168.2.11	1.1.1.1	0xecf6	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.743855953 CEST	192.168.2.11	1.1.1.1	0xdcd0	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.744098902 CEST	192.168.2.11	1.1.1.1	0xfdab	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.380012989 CEST	192.168.2.11	1.1.1.1	0x759c	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.382122993 CEST	192.168.2.11	1.1.1.1	0x28c0	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.384233952 CEST	192.168.2.11	1.1.1.1	0x20b3	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.387461901 CEST	192.168.2.11	1.1.1.1	0x9f0d	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:41.389832020 CEST	192.168.2.11	1.1.1.1	0x55f0	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 8, 2024 00:50:41.391921997 CEST	192.168.2.11	1.1.1.1	0x7ddd	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:41.394721985 CEST	192.168.2.11	1.1.1.1	0xd4bf	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.397553921 CEST	192.168.2.11	1.1.1.1	0xc599	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.402801991 CEST	192.168.2.11	1.1.1.1	0x90d1	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.405131102 CEST	192.168.2.11	1.1.1.1	0x819e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.410132885 CEST	192.168.2.11	1.1.1.1	0x2252	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:41.412898064 CEST	192.168.2.11	1.1.1.1	0x5679	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:45.636251926 CEST	192.168.2.11	1.1.1.1	0x714f	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:45.650918007 CEST	192.168.2.11	1.1.1.1	0x2e11	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:45.670969963 CEST	192.168.2.11	1.1.1.1	0x1d29	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:50:45.881014109 CEST	192.168.2.11	1.1.1.1	0xcdc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:50:48.789064884 CEST	192.168.2.11	1.1.1.1	0x9535	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:58.308938026 CEST	192.168.2.11	1.1.1.1	0x1ddf	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:51:01.331275940 CEST	192.168.2.11	1.1.1.1	0xe374	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:51:01.351066113 CEST	192.168.2.11	1.1.1.1	0x194c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.364144087 CEST	192.168.2.11	1.1.1.1	0x71ed	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.365385056 CEST	192.168.2.11	1.1.1.1	0xaab	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.379185915 CEST	192.168.2.11	1.1.1.1	0x26bf	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 8, 2024 00:51:01.380415916 CEST	192.168.2.11	1.1.1.1	0xbc3e	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.400734901 CEST	192.168.2.11	1.1.1.1	0x8198	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:51:01.815135956 CEST	192.168.2.11	1.1.1.1	0xf16a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:03.768955946 CEST	192.168.2.11	1.1.1.1	0xe5c0	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 8, 2024 00:51:19.645415068 CEST	192.168.2.11	1.1.1.1	0xcaa0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:19.863688946 CEST	192.168.2.11	1.1.1.1	0x85d3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:51:20.308926105 CEST	192.168.2.11	1.1.1.1	0xe23f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.316643953 CEST	192.168.2.11	1.1.1.1	0xf35f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.324306965 CEST	192.168.2.11	1.1.1.1	0x6702	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 00:51:20.408277988 CEST	192.168.2.11	1.1.1.1	0x7c51	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.408477068 CEST	192.168.2.11	1.1.1.1	0x4d96	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:31.398343086 CEST	192.168.2.11	1.1.1.1	0xb9c7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:31.410187960 CEST	192.168.2.11	1.1.1.1	0xb170	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 00:52:00.383203983 CEST	192.168.2.11	1.1.1.1	0x922f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 00:50:34.340655088 CEST	1.1.1.1	192.168.2.11	0xdc06	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:34.340655088 CEST	1.1.1.1	192.168.2.11	0xdc06	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.340717077 CEST	1.1.1.1	192.168.2.11	0x877	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.340742111 CEST	1.1.1.1	192.168.2.11	0xe9a4	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.353605986 CEST	1.1.1.1	192.168.2.11	0x9ac5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.354120016 CEST	1.1.1.1	192.168.2.11	0x6568	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.355160952 CEST	1.1.1.1	192.168.2.11	0xf44e	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:34.368520975 CEST	1.1.1.1	192.168.2.11	0x75a4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 00:50:34.369241953 CEST	1.1.1.1	192.168.2.11	0x94cd	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:35.010656118 CEST	1.1.1.1	192.168.2.11	0x6a79	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.023529053 CEST	1.1.1.1	192.168.2.11	0x41f2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.026057959 CEST	1.1.1.1	192.168.2.11	0x979f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:35.026057959 CEST	1.1.1.1	192.168.2.11	0x979f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.043612957 CEST	1.1.1.1	192.168.2.11	0x6b54	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.046091080 CEST	1.1.1.1	192.168.2.11	0x578b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:35.046091080 CEST	1.1.1.1	192.168.2.11	0x578b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.057755947 CEST	1.1.1.1	192.168.2.11	0x7de9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.339682102 CEST	1.1.1.1	192.168.2.11	0xda5a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:35.339682102 CEST	1.1.1.1	192.168.2.11	0xda5a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:35.339682102 CEST	1.1.1.1	192.168.2.11	0xda5a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.348381996 CEST	1.1.1.1	192.168.2.11	0x1432	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.358001947 CEST	1.1.1.1	192.168.2.11	0x5ee8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 00:50:35.497282982 CEST	1.1.1.1	192.168.2.11	0x2cce	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.497844934 CEST	1.1.1.1	192.168.2.11	0x3b28	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.497844934 CEST	1.1.1.1	192.168.2.11	0x3b28	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:35.507095098 CEST	1.1.1.1	192.168.2.11	0x3abb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:35.507095098 CEST	1.1.1.1	192.168.2.11	0x3abb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.451359034 CEST	1.1.1.1	192.168.2.11	0x6a8c	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:37.460354090 CEST	1.1.1.1	192.168.2.11	0xcc6c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:37.474437952 CEST	1.1.1.1	192.168.2.11	0xc161	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.101078987 CEST	1.1.1.1	192.168.2.11	0xcacc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:38.101078987 CEST	1.1.1.1	192.168.2.11	0xcacc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.136462927 CEST	1.1.1.1	192.168.2.11	0x5b2d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.147577047 CEST	1.1.1.1	192.168.2.11	0xe14a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.247999907 CEST	1.1.1.1	192.168.2.11	0xbae1	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:38.247999907 CEST	1.1.1.1	192.168.2.11	0xbae1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.278990030 CEST	1.1.1.1	192.168.2.11	0x67a0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:38.634825945 CEST	1.1.1.1	192.168.2.11	0xe472	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.751882076 CEST	1.1.1.1	192.168.2.11	0xecf6	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.752432108 CEST	1.1.1.1	192.168.2.11	0xdcd0	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:40.752432108 CEST	1.1.1.1	192.168.2.11	0xdcd0	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:40.752468109 CEST	1.1.1.1	192.168.2.11	0xfdab	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:40.752468109 CEST	1.1.1.1	192.168.2.11	0xfdab	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.386924028 CEST	1.1.1.1	192.168.2.11	0x759c	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.389394045 CEST	1.1.1.1	192.168.2.11	0x28c0	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.390714884 CEST	1.1.1.1	192.168.2.11	0x20b3	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.394088984 CEST	1.1.1.1	192.168.2.11	0x9f0d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.394088984 CEST	1.1.1.1	192.168.2.11	0x9f0d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.394088984 CEST	1.1.1.1	192.168.2.11	0x9f0d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.394088984 CEST	1.1.1.1	192.168.2.11	0x9f0d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.396847010 CEST	1.1.1.1	192.168.2.11	0x55f0	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.398961067 CEST	1.1.1.1	192.168.2.11	0x7ddd	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 8, 2024 00:50:41.402108908 CEST	1.1.1.1	192.168.2.11	0xd4bf	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:41.402108908 CEST	1.1.1.1	192.168.2.11	0xd4bf	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.402108908 CEST	1.1.1.1	192.168.2.11	0xd4bf	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.402108908 CEST	1.1.1.1	192.168.2.11	0xd4bf	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.402108908 CEST	1.1.1.1	192.168.2.11	0xd4bf	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.404366016 CEST	1.1.1.1	192.168.2.11	0xc599	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.409615993 CEST	1.1.1.1	192.168.2.11	0x90d1	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.409615993 CEST	1.1.1.1	192.168.2.11	0x90d1	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.409615993 CEST	1.1.1.1	192.168.2.11	0x90d1	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.409615993 CEST	1.1.1.1	192.168.2.11	0x90d1	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:41.411633015 CEST	1.1.1.1	192.168.2.11	0x819e	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:45.642976999 CEST	1.1.1.1	192.168.2.11	0x714f	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:45.642976999 CEST	1.1.1.1	192.168.2.11	0x714f	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:45.642976999 CEST	1.1.1.1	192.168.2.11	0x714f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:45.657418966 CEST	1.1.1.1	192.168.2.11	0x2e11	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:50:48.795840025 CEST	1.1.1.1	192.168.2.11	0x9535	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:50:48.795840025 CEST	1.1.1.1	192.168.2.11	0x9535	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.344444036 CEST	1.1.1.1	192.168.2.11	0xb505	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:01.344444036 CEST	1.1.1.1	192.168.2.11	0xb505	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.363708019 CEST	1.1.1.1	192.168.2.11	0x194c	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.363708019 CEST	1.1.1.1	192.168.2.11	0x194c	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.363708019 CEST	1.1.1.1	192.168.2.11	0x194c	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.363708019 CEST	1.1.1.1	192.168.2.11	0x194c	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.375096083 CEST	1.1.1.1	192.168.2.11	0xaab	No error (0)	services.addons.mozilla.org		18.245.162.100	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.375096083 CEST	1.1.1.1	192.168.2.11	0xaab	No error (0)	services.addons.mozilla.org		18.245.162.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.375096083 CEST	1.1.1.1	192.168.2.11	0xaab	No error (0)	services.addons.mozilla.org		18.245.162.105	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.375096083 CEST	1.1.1.1	192.168.2.11	0xaab	No error (0)	services.addons.mozilla.org		18.245.162.43	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.376925945 CEST	1.1.1.1	192.168.2.11	0x71ed	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:01.376925945 CEST	1.1.1.1	192.168.2.11	0x71ed	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.391046047 CEST	1.1.1.1	192.168.2.11	0xbc3e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:01.824258089 CEST	1.1.1.1	192.168.2.11	0xf16a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:01.824258089 CEST	1.1.1.1	192.168.2.11	0xf16a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:02.584176064 CEST	1.1.1.1	192.168.2.11	0x154	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:02.584176064 CEST	1.1.1.1	192.168.2.11	0x154	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:03.778477907 CEST	1.1.1.1	192.168.2.11	0xe5c0	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 8, 2024 00:51:19.855925083 CEST	1.1.1.1	192.168.2.11	0xcaa0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.315567017 CEST	1.1.1.1	192.168.2.11	0xe23f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:51:20.315567017 CEST	1.1.1.1	192.168.2.11	0xe23f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.323796988 CEST	1.1.1.1	192.168.2.11	0xf35f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.331283092 CEST	1.1.1.1	192.168.2.11	0x6702	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 00:51:20.415486097 CEST	1.1.1.1	192.168.2.11	0x7c51	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.415620089 CEST	1.1.1.1	192.168.2.11	0x4d96	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:20.415620089 CEST	1.1.1.1	192.168.2.11	0x4d96	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:31.386642933 CEST	1.1.1.1	192.168.2.11	0x4940	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:51:31.409300089 CEST	1.1.1.1	192.168.2.11	0xb9c7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49717	34.107.221.82	80	6016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:50:34.914448977 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:35.373485088 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 62702 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49725	34.107.221.82	80	6016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:50:35.523363113 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:35.967286110 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 44777 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49726	34.107.221.82	80	6016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:50:35.523552895 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:35.965022087 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44803 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49741	34.107.221.82	80	6016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:50:36.965902090 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:37.418450117 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52031 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:37.616198063 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:37.714293003 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52031 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:38.027900934 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:38.125057936 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52032 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:38.448437929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:38.545165062 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52032 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:38.805475950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:38.901593924 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52032 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:38.997487068 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:39.093545914 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:39.326090097 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:39.423644066 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:39.433064938 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:39.528903008 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:39.783715963 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:39.879525900 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:39.958329916 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:40.054115057 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52034 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:40.586873055 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:40.685048103 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52034 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:50.194088936 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:50.291565895 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52044 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:50.398085117 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:50.495240927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52044 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:50:58.937591076 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:50:59.035851002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:01.918277979 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:02.016205072 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52055 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:02.203135014 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:02.306288004 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52056 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:02.420416117 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:02.517770052 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52056 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:02.682171106 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:02.780761957 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52056 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:12.787256002 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:20.410742998 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:20.506584883 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52074 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:30.522300959 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:32.259658098 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:32.358043909 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52086 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:32.859553099 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:32.957513094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52086 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:33.321922064 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:51:33.419971943 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52087 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:51:43.426584005 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:53.453504086 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:00.960212946 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 00:52:01.058573961 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 52115 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 00:52:11.066140890 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:21.078372955 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:31.103187084 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:41.116039038 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49742	34.107.221.82	80	6016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 00:50:37.042737961 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:37.498074055 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44805 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:37.927222013 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:38.024832010 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44805 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:38.319468021 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:38.419893980 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44806 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:38.620297909 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:38.716607094 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44806 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:38.820770025 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:38.917007923 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44806 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:39.158893108 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:39.255100012 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44807 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:39.331459045 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:39.428888083 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44807 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:39.684278011 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:39.780605078 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44807 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:39.852176905 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:39.948920012 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44807 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:40.200110912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:40.297208071 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44808 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:48.790023088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:48.886446953 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44816 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:50.286056042 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:50.385894060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44818 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:50:58.833604097 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:50:58.933695078 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44826 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:01.814604998 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:01.915437937 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:02.102022886 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:02.199771881 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:02.317017078 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:02.417184114 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:02.574907064 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:02.673223019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:12.686945915 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:20.308689117 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:20.407133102 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44848 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:30.421888113 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:32.120564938 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:32.219002962 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44860 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:32.755342960 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:32.853126049 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44860 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:33.209414005 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:51:33.318001986 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44861 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:51:43.326297998 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:51:53.353122950 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:00.855865955 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 00:52:00.955041885 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 44888 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 00:52:10.965780020 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:20.978110075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:31.002825975 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 00:52:41.015824080 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	1
Start time:	18:50:28
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7b0000
File size:	919'040 bytes
MD5 hash:	9D7EA17AA6D8EC2653FBD07092D2A3D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:50:28
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:50:29
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:50:29
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	18:50:30
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf2d1419-78d8-4674-a0a7-5faab0442aeb} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a70710 socket
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	18:50:32
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -parentBuildID 20230927232528 -prefsHandle 1388 -prefMapHandle 1256 -prefsLen 26242 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3e6854-25f5-48be-aca9-16793ff11bca} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c02a42910 rdd
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	18:50:37
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 4976 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62736bf5-4a6a-402e-9ae1-8f0951dc0690} 6016 "\\.\pipe\gecko-crash-server-pipe.6016" 21c1ab7d110 utility
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1504
Total number of Limit Nodes:	55

Executed Functions

Function 007B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007B430D

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

GetCurrentProcess.KERNEL32(?,0084CB64,00000000,?,?), ref: 007B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007B44A0

Strings

|O, xrefs: 007F36F8
kernel32.dll, xrefs: 007B444F
GetNativeSystemInfo, xrefs: 007B4460

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 31c10f58583c204bf89f278d7d2773f985706a9e11b57451ca549c14679100e9
Instruction ID: 61ec2583f1aaf40ba2d2d5b8f74cc5127ade140d97c6b80256baa2f274d974ae
Opcode Fuzzy Hash: 31c10f58583c204bf89f278d7d2773f985706a9e11b57451ca549c14679100e9
Instruction Fuzzy Hash: A7A1737690A2C4DFCF12D76D7C8D6E67FAC7B26740B184899D18193B23DE6C460ACB21

Function 007B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007B50AA,?,?,00000000,00000000), ref: 007B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007B50AA,?,?,00000000,00000000), ref: 007B42C9
LoadResource.KERNEL32(?,00000000,?,?,007B50AA,?,?,00000000,00000000,?,?,?,?,?,?,007B4F20), ref: 007F35BE
SizeofResource.KERNEL32(?,00000000,?,?,007B50AA,?,?,00000000,00000000,?,?,?,?,?,?,007B4F20), ref: 007F35D3
LockResource.KERNEL32(007B50AA,?,?,007B50AA,?,?,00000000,00000000,?,?,?,?,?,?,007B4F20,?), ref: 007F35E6

Strings

SCRIPT, xrefs: 007B42BF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cf4bbba20324b258387833fd08b62981aea744ae5bb7e1d5baaf0f0c933de58b
Instruction ID: 9dc274f03fe5e6c1ad48d25770722103672931bd6b9fee83b357adfcf5360853
Opcode Fuzzy Hash: cf4bbba20324b258387833fd08b62981aea744ae5bb7e1d5baaf0f0c933de58b
Instruction Fuzzy Hash: 41117C75201700BFEB218FA5DC49FA77BBDFBC6B51F104169B412D6260DBB1D800D620

Function 007F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007B2B6B

Part of subcall function 007B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00881418,?,007B2E7F,?,?,?,00000000), ref: 007B3A78

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00872224), ref: 007F2C10
ShellExecuteW.SHELL32(00000000,?,?,00872224), ref: 007F2C17

Strings

runas, xrefs: 007F2C0B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 2694e82f5ba4045dbc9d9f64798f5717c707d6bab01aa909cc4224f7c2f580bd
Instruction ID: 7ac80b73e449079be8b94949505e84ee727149f2b9ca01b8cbae699e9eb4802c
Opcode Fuzzy Hash: 2694e82f5ba4045dbc9d9f64798f5717c707d6bab01aa909cc4224f7c2f580bd
Instruction Fuzzy Hash: 1611D571209305EAC704FF60D859BEEBBA9AB91700F44042DF256431A3DF2C898AC712

Function 0081D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0081D501
Process32FirstW.KERNEL32(00000000,?), ref: 0081D50F
Process32NextW.KERNEL32(00000000,?), ref: 0081D52F
CloseHandle.KERNELBASE(00000000), ref: 0081D5DC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a1ccf2014cc592bab459987a593b026a3ea143ba6fd07ef37e8f8eeb29746ffd
Instruction ID: 3aeea90104eb74051dd1f5db9c70921e7c62b55fc94638c7c2f57f4c9a66b9a1
Opcode Fuzzy Hash: a1ccf2014cc592bab459987a593b026a3ea143ba6fd07ef37e8f8eeb29746ffd
Instruction Fuzzy Hash: B1314D711083009FD301EF54C889BEABBE9FF99354F14092DF685861A1EB719985CB92

Function 0081DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,007F5222), ref: 0081DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0081DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0081DBEE
FindClose.KERNEL32(00000000), ref: 0081DBFA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 3d48c97496f11d05d3582c45ee4bc749237b0d9ad5c021e5b7f5f790f585a59f
Instruction ID: 36c2b104dfb7976c156c182724837bb5210a72e3bfd13ab95c398a7b0f847fa2
Opcode Fuzzy Hash: 3d48c97496f11d05d3582c45ee4bc749237b0d9ad5c021e5b7f5f790f585a59f
Instruction Fuzzy Hash: BAF0A038811A245782206B78AC0D9EA376CFF02334B104B02F936C22E0FBF05994C6D5

Function 007D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007E28E9,?,007D4CBE,007E28E9,008788B8,0000000C,007D4E15,007E28E9,00000002,00000000,?,007E28E9), ref: 007D4D09
TerminateProcess.KERNEL32(00000000,?,007D4CBE,007E28E9,008788B8,0000000C,007D4E15,007E28E9,00000002,00000000,?,007E28E9), ref: 007D4D10
ExitProcess.KERNEL32 ref: 007D4D22

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dce429a0df2e16f58f25ba3119464e8b76d42070d0f0f1a3e67919aedbaa87bb
Instruction ID: a2c2ab1ec915e69465f933999e2f24e945c0cb0d0ed57f2f6f8fe7142d9bc3c6
Opcode Fuzzy Hash: dce429a0df2e16f58f25ba3119464e8b76d42070d0f0f1a3e67919aedbaa87bb
Instruction Fuzzy Hash: 8CE0B635101588ABCF61AF64DD0DA583B7EFB46785B144015FD058B222CB39DD42CA90

Function 0083AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0083B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0083B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0083B1D4
_wcslen.LIBCMT ref: 0083B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0083B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0083B236
_wcslen.LIBCMT ref: 0083B332

Part of subcall function 008205A7: GetStdHandle.KERNEL32(000000F6), ref: 008205C6

_wcslen.LIBCMT ref: 0083B34B
_wcslen.LIBCMT ref: 0083B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0083B3B6
GetLastError.KERNEL32(00000000), ref: 0083B407
CloseHandle.KERNEL32(?), ref: 0083B439
CloseHandle.KERNEL32(00000000), ref: 0083B44A
CloseHandle.KERNEL32(00000000), ref: 0083B45C
CloseHandle.KERNEL32(00000000), ref: 0083B46E
CloseHandle.KERNEL32(?), ref: 0083B4E3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: fb9857db3f2af7f6ce7bdb43f41309ea7d3dce4f43c0f08feee97bb1151c8b0b
Instruction ID: bfba125c42c2d90b8d22faba33be38814aadcdcf8a012eabf3d6b031a481c1b6
Opcode Fuzzy Hash: fb9857db3f2af7f6ce7bdb43f41309ea7d3dce4f43c0f08feee97bb1151c8b0b
Instruction Fuzzy Hash: A9F17871608200DFC724EF24C895B6ABBE5FF85314F14855DF99A8B2A2DB35EC40CB92

Function 007BD730 Relevance: 21.6, APIs: 14, Instructions: 625sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007BD807
timeGetTime.WINMM ref: 007BDA07
Sleep.KERNELBASE(0000000A), ref: 007BDBB1
Sleep.KERNEL32(0000000A), ref: 00802B76

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Sleep$InputStateTimetime
String ID:
API String ID: 2764417729-0
Opcode ID: 55273827dc364a07f5e7ba8bb95e2c0a4b23a24d13fa307e99e19d278bfef39f
Instruction ID: 4125d85a3dc46137871eff63ddfb2b394bf8149a8ea515fa9fc83bf85e5de62c
Opcode Fuzzy Hash: 55273827dc364a07f5e7ba8bb95e2c0a4b23a24d13fa307e99e19d278bfef39f
Instruction Fuzzy Hash: 6342F170608241DFDB78CF28C898BAABBA5FF45314F14855DE456C7291EBB8EC44CB92

Function 007B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007B2D07
RegisterClassExW.USER32(00000030), ref: 007B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B2D42
InitCommonControlsEx.COMCTL32(?), ref: 007B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B2D6F
LoadIconW.USER32(000000A9), ref: 007B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B2D94

Strings

TaskbarCreated, xrefs: 007B2D37
+, xrefs: 007B2CF0
AutoIt v3 GUI, xrefs: 007B2D23
0, xrefs: 007B2CE9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5c9c7066c3ee1da42398b0de6f60ee8415a81a220b1ad89d780fe10640f7be95
Instruction ID: 8879d03ee50ffe2237a71d7ec4411db2416d1c514cb5eaa59a6f2174bf05b97b
Opcode Fuzzy Hash: 5c9c7066c3ee1da42398b0de6f60ee8415a81a220b1ad89d780fe10640f7be95
Instruction Fuzzy Hash: F421BFB5912318AFDF40DFA8EC89BDDBFB8FB09700F00811AE611A62A0DBB55545CF91

Function 007F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F039A: CreateFileW.KERNELBASE(00000000,00000000,?,007F0704,?,?,00000000,?,007F0704,00000000,0000000C), ref: 007F03B7

GetLastError.KERNEL32 ref: 007F076F
__dosmaperr.LIBCMT ref: 007F0776
GetFileType.KERNELBASE(00000000), ref: 007F0782
GetLastError.KERNEL32 ref: 007F078C
__dosmaperr.LIBCMT ref: 007F0795
CloseHandle.KERNEL32(00000000), ref: 007F07B5
CloseHandle.KERNEL32(?), ref: 007F08FF
GetLastError.KERNEL32 ref: 007F0931
__dosmaperr.LIBCMT ref: 007F0938

Strings

H, xrefs: 007F08BD

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d4680d2a229a141b0ed13f6f578cfc159a766640b16e3c78f19a6708fe1e7274
Instruction ID: 8a588d23177dece8688b7e48c3c2da8e2802d26e9bc10e0f19c3715b25a87639
Opcode Fuzzy Hash: d4680d2a229a141b0ed13f6f578cfc159a766640b16e3c78f19a6708fe1e7274
Instruction Fuzzy Hash: 00A12136A001088FDF19EF68D855BBE7BA0AB06320F14419EF9159F3D2DB399912CB91

Function 007B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00881418,?,007B2E7F,?,?,?,00000000), ref: 007B3A78

Part of subcall function 007B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007F31CE
RegCloseKey.ADVAPI32(?), ref: 007F3210
_wcslen.LIBCMT ref: 007F3277
_wcslen.LIBCMT ref: 007F3286

Strings

Include, xrefs: 007F3184, 007F31C5
\Include\, xrefs: 007B3527
Software\AutoIt v3\AutoIt, xrefs: 007B3560
\, xrefs: 007F328C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e5194119d128190a150897f9a2ee91f8df9f234c8b7952931ae49dd3955772b9
Instruction ID: 1236ad3a734e0ee10517d16f7ea4996bb8f5b3dd570e88656f6d5a9256f23afd
Opcode Fuzzy Hash: e5194119d128190a150897f9a2ee91f8df9f234c8b7952931ae49dd3955772b9
Instruction Fuzzy Hash: FD716A71405305EEC314EF69EC95AABBBE8FF85740B40042EF655C3271EB389A48CB62

Function 007B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007B2B9D
LoadIconW.USER32(00000063), ref: 007B2BB3
LoadIconW.USER32(000000A4), ref: 007B2BC5
LoadIconW.USER32(000000A2), ref: 007B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007B2BEF
RegisterClassExW.USER32(?), ref: 007B2C40

Part of subcall function 007B2CD4: GetSysColorBrush.USER32(0000000F), ref: 007B2D07
Part of subcall function 007B2CD4: RegisterClassExW.USER32(00000030), ref: 007B2D31
Part of subcall function 007B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B2D42
Part of subcall function 007B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007B2D5F
Part of subcall function 007B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B2D6F
Part of subcall function 007B2CD4: LoadIconW.USER32(000000A9), ref: 007B2D85
Part of subcall function 007B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B2D94

Strings

0, xrefs: 007B2C0F
AutoIt v3, xrefs: 007B2C2F
#, xrefs: 007B2C16

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d36d145775cf70a54cd6a93cdd3c0554e2b37fddffb127c3d916665bce99116b
Instruction ID: e1a53c659e09ba698b868a48229e5b1025f05cc04d19d0575434c9adc7912632
Opcode Fuzzy Hash: d36d145775cf70a54cd6a93cdd3c0554e2b37fddffb127c3d916665bce99116b
Instruction Fuzzy Hash: 03211874E01318ABDF109FA9EC59BA97FB8FB48B50F00402AE600A67A0DBB90541CF90

Function 007B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007B316A,?,?), ref: 007B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007B316A,?,?), ref: 007B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007B316A,?,?), ref: 007B3232
CreatePopupMenu.USER32 ref: 007B3246
PostQuitMessage.USER32(00000000), ref: 007B3267

Strings

TaskbarCreated, xrefs: 007B322D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 1259b21afa4a67701613f79caa8e3dd8923d90c87be23ebc42326a5417029e3a
Instruction ID: 5be5e475e4282f107cdbd0c368ab8e9007d225c3a477824adee4ca5d5b6b3240
Opcode Fuzzy Hash: 1259b21afa4a67701613f79caa8e3dd8923d90c87be23ebc42326a5417029e3a
Instruction Fuzzy Hash: C541DF3524060CABDF146BACDC1EBF93A5DFB06340F040125FA02C62A2DF7D9E8297A1

Function 007B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007B1459
CoUninitialize.COMBASE ref: 007B14F8
UnregisterHotKey.USER32(?), ref: 007B16DD
DestroyWindow.USER32(?), ref: 007F24B9
FreeLibrary.KERNEL32(?), ref: 007F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007F254B

Strings

close all, xrefs: 007B1454

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d6ed8506042d0a081d3b19510ba05b43e728a7c3a68a57620b1ab6a9830b981b
Instruction ID: cc7d8b2197844ac0e58605ec304b2ea3c3872b41510639b8d0aa08ce5ba6b43c
Opcode Fuzzy Hash: d6ed8506042d0a081d3b19510ba05b43e728a7c3a68a57620b1ab6a9830b981b
Instruction Fuzzy Hash: C8D15E31702212DFCB29DF14C4A9B69F7A5BF05700F9441ADE54AAB352DB38AD22CF51

Function 007B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007B1CAD,?), ref: 007B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007B1CAD,?), ref: 007B2CCF

Strings

edit, xrefs: 007B2CAC
AutoIt v3, xrefs: 007B2C89, 007B2C8E, 007B2C8F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f8a239ab4a8b37928b49ee257c92cae3bc18d85d01d30a449f6b0c38a79a9260
Instruction ID: 60fda538a2e8d333e4d7b47389421d17f7ca04c3680a8707d71cbaa5833db533
Opcode Fuzzy Hash: f8a239ab4a8b37928b49ee257c92cae3bc18d85d01d30a449f6b0c38a79a9260
Instruction Fuzzy Hash: 43F0DA755413947AEB71171BAC0CEB72EBDF7C7F50B00005AF900A26A0CA791852DBB0

Function 007B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007B3B0F,SwapMouseButtons,00000004,?), ref: 007B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007B3B0F,SwapMouseButtons,00000004,?), ref: 007B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007B3B0F,SwapMouseButtons,00000004,?), ref: 007B3B83

Strings

Control Panel\Mouse, xrefs: 007B3B3E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: aaec3f81ff09898a84b9ad4fe0d4ea5fcafb8922b79fe6c25e47f39e2e0a5db9
Instruction ID: 9d38b0f5344b554f51f5e0ab528a7cd7a5a17e3e46a56bf46c7cab4f0add6402
Opcode Fuzzy Hash: aaec3f81ff09898a84b9ad4fe0d4ea5fcafb8922b79fe6c25e47f39e2e0a5db9
Instruction Fuzzy Hash: 63112AB5511208FFDB208FA5DC44AEFB7BCEF05744B104559A805D7114E6359E809760

Function 007B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007F33A2

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007B3A04

Strings

Line: , xrefs: 007F33EB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b219c1129509365c63f19b04f35ea8d8f7d2bb6dbb4f070d5462fa94264963ec
Instruction ID: c2d9a5d3c2a3724d77f4dce91b8d5b7178161273fced04ebf02d287a016a00d4
Opcode Fuzzy Hash: b219c1129509365c63f19b04f35ea8d8f7d2bb6dbb4f070d5462fa94264963ec
Instruction Fuzzy Hash: 8831A571408304AAD725EB14DC49BEBB7ECBF40714F10451AF59993291EF7CAA89C7C2

Function 007CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 007D0668

Part of subcall function 007D32A4: RaiseException.KERNEL32(?,?,?,007D068A,?,00881444,?,?,?,?,?,?,007D068A,007B1129,00878738,007B1129), ref: 007D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 007D0685

Strings

Unknown exception, xrefs: 007D0692

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 403e9e9922bec64525fcc52fc3b760283e5c9e2ca23a2276e1a5ee4aca278e82
Instruction ID: 2ba0eed18da7c6e991da94069f5c0a75968269e1c7b7ba0a096af79c6d66e1cc
Opcode Fuzzy Hash: 403e9e9922bec64525fcc52fc3b760283e5c9e2ca23a2276e1a5ee4aca278e82
Instruction Fuzzy Hash: 27F0F42490020DF38B04B664E84EE5D777CAE00350B60803AB929D6795EF38EA2585C0

Function 007B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007B1BF4
Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007B1BFC
Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007B1C07
Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007B1C12
Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007B1C1A
Part of subcall function 007B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007B1C22

Part of subcall function 007B1B4A: RegisterWindowMessageW.USER32(00000004,?,007B12C4), ref: 007B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007B136A
OleInitialize.OLE32 ref: 007B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007F24AB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c0dae7988f3bfd3e9336ec9da35489214642f4a51d118ac9ff2bba423e50abd2
Instruction ID: 2a8378fe63216dd94af72982eb9a9d8d69743d40b6effe0dad25e46b102256fe
Opcode Fuzzy Hash: c0dae7988f3bfd3e9336ec9da35489214642f4a51d118ac9ff2bba423e50abd2
Instruction Fuzzy Hash: 1871A7B49122009ECB84EFBDE95EA953AEDFB88344794823AD10AC7262EF344447CF45

Function 0081C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0081C259
KillTimer.USER32(?,00000001,?,?), ref: 0081C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0081C270

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 964d78b3f0c26f7d178fcfe11abdc4de4b65d45201251040ef2b621ed2325d75
Instruction ID: 90a0d2653d503d4944459ea0177ef50b17e8cbcacc58fcd4569eec99e69304b6
Opcode Fuzzy Hash: 964d78b3f0c26f7d178fcfe11abdc4de4b65d45201251040ef2b621ed2325d75
Instruction Fuzzy Hash: D1318170944344AFEB629F648859BEABBECFF16308F00049AD59AD7241C7746AC5CB51

Function 007E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007E85CC,?,00878CC8,0000000C), ref: 007E8704
GetLastError.KERNEL32(?,007E85CC,?,00878CC8,0000000C), ref: 007E870E
__dosmaperr.LIBCMT ref: 007E8739

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f5644c105a932bab965377306b92cbbe992053e6d738618300ba1049150bd1f2
Instruction ID: 35639846571ea60e7556ceb2e599b3bc1fa38c7882d36c369d90a3c6c1a8ddcb
Opcode Fuzzy Hash: f5644c105a932bab965377306b92cbbe992053e6d738618300ba1049150bd1f2
Instruction Fuzzy Hash: 61018E326072E056C2E06376694977E67494B8E77CF390119F81C8B1D3DEACCC81C252

Function 007BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007BDB7B
DispatchMessageW.USER32(?), ref: 007BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007BDB9F
Sleep.KERNELBASE(0000000A), ref: 007BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00801CC9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 813e0a7861990b16c54a5dac34dcf60ee2ce7a60d1a0886368226fcc9a72a924
Instruction ID: e4f47c47336a62e1463a136132c0c43af8a71ea40d637dfeaaf6e5361819339e
Opcode Fuzzy Hash: 813e0a7861990b16c54a5dac34dcf60ee2ce7a60d1a0886368226fcc9a72a924
Instruction Fuzzy Hash: 2CF05E306453409BEB70CBA48C4DFEA73ACFB45310F104628E61AC30C0EB349848CB25

Function 007C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007C17F6

Strings

CALL, xrefs: 007C17C6

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 947f90e525a3178c7186af9d846e014ce1b12f2f4ed22d195d6617353ed0648d
Instruction ID: cafe3a304a03d0293577203725c671af39c01d09fbb21efc5572f62f5c856d8b
Opcode Fuzzy Hash: 947f90e525a3178c7186af9d846e014ce1b12f2f4ed22d195d6617353ed0648d
Instruction Fuzzy Hash: 22226870608241DFC714DF14C894F2ABBE1FF86314F64896DE4968B3A2D739E961CB92

Function 007B2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 007F2C8C

Part of subcall function 007B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B3A97,?,?,007B2E7F,?,?,?,00000000), ref: 007B3AC2

Part of subcall function 007B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007B2DC4

Strings

X, xrefs: 007F2C5A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: dd658ede7d605a0d6f10dc25efd02c48eacab03035d2efcaf562261b1b1f4ee4
Instruction ID: 10f3d2c0e7e985bb5eb1991a23a38f256f952c6aee1e8d1ada9d2b0d514219f7
Opcode Fuzzy Hash: dd658ede7d605a0d6f10dc25efd02c48eacab03035d2efcaf562261b1b1f4ee4
Instruction Fuzzy Hash: 68218471A002589ACB419F94C8497EE7BF8AF49704F108059E505A7345EBB89A8A8F61

Function 007B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B3908

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e3db5b9feb45201bc3323ffaae4b3365c3d8f94a2cd7344bbd0d8adb601a5007
Instruction ID: df33565e570c24ec0ab75f2d69afd495e636fc64f8d39664cf9192ee67be9680
Opcode Fuzzy Hash: e3db5b9feb45201bc3323ffaae4b3365c3d8f94a2cd7344bbd0d8adb601a5007
Instruction Fuzzy Hash: 4E314B705047019FD761DF28D8897D7BBE8FB49708F00092EF59987250E779AA85CB52

Function 007CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007CF661

Part of subcall function 007BD730: GetInputState.USER32 ref: 007BD807

Sleep.KERNEL32(00000000), ref: 0080F2DE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 4970ad3803d86da19200ac83d54c2a3d649c6730887acee500e343d1fe9a05a0
Instruction ID: dcbc74672a9ec7867914542cb0cd79649f38e54f84843ab70401282a19d0b591
Opcode Fuzzy Hash: 4970ad3803d86da19200ac83d54c2a3d649c6730887acee500e343d1fe9a05a0
Instruction Fuzzy Hash: 5EF08C352402059FD360EF69D849BAAB7E8FF4A760F004029E85AC72A1DBB0A800CB91

Function 007B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007B4EDD,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E9C
Part of subcall function 007B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007B4EAE
Part of subcall function 007B4E90: FreeLibrary.KERNEL32(00000000,?,?,007B4EDD,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4EFD

Part of subcall function 007B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F3CDE,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E62
Part of subcall function 007B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007B4E74
Part of subcall function 007B4E59: FreeLibrary.KERNEL32(00000000,?,?,007F3CDE,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E87

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 635c82eb9184576e9e06d0f7ea5f5b9d0bdf1cb7005edcea2c48a96de9a469ef
Instruction ID: f39bb18074390a2396b92a63e87437c692f9dd7d5700f41b38081963b2b192de
Opcode Fuzzy Hash: 635c82eb9184576e9e06d0f7ea5f5b9d0bdf1cb7005edcea2c48a96de9a469ef
Instruction Fuzzy Hash: 23119132610219EADB14BB64DC0ABFD77A5AF40B10F148429F542AB2D2EEB8DA459B50

Function 007E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 007E8440

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 48cd4ce9dd3c3a9c8f2d37773703f26335cc45b27659d5aeb0d35d79e37b44f7
Instruction ID: 19c8dad1ae945c52cf00985d9f9c5ca92f61fca66a11f58615c14e53e089d38f
Opcode Fuzzy Hash: 48cd4ce9dd3c3a9c8f2d37773703f26335cc45b27659d5aeb0d35d79e37b44f7
Instruction Fuzzy Hash: B711487190414AEFCB05DF59E94099A7BF4FF49310F104059F808AB352DA30EA11CBA5

Function 007E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007E4C7D: RtlAllocateHeap.NTDLL(00000008,007B1129,00000000,?,007E2E29,00000001,00000364,?,?,?,007DF2DE,007E3863,00881444,?,007CFDF5,?), ref: 007E4CBE

_free.LIBCMT ref: 007E506C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1b047f7810a48538705bd989243e77eb370b89b13573f9134d7fb08d3f518431
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 29012B722057489BE3218E66984595AFBECFB8D374F25061DF184932C0E674A805C674

Function 007DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ea18de7b83e1c395e7701adc6edcabc862f7046c42db6bf5be5b3a23b2ee40f7
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 35F02D32511A14D6C7323A668C0DB5A33BC9F52334F10071BF525973D2DB7CE80285A6

Function 007E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007B1129,00000000,?,007E2E29,00000001,00000364,?,?,?,007DF2DE,007E3863,00881444,?,007CFDF5,?), ref: 007E4CBE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c6f8d53a5a609c4af1f35b772a75a4987f4809cc9ef738a78c3cf4a4d8180228
Instruction ID: dbac7ee847919760a726093c3af6e86d14240725c9dfb424580813b2a28b93de
Opcode Fuzzy Hash: c6f8d53a5a609c4af1f35b772a75a4987f4809cc9ef738a78c3cf4a4d8180228
Instruction Fuzzy Hash: 6AF0E9326032A4A7DB315F679D09B5A3798BF457A0B385512F81AA76B1CA3CD80186F0

Function 007E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6,?,007B1129), ref: 007E3852

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cdb24ab57ee2d66a88d578fc3cb559b09a81f302ffec679f242f051037c038a
Instruction ID: 9fac118bfbabbf2e9f875c06f57fba4abcd4b713562dcc3be7837c1025fb3c69
Opcode Fuzzy Hash: 9cdb24ab57ee2d66a88d578fc3cb559b09a81f302ffec679f242f051037c038a
Instruction Fuzzy Hash: 26E065321032A4ABE63126A79D0DB9A3759AB867B0F190123BC1597691DB2DDD0182F1

Function 007B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4F6D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 39da7279b185725aab6ba2d80a57a8d5b1770773a7b243db8621b95d806bdb3d
Instruction ID: db4ad80747efecfdadd3329c095c3d8defde3b3c0a65fe3ae13450e5a87b7cef
Opcode Fuzzy Hash: 39da7279b185725aab6ba2d80a57a8d5b1770773a7b243db8621b95d806bdb3d
Instruction Fuzzy Hash: D4F03971505752CFDB349F64D494AA2BBF4FF14329328897EE1EA83622C7399844DF10

Function 007B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007B314E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 62e9eec14f0dde55a2f273c9b18f82b81c6839c8a2e3b72a52ec1084ff2faaa9
Instruction ID: d3a3a4d931ad5432b3029dbc190efe177d839bb227aeda24295183e75ee7da3d
Opcode Fuzzy Hash: 62e9eec14f0dde55a2f273c9b18f82b81c6839c8a2e3b72a52ec1084ff2faaa9
Instruction Fuzzy Hash: 99F037709143189FEB529B28DC4A7D57BBCB701708F0000E5A54896292DB785789CF51

Function 007B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007B2DC4

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6cf9934e50a66d46a1edf6523045a476b49e83081b569989b97c762570c74d9f
Instruction ID: b3f7c9bbff3f365484ad9ca56525ff18cf532009276b01c8933a953149444733
Opcode Fuzzy Hash: 6cf9934e50a66d46a1edf6523045a476b49e83081b569989b97c762570c74d9f
Instruction Fuzzy Hash: 29E0CD766011249BC71092589C09FEA77EDDFC8790F040071FE09D7248DAA4AD80C550

Function 007B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B3908

Part of subcall function 007BD730: GetInputState.USER32 ref: 007BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007B2B6B

Part of subcall function 007B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007B314E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 239cf67fbfeae930ab4691ac15a90aec66e9909731f19716ef892bece4d87d15
Instruction ID: b560895cf7c5647bce0ec895f962b894b6cb2d3b75af866a4e33fb29ee46d7d2
Opcode Fuzzy Hash: 239cf67fbfeae930ab4691ac15a90aec66e9909731f19716ef892bece4d87d15
Instruction Fuzzy Hash: 27E0863130424486CA04BBB4985E7EDA75EABD1751F40153EF24283163DE2D498A8352

Function 007F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,007F0704,?,?,00000000,?,007F0704,00000000,0000000C), ref: 007F03B7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 863bca47567c81481c8770c676942e9efd103e18faa43f2b984bc456a4368d84
Instruction ID: 754634fb71f6034882e362a0cc5cb08bfc37607b2adb99d32f34c98cb0075d29
Opcode Fuzzy Hash: 863bca47567c81481c8770c676942e9efd103e18faa43f2b984bc456a4368d84
Instruction Fuzzy Hash: FDD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821EB90

Function 007B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007B1CBC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: be112453b1a50494ff87e7b10596b1d32751c5e35702e2d38d76967e7903fee9
Instruction ID: 0d648e9656b78ef6b0d63044c8c3925663222103df78edc5e0dfa631605da1d8
Opcode Fuzzy Hash: be112453b1a50494ff87e7b10596b1d32751c5e35702e2d38d76967e7903fee9
Instruction Fuzzy Hash: 02C0923A2C0304AFF6548B88FC4EF547768B348B00F048001F709A96E3C7A22820EB50

Non-executed Functions

Function 00849576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0084961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0084965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0084969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008496C9
SendMessageW.USER32 ref: 008496F2
GetKeyState.USER32(00000011), ref: 0084978B
GetKeyState.USER32(00000009), ref: 00849798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008497AE
GetKeyState.USER32(00000010), ref: 008497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008497E9
SendMessageW.USER32 ref: 00849810
SendMessageW.USER32(?,00001030,?,00847E95), ref: 00849918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0084992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00849941
SetCapture.USER32(?), ref: 0084994A
ClientToScreen.USER32(?,?), ref: 008499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008499D6
ReleaseCapture.USER32 ref: 008499E1
GetCursorPos.USER32(?), ref: 00849A19
ScreenToClient.USER32(?,?), ref: 00849A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00849A80
SendMessageW.USER32 ref: 00849AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00849AEB
SendMessageW.USER32 ref: 00849B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00849B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00849B4A
GetCursorPos.USER32(?), ref: 00849B68
ScreenToClient.USER32(?,?), ref: 00849B75
GetParent.USER32(?), ref: 00849B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00849BFA
SendMessageW.USER32 ref: 00849C2B
ClientToScreen.USER32(?,?), ref: 00849C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00849CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00849CDE
SendMessageW.USER32 ref: 00849D01
ClientToScreen.USER32(?,?), ref: 00849D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00849D82

Part of subcall function 007C9944: GetWindowLongW.USER32(?,000000EB), ref: 007C9952

GetWindowLongW.USER32(?,000000F0), ref: 00849E05

Strings

F, xrefs: 00849D07
@GUI_DRAGID, xrefs: 0084997D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 1e8a45da8b3bab601a96c25d6e683745d0a36805c0cca96be036a90e457de754
Instruction ID: a2b2a6dc32ec33dfe7574b9e76dc95a8f42d96c71219bd29a2cc688098abe6ca
Opcode Fuzzy Hash: 1e8a45da8b3bab601a96c25d6e683745d0a36805c0cca96be036a90e457de754
Instruction Fuzzy Hash: 0E427834204209AFDB60CF68CC88EABBBE9FF59314F114619F699C72A1E731A850CF51

Function 00844873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00844908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00844927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0084494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0084495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0084497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00844A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00844A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00844A7E
IsMenu.USER32(?), ref: 00844A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00844AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00844B20
GetWindowLongW.USER32(?,000000F0), ref: 00844B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00844BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00844C82
wsprintfW.USER32 ref: 00844CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00844CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00844CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00844D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00844D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00844D5A

Strings

%d/%02d/%02d, xrefs: 00844CA8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a434b73d4d7d42a63076f3e09aa64fd846393f9b66a08f4771d7c56cde1092d4
Instruction ID: 2d76dbcbfb1c467eaede8a8a6eebf3288cd8e3f7bdd12fba6de3ce3e65db71d8
Opcode Fuzzy Hash: a434b73d4d7d42a63076f3e09aa64fd846393f9b66a08f4771d7c56cde1092d4
Instruction Fuzzy Hash: 4B12ED71A00618ABEB249F28CC49FAE7BF8FF45714F105129F916EB2E1DB789941CB50

Function 007CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080F474
IsIconic.USER32(00000000), ref: 0080F47D
ShowWindow.USER32(00000000,00000009), ref: 0080F48A
SetForegroundWindow.USER32(00000000), ref: 0080F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080F4AA
GetCurrentThreadId.KERNEL32 ref: 0080F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0080F4DE
SetForegroundWindow.USER32(00000000), ref: 0080F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080F4F6
keybd_event.USER32(00000012,00000000), ref: 0080F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080F50B
keybd_event.USER32(00000012,00000000), ref: 0080F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080F519
keybd_event.USER32(00000012,00000000), ref: 0080F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080F528
keybd_event.USER32(00000012,00000000), ref: 0080F52D
SetForegroundWindow.USER32(00000000), ref: 0080F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0080F557

Strings

Shell_TrayWnd, xrefs: 0080F46F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 41aaca6f352644f508968b125e64c89777d2f0a14f8677a0544ec519bbcc793c
Instruction ID: 8f1286e31ad4cc59d2319fa426ea0de351e031c5736c12bdc7ecc7a262a87d08
Opcode Fuzzy Hash: 41aaca6f352644f508968b125e64c89777d2f0a14f8677a0544ec519bbcc793c
Instruction Fuzzy Hash: BC315E75A41218BBEB706BB55C4AFBF7E6CFB45B50F114029FA05E61D2C6B06D00EAA0

Function 00811201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0081170D
Part of subcall function 008116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0081173A
Part of subcall function 008116C3: GetLastError.KERNEL32 ref: 0081174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00811286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008112A8
CloseHandle.KERNEL32(?), ref: 008112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008112D1
GetProcessWindowStation.USER32 ref: 008112EA
SetProcessWindowStation.USER32(00000000), ref: 008112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00811310

Part of subcall function 008110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008111FC), ref: 008110D4
Part of subcall function 008110BF: CloseHandle.KERNEL32(?,?,008111FC), ref: 008110E9

Strings

winsta0, xrefs: 008112CC
default, xrefs: 0081130B
, xrefs: 0081125A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 073a010d8cd6413368c564edc700e770aff1bb55a93fb4eadf82d03e7ce55c74
Instruction ID: c7241843eba24ea5ca14d90ddefd302ada9300f71624874dfec6e8beff8b884e
Opcode Fuzzy Hash: 073a010d8cd6413368c564edc700e770aff1bb55a93fb4eadf82d03e7ce55c74
Instruction Fuzzy Hash: 9F818D71900209ABDF109FA8DC4DBEE7BBEFF05B04F144129FA10E62A0D7758984CB25

Function 00810B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00811114
Part of subcall function 008110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811120
Part of subcall function 008110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 0081112F
Part of subcall function 008110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811136
Part of subcall function 008110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0081114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00810BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00810C00
GetLengthSid.ADVAPI32(?), ref: 00810C17
GetAce.ADVAPI32(?,00000000,?), ref: 00810C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00810C6D
GetLengthSid.ADVAPI32(?), ref: 00810C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00810C8C
HeapAlloc.KERNEL32(00000000), ref: 00810C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00810CB4
CopySid.ADVAPI32(00000000), ref: 00810CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00810CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00810D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00810D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810D45
HeapFree.KERNEL32(00000000), ref: 00810D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810D55
HeapFree.KERNEL32(00000000), ref: 00810D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810D65
HeapFree.KERNEL32(00000000), ref: 00810D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00810D78
HeapFree.KERNEL32(00000000), ref: 00810D7F

Part of subcall function 00811193: GetProcessHeap.KERNEL32(00000008,00810BB1,?,00000000,?,00810BB1,?), ref: 008111A1
Part of subcall function 00811193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00810BB1,?), ref: 008111A8
Part of subcall function 00811193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00810BB1,?), ref: 008111B7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d1799a26887fade3429e3cdb037bee204b548328eb4c2cd62acf4434b849098c
Instruction ID: 8b09cbb75c6769ae384a2d5dc96db1eb726c9f5735e92be48380aaf8011057e9
Opcode Fuzzy Hash: d1799a26887fade3429e3cdb037bee204b548328eb4c2cd62acf4434b849098c
Instruction Fuzzy Hash: A4715CB690120AABDF10DFA4EC48BEEBBBCFF05300F144615E915E6191D7B5A985CFA0

Function 0082EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0084CC08), ref: 0082EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0082EB37
GetClipboardData.USER32(0000000D), ref: 0082EB43
CloseClipboard.USER32 ref: 0082EB4F
GlobalLock.KERNEL32(00000000), ref: 0082EB87
CloseClipboard.USER32 ref: 0082EB91
GlobalUnlock.KERNEL32(00000000), ref: 0082EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0082EBC9
GetClipboardData.USER32(00000001), ref: 0082EBD1
GlobalLock.KERNEL32(00000000), ref: 0082EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0082EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0082EC38
GetClipboardData.USER32(0000000F), ref: 0082EC44
GlobalLock.KERNEL32(00000000), ref: 0082EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0082EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0082EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0082ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0082ECF3
CountClipboardFormats.USER32 ref: 0082ED14
CloseClipboard.USER32 ref: 0082ED59

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 1d98e9f0f2eff1943ea2fc5d60627db7539f5ec9868f9768dbc750fd3e35d347
Instruction ID: 70d26ad48a605bd91c8d96eeaf04639676e02377722b521ce965b4de1a8722eb
Opcode Fuzzy Hash: 1d98e9f0f2eff1943ea2fc5d60627db7539f5ec9868f9768dbc750fd3e35d347
Instruction Fuzzy Hash: 3C61EE38204301AFD300EF24E888F6ABBA8FF85714F14441DF956D72A2CB75E985CB66

Function 0082698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008269BE
FindClose.KERNEL32(00000000), ref: 00826A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00826A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00826A75

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00826AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00826ADF

Strings

%02d, xrefs: 00826C00, 00826C0A, 00826C5A, 00826CAA, 00826CFA, 00826D4A
%4d, xrefs: 00826BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00826B6A
%03d, xrefs: 00826DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00826B32

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: daa5dd59ef565ac3564eae9c7c897fad44d51b0add3f2f8fc8d83dd560099b59
Instruction ID: ed90acc4aeb2a21a10b72b3fc399f026b19da73d77c2113dcdb23d7b4317ce26
Opcode Fuzzy Hash: daa5dd59ef565ac3564eae9c7c897fad44d51b0add3f2f8fc8d83dd560099b59
Instruction Fuzzy Hash: FCD15172508350EFC314EBA4D885EABB7ECBF88704F04491DF699D6191EB78DA44CB62

Function 00829642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00829663
GetFileAttributesW.KERNEL32(?), ref: 008296A1
SetFileAttributesW.KERNEL32(?,?), ref: 008296BB
FindNextFileW.KERNEL32(00000000,?), ref: 008296D3
FindClose.KERNEL32(00000000), ref: 008296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0082974A
SetCurrentDirectoryW.KERNEL32(00876B7C), ref: 00829768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00829772
FindClose.KERNEL32(00000000), ref: 0082977F
FindClose.KERNEL32(00000000), ref: 0082978F

Strings

*.*, xrefs: 008296F5

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dd0f80fcafb6b06a82d5abcade86095e01ae9253bfbadce2d238f0f4904a830e
Instruction ID: a4eabb6f3b957525a1e0d0f1fca76b82c4190295822f59410e6870ee7d641fc0
Opcode Fuzzy Hash: dd0f80fcafb6b06a82d5abcade86095e01ae9253bfbadce2d238f0f4904a830e
Instruction Fuzzy Hash: 4A31D3365016296FDB10AFB4EC48ADE77BCFF0A320F144156F955E2190EB74DD84CA14

Function 0082979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 008297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00829819
FindClose.KERNEL32(00000000), ref: 00829824
FindFirstFileW.KERNEL32(*.*,?), ref: 00829840
SetCurrentDirectoryW.KERNEL32(?), ref: 00829890
SetCurrentDirectoryW.KERNEL32(00876B7C), ref: 008298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008298B8
FindClose.KERNEL32(00000000), ref: 008298C5
FindClose.KERNEL32(00000000), ref: 008298D5

Part of subcall function 0081DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0081DB00

Strings

*.*, xrefs: 0082983B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a748d0f29ed6b0314ecff41715ab36c61ab2c75d1eaf524cbb939a85339f79de
Instruction ID: 7e0e3106991e1674fe1058e4c1251df1acec521ed94aa7b3b2f577fc8bdef7eb
Opcode Fuzzy Hash: a748d0f29ed6b0314ecff41715ab36c61ab2c75d1eaf524cbb939a85339f79de
Instruction Fuzzy Hash: B531C3315016296FDB14EFB4EC48ADE77BCFF06330F184166E994E2290EB75D984CA24

Function 0083BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0083C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0083B6AE,?,?), ref: 0083C9B5
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083C9F1
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA68
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0083BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0083BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0083BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0083C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0083C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0083C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0083C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0083C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0083C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0083C382
RegCloseKey.ADVAPI32(00000000), ref: 0083C38F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: bfa82da31a739400e8d03d4bc6d023aa8d880ea7d81e262c09b08af62245697b
Instruction ID: 5e2dfdf008dbd6dfe70dcdf02a6c6d47944671222260474cea57d0a48a30e435
Opcode Fuzzy Hash: bfa82da31a739400e8d03d4bc6d023aa8d880ea7d81e262c09b08af62245697b
Instruction Fuzzy Hash: A8020B716042009FD714DF28C895E2ABBE5FF89318F18849DF84ADB2A2DB35ED45CB91

Function 00828195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00828257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00828267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00828273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00828310
SetCurrentDirectoryW.KERNEL32(?), ref: 00828324
SetCurrentDirectoryW.KERNEL32(?), ref: 00828356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0082838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00828395

Strings

*.*, xrefs: 0082839B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f367a6cad3911eea264db868a3cc08a5596261d8784aac0b1990c7e6ae2c03b7
Instruction ID: dea6c7f11a398fcb72b7037e5e2bc77df8fc9faa8ef28f06cf2e392f1f438c6f
Opcode Fuzzy Hash: f367a6cad3911eea264db868a3cc08a5596261d8784aac0b1990c7e6ae2c03b7
Instruction Fuzzy Hash: 99614972504315DFCB10EF64D848AAEB3E8FF89314F04891AF999C7251EB35E985CB92

Function 0081D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B3A97,?,?,007B2E7F,?,?,?,00000000), ref: 007B3AC2

Part of subcall function 0081E199: GetFileAttributesW.KERNEL32(?,0081CF95), ref: 0081E19A

FindFirstFileW.KERNEL32(?,?), ref: 0081D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0081D1DD
MoveFileW.KERNEL32(?,?), ref: 0081D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0081D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0081D237

Part of subcall function 0081D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0081D21C,?,?), ref: 0081D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0081D253
FindClose.KERNEL32(00000000), ref: 0081D264

Strings

\*.*, xrefs: 0081D0CD, 0081D0D6, 0081D0EB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 161cfc07d4372b4f91d790e984c96cab9b67171a26ec4324f677fbaa3a429048
Instruction ID: e49f302a25271c7ac3816de4f1782a724c02ec216c230a78ba32f49f66f75e14
Opcode Fuzzy Hash: 161cfc07d4372b4f91d790e984c96cab9b67171a26ec4324f677fbaa3a429048
Instruction Fuzzy Hash: 4A617B3180120DABCF05EBE4D996AEDB7B9FF15300F204165E512B7191EB34AF89CB61

Function 0082ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0082ED91
EmptyClipboard.USER32 ref: 0082ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0082EDAC
CloseClipboard.USER32 ref: 0082EEA3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3bcd0783a50432ccf3d0753468cd39f40426e13fffae51f504e4fffc7c0f9ee6
Instruction ID: 3ff1f48c32f14d47a0e6de395c9607a1fd91ef17d9bb7008202ec32c13f61d73
Opcode Fuzzy Hash: 3bcd0783a50432ccf3d0753468cd39f40426e13fffae51f504e4fffc7c0f9ee6
Instruction Fuzzy Hash: FC419D39205621AFD720DF19E888B29BBE5FF45318F15C099E419CB762C779EC81CB94

Function 0081E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0081170D
Part of subcall function 008116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0081173A
Part of subcall function 008116C3: GetLastError.KERNEL32 ref: 0081174A

ExitWindowsEx.USER32(?,00000000), ref: 0081E932

Strings

SeShutdownPrivilege, xrefs: 0081E902
, xrefs: 0081E920
@, xrefs: 0081E925
, xrefs: 0081E95C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: cb0c26ebf1a2fffccbd555dfa1ff09c2477707705d2a957453906c707ef07568
Instruction ID: f05e902cbe1d76b5fab7efaa79a9f1252d2d62bb1f6d34d90c7d2a4b6a704466
Opcode Fuzzy Hash: cb0c26ebf1a2fffccbd555dfa1ff09c2477707705d2a957453906c707ef07568
Instruction Fuzzy Hash: 2A014932A10315ABEB5426B8AC8AFFF765CFF18744F150422FD13E21D1D6A55CC085A0

Function 00831204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00831276
WSAGetLastError.WSOCK32 ref: 00831283
bind.WSOCK32(00000000,?,00000010), ref: 008312BA
WSAGetLastError.WSOCK32 ref: 008312C5
closesocket.WSOCK32(00000000), ref: 008312F4
listen.WSOCK32(00000000,00000005), ref: 00831303
WSAGetLastError.WSOCK32 ref: 0083130D
closesocket.WSOCK32(00000000), ref: 0083133C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 29a7206ac2e6b3cc96c30922d75d707f2dd61475ed1625ae6a819706081f3637
Instruction ID: 1d610b6c898d3fec574b7a19f6f0ba50f2cf742c680a281f7d56ebe111381221
Opcode Fuzzy Hash: 29a7206ac2e6b3cc96c30922d75d707f2dd61475ed1625ae6a819706081f3637
Instruction Fuzzy Hash: 02417F356001009FDB10DF64C488B6ABBE5FF86718F188198E856DF296C775ED81CBE1

Function 007EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007EB9D4
_free.LIBCMT ref: 007EB9F8
_free.LIBCMT ref: 007EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00853700), ref: 007EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0088121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00881270,000000FF,?,0000003F,00000000,?), ref: 007EBC36
_free.LIBCMT ref: 007EBD4B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 088f08c97735b6106ca4b38b2fd0c755e2f0034dd87e3d1044ee174c8d939098
Instruction ID: bf3842e2f914cb4fbedbc1a8f5c37f160dd92f843a3ba5b27b6454c23c9e57f0
Opcode Fuzzy Hash: 088f08c97735b6106ca4b38b2fd0c755e2f0034dd87e3d1044ee174c8d939098
Instruction Fuzzy Hash: 89C12971906285DFCF20DF7A8C45AAB7FB9EF49310F1441AAE494D7252DB389E42CB90

Function 0081D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B3A97,?,?,007B2E7F,?,?,?,00000000), ref: 007B3AC2

Part of subcall function 0081E199: GetFileAttributesW.KERNEL32(?,0081CF95), ref: 0081E19A

FindFirstFileW.KERNEL32(?,?), ref: 0081D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0081D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0081D481
FindClose.KERNEL32(00000000), ref: 0081D498
FindClose.KERNEL32(00000000), ref: 0081D4A1

Strings

\*.*, xrefs: 0081D3F2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 668c281f38bdd11c30c64302713d9bd508da6a8178a1e134c198521e0c9b8287
Instruction ID: 46a68ffa8539213f2c77d5263a435ddde62a08f5216d3627c91567542c066943
Opcode Fuzzy Hash: 668c281f38bdd11c30c64302713d9bd508da6a8178a1e134c198521e0c9b8287
Instruction Fuzzy Hash: 3A319C71009355ABC300EF64C899AEFB7ECBE92304F444A1DF5E593191EB34AA49CB67

Function 007EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007EE645

Strings

1#INF, xrefs: 007EF852
1#IND, xrefs: 007EF83D
1#QNAN, xrefs: 007EF84B
1#SNAN, xrefs: 007EF844

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bc57be55b44c0240b66c3747f25bed99f292ed244f8c71cab34a3e7298901e05
Instruction ID: ff0a9df85205f84eb1eb104872bac5011a686f8a6c19bdb6e1503f1d18d1af3d
Opcode Fuzzy Hash: bc57be55b44c0240b66c3747f25bed99f292ed244f8c71cab34a3e7298901e05
Instruction Fuzzy Hash: B0C27B72E066688FDB25CF29CD407EAB7B5EB48305F1445EAD84DE7241E778AE818F40

Function 0082648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008264DC
CoInitialize.OLE32(00000000), ref: 00826639
CoCreateInstance.OLE32(0084FCF8,00000000,00000001,0084FB68,?), ref: 00826650
CoUninitialize.OLE32 ref: 008268D4

Strings

.lnk, xrefs: 008264BA, 00826524, 008265E0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f893096d4e7322b891f1f0eef19796161fb3015edb03fc595b929e2a869b9737
Instruction ID: 4677cc5c1f57fbde6181ca4938c1c62aecb4db10334f93fadb96429c1f53431a
Opcode Fuzzy Hash: f893096d4e7322b891f1f0eef19796161fb3015edb03fc595b929e2a869b9737
Instruction Fuzzy Hash: C8D15871508211AFC304EF24C885AABB7E8FF98704F14496DF595CB2A1EB34ED45CBA2

Function 008322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008322E8

Part of subcall function 0082E4EC: GetWindowRect.USER32(?,?), ref: 0082E504

GetDesktopWindow.USER32 ref: 00832312
GetWindowRect.USER32(00000000), ref: 00832319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00832355
GetCursorPos.USER32(?), ref: 00832381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008323DF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f06ed5bdcac63c6205850c3c8191deb3677bd4343c5f01638555030887f8093e
Instruction ID: 946e2557c38b3416bf38cb2bbc364231dc1a472b907eadae8f6ae49a9e72cdea
Opcode Fuzzy Hash: f06ed5bdcac63c6205850c3c8191deb3677bd4343c5f01638555030887f8093e
Instruction Fuzzy Hash: 6C31EB72505315ABD720DF18C848A9BBBADFFC9314F000A19F985D7291DB34EA08CBD2

Function 00829B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00829B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00829C8B

Part of subcall function 00823874: GetInputState.USER32 ref: 008238CB
Part of subcall function 00823874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00823966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00829BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00829C75

Strings

*.*, xrefs: 00829B5D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8d6dd3521b0e469653de16e939843667445395c3c7d063fb045469a66e6013e0
Instruction ID: 4a4664865148f167111ad4607857d5179e4b70d8b033192ae8a2877702140989
Opcode Fuzzy Hash: 8d6dd3521b0e469653de16e939843667445395c3c7d063fb045469a66e6013e0
Instruction Fuzzy Hash: 3F418E7190021AAFDF55DF64D889AEEBBB8FF05310F24405AE855E2291EB349E84CF60

Function 007C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 007C9A4E
GetSysColor.USER32(0000000F), ref: 007C9B23
SetBkColor.GDI32(?,00000000), ref: 007C9B36

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 25d334b42d0d155e1977b6d2f3a241c4b62233b5837774586cd6a0791387cd1b
Instruction ID: 250f5027b649dc180fd2d61af20620e28a309c606707483054bb19aef8032d35
Opcode Fuzzy Hash: 25d334b42d0d155e1977b6d2f3a241c4b62233b5837774586cd6a0791387cd1b
Instruction Fuzzy Hash: 27A127B1609444BEE7B5AA2C8C4DF7F2B9DFB42340B15811DF212D66D1CA29AD01D376

Function 00831806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0083304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0083307A
Part of subcall function 0083304E: _wcslen.LIBCMT ref: 0083309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0083185D
WSAGetLastError.WSOCK32 ref: 00831884
bind.WSOCK32(00000000,?,00000010), ref: 008318DB
WSAGetLastError.WSOCK32 ref: 008318E6
closesocket.WSOCK32(00000000), ref: 00831915

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d643066a3f3dfbbcfcfef5ab8d7823a607e92763bd3d5455d51584a6bad5b97c
Instruction ID: 908772a10ccc822ab6519cbdc44b03cba4dc68ec11ef0de54987b4f9a4fd0b4f
Opcode Fuzzy Hash: d643066a3f3dfbbcfcfef5ab8d7823a607e92763bd3d5455d51584a6bad5b97c
Instruction Fuzzy Hash: BC519175A00200AFDB10AF24C88AF6A77E5EB85718F08849CF9069F393C775AD41CBE1

Function 00841C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00841CC0
IsWindowEnabled.USER32 ref: 00841CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00841CDB
IsIconic.USER32 ref: 00841CE9
IsZoomed.USER32 ref: 00841CF7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: eaa3a7f3fcdbe3e69c1735bdcd48ac49dffe81db14292d2135ea042a598253d6
Instruction ID: b6cf2a1207dfd86d62ba0327f0e5ecbda89ab54a4ea887ae4226030dd16777e2
Opcode Fuzzy Hash: eaa3a7f3fcdbe3e69c1735bdcd48ac49dffe81db14292d2135ea042a598253d6
Instruction Fuzzy Hash: 5C21D3317412159FDB208F1ADC88B6A7BE9FF95315B198058E84ACB351C775DC82CB90

Function 007B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007B843C
ERCP, xrefs: 007B813C
VUUU, xrefs: 007B83FA
VUUU, xrefs: 007B83E8
VUUU, xrefs: 007F5DF0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4e26d3e98fa97253bf5ee3e623b83e6f72ca883769504f5c79c6217fe26746d2
Instruction ID: a935b0329c206711c9a0025703c797e44efb9536168389ab3c51ab5513a98be9
Opcode Fuzzy Hash: 4e26d3e98fa97253bf5ee3e623b83e6f72ca883769504f5c79c6217fe26746d2
Instruction Fuzzy Hash: 8CA24A70A0021ECBDF64CF58C8407FDB7B5BB54314F2481AAEA15AB385EB789D81DB91

Function 0081AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0081AAAC
SetKeyboardState.USER32(00000080), ref: 0081AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0081AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0081AB88

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 595f3f1a9d7b8a444da205aa039bcf3af491694b3e74a3d8ac1a3cd6b893f401
Instruction ID: c888791674a9e236ec8f1967d991f9ed7eb46355b3642917957b297c6a71b242
Opcode Fuzzy Hash: 595f3f1a9d7b8a444da205aa039bcf3af491694b3e74a3d8ac1a3cd6b893f401
Instruction Fuzzy Hash: 66312570A46288AEEB38CA68CC05BFA7BAEFF55330F04421AF081D21D1D37589C1C762

Function 0082CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0082CE89
GetLastError.KERNEL32(?,00000000), ref: 0082CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0082CEFE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 178b6b28b62f1882852aed5dcf1e4e69b92e8834a4f05b4c9d982a0236625ccb
Instruction ID: 6f6587535dbbc486be53583dfd6afe318078846b70efbf08eff17e4576e6b68f
Opcode Fuzzy Hash: 178b6b28b62f1882852aed5dcf1e4e69b92e8834a4f05b4c9d982a0236625ccb
Instruction Fuzzy Hash: 9221BDB5500715EBDB20DFA5E948BAABBFCFB10358F10441EE546D2251EBB4EE84CB60

Function 00818298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008182AA

Strings

|, xrefs: 008182DA
(, xrefs: 008182F0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d6ae90395ee45484e27afbd9b5a1d75dd5731fabd0038ce3bcbf77aa9f396867
Instruction ID: 5eaab2fcd789cc79e39935a399d08f09eba5375629fe6b5693ed5cfe750dcbfb
Opcode Fuzzy Hash: d6ae90395ee45484e27afbd9b5a1d75dd5731fabd0038ce3bcbf77aa9f396867
Instruction Fuzzy Hash: F2323674A00605DFC728CF59C481AAAB7F4FF48710B15C56EE59ADB3A1EB70E981CB40

Function 00825C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00825CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00825D17
FindClose.KERNEL32(?), ref: 00825D5F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5feb721cd0d2887cc0e539f5560e984ec56bd50ed11870745d78fa531f533505
Instruction ID: 6df17040c9e66a1c8680cb9c55f272c90e0555d0cbd79a566c0745b7dcbe5cce
Opcode Fuzzy Hash: 5feb721cd0d2887cc0e539f5560e984ec56bd50ed11870745d78fa531f533505
Instruction Fuzzy Hash: B751A835600A019FC314CF28D498A9AB7E4FF09324F14856EE95ACB3A2DB30ED44CB91

Function 007E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 007E2731

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f68e90561578566727a515d9ac1b0daa53820a25b9be3f7011eae8c659cc66e2
Instruction ID: 5d86e878b77766ebb493418cda938315fa509f17597ee868deb348b428ef05e6
Opcode Fuzzy Hash: f68e90561578566727a515d9ac1b0daa53820a25b9be3f7011eae8c659cc66e2
Instruction Fuzzy Hash: E731B5749112189BCB21DF65DC8979DB7B8BF08310F5051EAE41CA7261E7749F818F45

Function 008251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00825238
SetErrorMode.KERNEL32(00000000), ref: 008252A1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2b0692dae3f1f9ce0686b25e9d852877d35d938df9b19c9199f5fa9b128b322b
Instruction ID: c4de5d7ea6e1350daeb794baad217fa1f8004e41ff578703a452271caeb71127
Opcode Fuzzy Hash: 2b0692dae3f1f9ce0686b25e9d852877d35d938df9b19c9199f5fa9b128b322b
Instruction Fuzzy Hash: 59314C75A00618DFDB00DF54D888FADBBB4FF49314F188099E805AB3A2DB35E855CBA0

Function 008116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007D0668
Part of subcall function 007CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0081170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0081173A
GetLastError.KERNEL32 ref: 0081174A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0bfc823786314b777ad8f0ea81c1ae94f34fa848e9eab74611b62b67b861bd68
Instruction ID: f7cd3a7242af2bcf2d2a55666ae5422cc402c3e67f6dbe3de8abae2f4addbac2
Opcode Fuzzy Hash: 0bfc823786314b777ad8f0ea81c1ae94f34fa848e9eab74611b62b67b861bd68
Instruction Fuzzy Hash: 551191B2514309AFD7189F54DC8AEAAB7FDFF44714B20852EE05697291EB70BC81CA60

Function 0081D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0081D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0081D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0081D650

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 319d748bb5250c71a25b3e58894f324e38fe24736270b03d370dfbf4277e347b
Instruction ID: f3f2bb63242efa200f1e517f08d0b503c876247f0c0a7397c7dc75484ce963fd
Opcode Fuzzy Hash: 319d748bb5250c71a25b3e58894f324e38fe24736270b03d370dfbf4277e347b
Instruction Fuzzy Hash: 6D113C75E05228BBDB208F95AC45FAFBBBCFB45B50F108115F904E7290D6B05A058BA1

Function 00811663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0081168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008116A1
FreeSid.ADVAPI32(?), ref: 008116B1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 94dff07213445ce5295e3b454c0b67d7a673cc707522e444821643eb7e9a5e2f
Instruction ID: 08d28467e565838e88e6f329e6d717e97354cf708979bf115c6e85bb70eed289
Opcode Fuzzy Hash: 94dff07213445ce5295e3b454c0b67d7a673cc707522e444821643eb7e9a5e2f
Instruction Fuzzy Hash: 03F0F475A51309FBDF00DFE49C89AAEBBBCFB08605F504965E501E2181E774AA448A54

Function 007EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 007EC36C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 97a8cb5fda1f528699f0efced1df946fd4cc518700aca505c859c49021cc4993
Instruction ID: 90f0f585f92183b0f94834e227ebc3523812ce1db67b3bbd9fc6fc702d91056b
Opcode Fuzzy Hash: 97a8cb5fda1f528699f0efced1df946fd4cc518700aca505c859c49021cc4993
Instruction Fuzzy Hash: 4041287A501259ABCB209FBACC4DDBB777CEB88314F1042A9F915D7280E6749D828B50

Function 0080D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0080D28C

Strings

X64, xrefs: 0080D2A8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8998da5bf2991af5f2767e73466c3d83431398e75e884cddccf48fd72909cc2b
Instruction ID: cc6a150767ee1976015c787b84510d26dad30c984967cd4fba8fc478e37ba1a9
Opcode Fuzzy Hash: 8998da5bf2991af5f2767e73466c3d83431398e75e884cddccf48fd72909cc2b
Instruction Fuzzy Hash: 6DD0C9B480211DEBCB90CB90DC88DD9B37CBB14305F100155F106E2040D77495488F10

Function 007DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 887e2f7fe43384356b54a913814697f260e245b0739f1c841e5ba9d30cee4775
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 01022E72E0011A9FDF15CFA9C9806ADFBF1EF48314F25826AD919E7384D735A941CB90

Function 008268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00826918
FindClose.KERNEL32(00000000), ref: 00826961

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d4008379dc71207df22c81a74ea5ca8931991878c9caed257a498b8bf5e93bb0
Instruction ID: 8d9f7b6728609dea5a29e02c43d6058468cee4ae1b73bef59749d778be6a30b3
Opcode Fuzzy Hash: d4008379dc71207df22c81a74ea5ca8931991878c9caed257a498b8bf5e93bb0
Instruction Fuzzy Hash: 6E11D0356042109FC710CF29D488A26BBE4FF85328F04C699F4698F2A2DB74EC85CB90

Function 008237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00834891,?,?,00000035,?), ref: 008237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00834891,?,?,00000035,?), ref: 008237F4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bf92905cec17bc47c5f5f396646061b3c8abd7085f8e20571bffa2964c115564
Instruction ID: 0240b8c5be96d6e16e1d173495479ba12d2fcb4ac3bf872b37bc19bf9cff9491
Opcode Fuzzy Hash: bf92905cec17bc47c5f5f396646061b3c8abd7085f8e20571bffa2964c115564
Instruction Fuzzy Hash: 8CF0E5B46052286BEB6017B69C4DFEB3AAEFFC5761F000275F609D2291D9A09944C6B0

Function 0081B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0081B25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 0081B270

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5db047f0597291159f2de79dea8ca5d0c18c9bf2f3ff2f60f4c04fb9cef8336a
Instruction ID: 7c6ee300b6d925419e4cad1608e8953ad65c99901dd41ff6ae06468f9a391c97
Opcode Fuzzy Hash: 5db047f0597291159f2de79dea8ca5d0c18c9bf2f3ff2f60f4c04fb9cef8336a
Instruction Fuzzy Hash: 44F01D7590424DABDB159FA4C805BEE7BB4FF05309F008009F955E6191C3798655DF94

Function 008110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008111FC), ref: 008110D4
CloseHandle.KERNEL32(?,?,008111FC), ref: 008110E9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1ba3ff31cecf9d1658c94bcd02636192f710954a5620bb3fe03c1a04e479da63
Instruction ID: da4ea6254f5ed1069c50aabcededfb4646f32e9f73926cff854c1498d39e5e1c
Opcode Fuzzy Hash: 1ba3ff31cecf9d1658c94bcd02636192f710954a5620bb3fe03c1a04e479da63
Instruction Fuzzy Hash: E1E0BF76115A10EEE7652F51FC09F7777ADFF05310B14882EF5A6804B1DB626C90DB50

Function 007BCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00800C40

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 0737545edb8471297625bae86863010f95fe8268c84d6ab0aac056d78fd80f44
Instruction ID: 24e2820227c6b8a1d3c4fdf88ff481ce9e6762616b0c1629da2b38e240bfb3cc
Opcode Fuzzy Hash: 0737545edb8471297625bae86863010f95fe8268c84d6ab0aac056d78fd80f44
Instruction Fuzzy Hash: 3C329C74A00218DFDF15DF94C895BEDBBB5FF05304F248069E806AB292DB79AE45CB60

Function 007E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007E6766,?,?,00000008,?,?,007EFEFE,00000000), ref: 007E6998

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ca036b4220c24f7424240c83599b118ca6fc22fbe4620ebff5dfae822c63a24
Instruction ID: 3afdcb59fc3100b23658443fa656ca690f740d629dd42764941fd857d91f3ac1
Opcode Fuzzy Hash: 5ca036b4220c24f7424240c83599b118ca6fc22fbe4620ebff5dfae822c63a24
Instruction Fuzzy Hash: B5B169716116488FD719CF29C48AB647BE0FF193A4F25C65CE899CF2A2C339E981CB40

Function 007CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0080851F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a78dbb6819c49db2e9e7052a271377b9271305f6dbbce470e46382db87fa63f1
Instruction ID: 66cdfa7cca44f0f9bc7b66500fdac595c8993bcf01a90416ba66c63356266075
Opcode Fuzzy Hash: a78dbb6819c49db2e9e7052a271377b9271305f6dbbce470e46382db87fa63f1
Instruction Fuzzy Hash: F9123E71900229DFDB54CF58C881BEEB7B5FF48710F15819AE849EB295EB349A81CF90

Function 0082EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0082EABD

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: aa56408e5682c4cb4dbeaf8db820746673cd235f66a32d49cedb923d0559c82f
Instruction ID: 1dda23cd55a898d8b9141e4f57ee34f6e77e6bc6c0041d0528a3ea8aa1b0bc32
Opcode Fuzzy Hash: aa56408e5682c4cb4dbeaf8db820746673cd235f66a32d49cedb923d0559c82f
Instruction Fuzzy Hash: 2EE012752002149FC710DF59D404E9AB7EDFF69760F00841AFC4AC7251D674A8408B91

Function 007D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007D03EE), ref: 007D09DA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eddd58dab075fd5e131effaa5bc80b888fcc747710d51c99b6f562efa945445e
Instruction ID: 0ed1eb06eb66f68bd871d8577a5c3774b430488172c0f00202e36d148d87abaf
Opcode Fuzzy Hash: eddd58dab075fd5e131effaa5bc80b888fcc747710d51c99b6f562efa945445e
Instruction Fuzzy Hash:

Function 007D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 007D798B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 524fc1e03a5d6f68f95409f4f15ad6012ac6d82fca642812d005cce6c09e7a18
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E451677260C7459BDB3C856888AE7BE67B99B52300F18050BD886DB382F61DEE41E356

Function 007E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf789f8af10a6d13a9d3ec2a9702d2ad4439d26ada26f9f74d990df3287c30cc
Instruction ID: ba2920f483475723c66805b7642280a74f2461043f9b3179ad6762511c073cda
Opcode Fuzzy Hash: cf789f8af10a6d13a9d3ec2a9702d2ad4439d26ada26f9f74d990df3287c30cc
Instruction Fuzzy Hash: 05322322D2AF814DD7279635D8223356259BFBB3C6F14D737E81AB59A6EF2DC4838100

Function 007CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb6ebf565cb25174ace8702e73a4b02b6677d437b689461c7150179e2648bd8
Instruction ID: fd448adea62279b9153319ff48474851b6d5eaa88ec86510d29cbf7b4d251a43
Opcode Fuzzy Hash: 3fb6ebf565cb25174ace8702e73a4b02b6677d437b689461c7150179e2648bd8
Instruction Fuzzy Hash: 51320232A041198BDF79CF29C894B7D7BA1FB45314F28826ED89ACB2D1D234DD81DB51

Function 007B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aeb4cb484c74cd8912fd8b9c591cc72f195865fd77bfcc25227005c5fcd8b0f
Instruction ID: da360f733b950ba6777d4032e7b28461b65de1e4ef6be1d49fea559222a024f3
Opcode Fuzzy Hash: 8aeb4cb484c74cd8912fd8b9c591cc72f195865fd77bfcc25227005c5fcd8b0f
Instruction Fuzzy Hash: 8A228EB0A04609DFDF14DF68D885BEEB7B6FF44300F204529E916AB391EB39A951CB50

Function 007B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bbafeb9d7dfa58759e661306fbe5aa0b4c714ca6fed5a8655b38da632b2119
Instruction ID: 477fbd10c624b78aaea92dedf39f93e414dec230005efe4a9c4e0056ba7d6ba4
Opcode Fuzzy Hash: 18bbafeb9d7dfa58759e661306fbe5aa0b4c714ca6fed5a8655b38da632b2119
Instruction Fuzzy Hash: 1E02A7B1E00209EBDB14DF64D885BBDB7B5FF44300F108169EA169B3A1EB39DA50DB91

Function 007E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf81f42ef7b0397818b8064c40af0fdcf99f19b227230f2396317225a808119
Instruction ID: 9369cbbd8c18c3eef5974c26225465263018a679ea9a2286a9b3b2376b0af720
Opcode Fuzzy Hash: fcf81f42ef7b0397818b8064c40af0fdcf99f19b227230f2396317225a808119
Instruction Fuzzy Hash: 31B1F020D2AF414DC62396399831336B75CBFBB6D6F91D31BFC2674E22EB2686834140

Function 007D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ad58c1e606bf26f58a887eac6606d20549147af21a86469759dc06de5e240761
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B79176722090E35ADB29463E857403EFFF15A923A235A079FD4F2CA3C5FE28D954D620

Function 007D1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 8f2028f9bc27fce677bd02f5cf124f41e5b8e23481cceb1df10d1fc05fd0e4d0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0E9169722090E349DB6D4339857403DFFF15AA23A131A479FE4F2CB2C6EE29D556D620

Function 007D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ab9bc2a21a5880f6d25682787912b68eecbb869972b73ae910fe2b26a87cdbd3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B89154722090E35ADB2D427A857403EFFF15A923A239A479FD4F2CA2C5FE28D554D620

Function 007D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7254075197c6e3f3e73751c42fe2aa758b471049a743cdbfcae28d361e71a25
Instruction ID: 62142cea7ef744e1fbfd2ac3c34bec2f5e6f6d0a64d72cc962736b87afec309a
Opcode Fuzzy Hash: f7254075197c6e3f3e73751c42fe2aa758b471049a743cdbfcae28d361e71a25
Instruction Fuzzy Hash: 44614BB120874996DA3C5A2C8D96BBE23B8DF81700F14491FE846DB381F61DDE42C366

Function 007D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce13b0d871eef399c94097beece11b31ebd49e1a40d3b04c283d1cab66b3997
Instruction ID: 7b32e13d9d46272207342d8e12e924cb833b0b7b50492969595cfd25d5115b8d
Opcode Fuzzy Hash: dce13b0d871eef399c94097beece11b31ebd49e1a40d3b04c283d1cab66b3997
Instruction Fuzzy Hash: 39616A7170870996DE3C4A288896BBF63B6DF42704F14095BE983DB381FA1EED42C256

Function 007D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 893de2ce9f4573d324b55c64d80b79c86ea1fd9f15ab7398311d744167746b4a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F78163726090E319EB6D827A853443EFFF15A923B135A079FD4F2CA2D1EE289554E620

Function 00822046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06113e9d275bb668a73157ddaa1f1c24ed544c7273796778d8a9c7839bba3a06
Instruction ID: 3f57fcf30c17d3eedcbaa1ce4a44b30b1f8cd67a3bdae20d0beae84e3e6f6985
Opcode Fuzzy Hash: 06113e9d275bb668a73157ddaa1f1c24ed544c7273796778d8a9c7839bba3a06
Instruction Fuzzy Hash: D621A8326206218BD728CE79C81267A73E5FB64310F15862EE4A7C77D0DE35A944CB40

Function 00832ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00832B30
DeleteObject.GDI32(00000000), ref: 00832B43
DestroyWindow.USER32 ref: 00832B52
GetDesktopWindow.USER32 ref: 00832B6D
GetWindowRect.USER32(00000000), ref: 00832B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00832CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00832CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832CF8
GetClientRect.USER32(00000000,?), ref: 00832D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00832D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832D80
GlobalLock.KERNEL32(00000000), ref: 00832D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832D98
GlobalUnlock.KERNEL32(00000000), ref: 00832DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832DA8
GlobalFree.KERNEL32(00000000), ref: 00832DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0084FC38,00000000), ref: 00832DDB
GlobalFree.KERNEL32(00000000), ref: 00832DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00832E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00832E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00832E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0083303F

Strings

, xrefs: 00832FC5
DISPLAY, xrefs: 00832EA2
AutoIt v3, xrefs: 00832CF2
static, xrefs: 00832D3A, 00832E91

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 2a1f81974851d170d5cb5ae9df6e1c74a47469bf538cd2e2d4c790d7e437515e
Instruction ID: de225b8e1bb19c54a2fe0a37a6454395ce4765346d593baaa9a1e32bbebf032e
Opcode Fuzzy Hash: 2a1f81974851d170d5cb5ae9df6e1c74a47469bf538cd2e2d4c790d7e437515e
Instruction Fuzzy Hash: 64024975500218EFDB24DF68CC89EAE7BB9FF49710F048558F915EB2A1DB74A901CBA0

Function 008470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0084712F
GetSysColorBrush.USER32(0000000F), ref: 00847160
GetSysColor.USER32(0000000F), ref: 0084716C
SetBkColor.GDI32(?,000000FF), ref: 00847186
SelectObject.GDI32(?,?), ref: 00847195
InflateRect.USER32(?,000000FF,000000FF), ref: 008471C0
GetSysColor.USER32(00000010), ref: 008471C8
CreateSolidBrush.GDI32(00000000), ref: 008471CF
FrameRect.USER32(?,?,00000000), ref: 008471DE
DeleteObject.GDI32(00000000), ref: 008471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00847230
FillRect.USER32(?,?,?), ref: 00847262
GetWindowLongW.USER32(?,000000F0), ref: 00847284

Part of subcall function 008473E8: GetSysColor.USER32(00000012), ref: 00847421
Part of subcall function 008473E8: SetTextColor.GDI32(?,?), ref: 00847425
Part of subcall function 008473E8: GetSysColorBrush.USER32(0000000F), ref: 0084743B
Part of subcall function 008473E8: GetSysColor.USER32(0000000F), ref: 00847446
Part of subcall function 008473E8: GetSysColor.USER32(00000011), ref: 00847463
Part of subcall function 008473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00847471
Part of subcall function 008473E8: SelectObject.GDI32(?,00000000), ref: 00847482
Part of subcall function 008473E8: SetBkColor.GDI32(?,00000000), ref: 0084748B
Part of subcall function 008473E8: SelectObject.GDI32(?,?), ref: 00847498
Part of subcall function 008473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008474B7
Part of subcall function 008473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008474CE
Part of subcall function 008473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008474DB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 40f3e2d10ca46a2082de8d269cf207c25a1152f3e8708751a91af3fe8a954914
Instruction ID: 765c7c820242e0881352ec17fa747d780afdc7684f34830b6d3cf1ea659bc5ac
Opcode Fuzzy Hash: 40f3e2d10ca46a2082de8d269cf207c25a1152f3e8708751a91af3fe8a954914
Instruction Fuzzy Hash: 23A1AF76009315AFDB509F64DC48E6BBBA9FF8A320F100A19F962E61E1D770E944CB91

Function 007C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00806AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00806AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00806F43

Part of subcall function 007C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007C8BE8,?,00000000,?,?,?,?,007C8BBA,00000000,?), ref: 007C8FC5

SendMessageW.USER32(?,00001053), ref: 00806F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00806F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00806FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00806FB7

Strings

0, xrefs: 00806DCF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d719e92253906da0e560665713dace305ba87b8fcdd02875513b461ea5d46841
Instruction ID: 7f3433964298a26378854a6256eb689d9390172b6443fa529c02fe2b8930344c
Opcode Fuzzy Hash: d719e92253906da0e560665713dace305ba87b8fcdd02875513b461ea5d46841
Instruction Fuzzy Hash: 9912AC34201211DFDBA5CF28CC58BA9BBE5FF45310F54446DE495CB2A2DB35E862CB92

Function 00832711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0083273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0083286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00832900
GetClientRect.USER32(00000000,?), ref: 0083290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00832955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00832964
GetStockObject.GDI32(00000011), ref: 00832974
SelectObject.GDI32(00000000,00000000), ref: 00832978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00832988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00832991
DeleteDC.GDI32(00000000), ref: 0083299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00832A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00832A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00832A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00832A77
GetStockObject.GDI32(00000011), ref: 00832A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00832A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00832A97

Strings

DISPLAY, xrefs: 0083295A
AutoIt v3, xrefs: 008328F8
msctls_progress32, xrefs: 00832A13
static, xrefs: 0083294F, 00832A71

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 42f6ab8db8f57951d15bfa8142149586d7703f832eb4af3d780732a282b74bc1
Instruction ID: e3b379803e14e7dd318039e1bb2d1dc92b6d133347857f5bce554b731aef1237
Opcode Fuzzy Hash: 42f6ab8db8f57951d15bfa8142149586d7703f832eb4af3d780732a282b74bc1
Instruction Fuzzy Hash: F3B16C75A00219AFEB14DFA8CC4AFAE7BA9FB48714F008514F915E7290DB74ED40CBA0

Function 00824ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00824AED
GetDriveTypeW.KERNEL32(?,0084CB68,?,\\.\,0084CC08), ref: 00824BCA
SetErrorMode.KERNEL32(00000000,0084CB68,?,\\.\,0084CC08), ref: 00824D36

Strings

SATA, xrefs: 00824CD0
ATAPI, xrefs: 00824C91
PhysicalDrive, xrefs: 00824B76
CDROM, xrefs: 00824BFB
Unknown, xrefs: 00824BED, 00824C83
RAID, xrefs: 00824CBB
SSA, xrefs: 00824CA6
FileBackedVirtual, xrefs: 00824CEC
1394, xrefs: 00824C9F
Fixed, xrefs: 00824C09
ATA, xrefs: 00824C98
Fibre, xrefs: 00824CAD
Network, xrefs: 00824C02
USB, xrefs: 00824CB4
RAMDisk, xrefs: 00824BF4
iSCSI, xrefs: 00824CC2
SCSI, xrefs: 00824C8A
MMC, xrefs: 00824CDE
SAS, xrefs: 00824CC9
SSD, xrefs: 00824C4A
Removable, xrefs: 00824C10, 00824C15
Virtual, xrefs: 00824CE5
\\.\, xrefs: 00824B3F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 57628564f60d5b832ac0b273d8f380e5ed4549c85789049cedcb031ef6817ec2
Instruction ID: 71ac7bcd1eace9da5b23383f833b7ba123e9ec81be9bf7a821a97e2da5ada5ee
Opcode Fuzzy Hash: 57628564f60d5b832ac0b273d8f380e5ed4549c85789049cedcb031ef6817ec2
Instruction Fuzzy Hash: CE610630601619DBCB14DF68DA85DAC7BA0FF44304B249016F81AEB396EB3ADDD1DB61

Function 008473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00847421
SetTextColor.GDI32(?,?), ref: 00847425
GetSysColorBrush.USER32(0000000F), ref: 0084743B
GetSysColor.USER32(0000000F), ref: 00847446
CreateSolidBrush.GDI32(?), ref: 0084744B
GetSysColor.USER32(00000011), ref: 00847463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00847471
SelectObject.GDI32(?,00000000), ref: 00847482
SetBkColor.GDI32(?,00000000), ref: 0084748B
SelectObject.GDI32(?,?), ref: 00847498
InflateRect.USER32(?,000000FF,000000FF), ref: 008474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0084752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00847554
InflateRect.USER32(?,000000FD,000000FD), ref: 00847572
DrawFocusRect.USER32(?,?), ref: 0084757D
GetSysColor.USER32(00000011), ref: 0084758E
SetTextColor.GDI32(?,00000000), ref: 00847596
DrawTextW.USER32(?,008470F5,000000FF,?,00000000), ref: 008475A8
SelectObject.GDI32(?,?), ref: 008475BF
DeleteObject.GDI32(?), ref: 008475CA
SelectObject.GDI32(?,?), ref: 008475D0
DeleteObject.GDI32(?), ref: 008475D5
SetTextColor.GDI32(?,?), ref: 008475DB
SetBkColor.GDI32(?,?), ref: 008475E5

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9550b5c939254cfb13fab4f009185e3c85d88a6582407e6b729ce8ae5a0ef8c5
Instruction ID: d6224014a002ad7f0ff79dc7d5a2697c23b377326337c4872d921a66a2239604
Opcode Fuzzy Hash: 9550b5c939254cfb13fab4f009185e3c85d88a6582407e6b729ce8ae5a0ef8c5
Instruction Fuzzy Hash: 35616A76901218AFDF119FA4DC49EAEBFB9FB09320F118115F915BB2A1D7749940CF90

Function 00840FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00841128
GetDesktopWindow.USER32 ref: 0084113D
GetWindowRect.USER32(00000000), ref: 00841144
GetWindowLongW.USER32(?,000000F0), ref: 00841199
DestroyWindow.USER32(?), ref: 008411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0084120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0084121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00841232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00841245
IsWindowVisible.USER32(00000000), ref: 008412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008412D0
GetWindowRect.USER32(00000000,?), ref: 008412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0084130E
GetMonitorInfoW.USER32(00000000,?), ref: 00841328
CopyRect.USER32(?,?), ref: 0084133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008413AA

Strings

(, xrefs: 0084131B
0, xrefs: 008410D3
tooltips_class32, xrefs: 008411E6

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e8857675b455bb798727b58c8232ad6253c871286ebdd2fc2f01579275611c4e
Instruction ID: e02ff8c16b9035c6c8926b66873e34a28ab9ef6b6d0ff0dfadcbe4f19a749648
Opcode Fuzzy Hash: e8857675b455bb798727b58c8232ad6253c871286ebdd2fc2f01579275611c4e
Instruction Fuzzy Hash: 2AB17D71604345AFDB54DF64C888BAABBE4FF89354F00891CF999DB261C771E844CB92

Function 00840241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008402E5
_wcslen.LIBCMT ref: 0084031F
_wcslen.LIBCMT ref: 00840389
_wcslen.LIBCMT ref: 008403F1
_wcslen.LIBCMT ref: 00840475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00840504

Part of subcall function 007CF9F2: _wcslen.LIBCMT ref: 007CF9FD

Part of subcall function 0081223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00812258
Part of subcall function 0081223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0081228A

Strings

GETSELECTEDCOUNT, xrefs: 00840470, 0084048B
GETTEXT, xrefs: 008403EC, 00840407
DESELECT, xrefs: 0084059C
SELECTINVERT, xrefs: 0084057E
FINDITEM, xrefs: 00840627
VIEWCHANGE, xrefs: 00840675
GETITEMCOUNT, xrefs: 00840316, 00840337
SELECTCLEAR, xrefs: 0084052D
SELECTALL, xrefs: 00840515
GETSUBITEMCOUNT, xrefs: 00840384, 0084039F
SELECT, xrefs: 00840548
ISSELECTED, xrefs: 008404DD
GETSELECTED, xrefs: 008405E1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 0c77f1ec16626db46d39dfa7ef841675eadc44cf090e831cc32f441a830e8bb0
Instruction ID: eeb08a53e9890ce45b02ee31edccf8e2aa417ce4de9e137c7c3b88020395a09d
Opcode Fuzzy Hash: 0c77f1ec16626db46d39dfa7ef841675eadc44cf090e831cc32f441a830e8bb0
Instruction Fuzzy Hash: 00E1AB312082098BC724DF24C45096BB7E6FFD8318B15895CFA96EB3A5DB34ED45CB82

Function 007C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007C8968
GetSystemMetrics.USER32(00000007), ref: 007C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007C899B
GetSystemMetrics.USER32(00000008), ref: 007C89A3
GetSystemMetrics.USER32(00000004), ref: 007C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007C8A5A
GetStockObject.GDI32(00000011), ref: 007C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007C8A81

Part of subcall function 007C912D: GetCursorPos.USER32(?), ref: 007C9141
Part of subcall function 007C912D: ScreenToClient.USER32(00000000,?), ref: 007C915E
Part of subcall function 007C912D: GetAsyncKeyState.USER32(00000001), ref: 007C9183
Part of subcall function 007C912D: GetAsyncKeyState.USER32(00000002), ref: 007C919D

SetTimer.USER32(00000000,00000000,00000028,007C90FC), ref: 007C8AA8

Strings

AutoIt v3 GUI, xrefs: 007C8A20

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 21bad5887a6951e8a429dd5ee04059b893e63cdd167a6a8df35df2c513903126
Instruction ID: 8293708309932ccce6a3c8c1b09fbdbb734a17a459b3c0ef6f2d911d929b5645
Opcode Fuzzy Hash: 21bad5887a6951e8a429dd5ee04059b893e63cdd167a6a8df35df2c513903126
Instruction Fuzzy Hash: 8FB18A75A0020AAFDF54DFA8CC49BAE7BB9FB48314F11422DFA15E7290DB34A851CB51

Function 00810D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00811114
Part of subcall function 008110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811120
Part of subcall function 008110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 0081112F
Part of subcall function 008110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811136
Part of subcall function 008110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0081114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00810DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00810E29
GetLengthSid.ADVAPI32(?), ref: 00810E40
GetAce.ADVAPI32(?,00000000,?), ref: 00810E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00810E96
GetLengthSid.ADVAPI32(?), ref: 00810EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00810EB5
HeapAlloc.KERNEL32(00000000), ref: 00810EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00810EDD
CopySid.ADVAPI32(00000000), ref: 00810EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00810F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00810F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00810F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810F6E
HeapFree.KERNEL32(00000000), ref: 00810F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810F7E
HeapFree.KERNEL32(00000000), ref: 00810F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00810F8E
HeapFree.KERNEL32(00000000), ref: 00810F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00810FA1
HeapFree.KERNEL32(00000000), ref: 00810FA8

Part of subcall function 00811193: GetProcessHeap.KERNEL32(00000008,00810BB1,?,00000000,?,00810BB1,?), ref: 008111A1
Part of subcall function 00811193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00810BB1,?), ref: 008111A8
Part of subcall function 00811193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00810BB1,?), ref: 008111B7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 337e1eb813370e709417c086be5436925f92dabeff2125b56a97aef522fb7571
Instruction ID: 30cb46ac7d96d2665850688efda8f31fb9d5c29f5f0e013e73940b53b491ce77
Opcode Fuzzy Hash: 337e1eb813370e709417c086be5436925f92dabeff2125b56a97aef522fb7571
Instruction Fuzzy Hash: 9171487690120AABDB209FA5DC49BEEBBBCFF05300F044115E959E6191DB719A86CF60

Function 0083C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0083C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0084CC08,00000000,?,00000000,?,?), ref: 0083C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0083C5A4
_wcslen.LIBCMT ref: 0083C5F4
_wcslen.LIBCMT ref: 0083C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0083C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0083C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0083C84D
RegCloseKey.ADVAPI32(?), ref: 0083C881
RegCloseKey.ADVAPI32(00000000), ref: 0083C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0083C960

Strings

REG_EXPAND_SZ, xrefs: 0083C5CD
REG_DWORD, xrefs: 0083C804
REG_SZ, xrefs: 0083C644
REG_MULTI_SZ, xrefs: 0083C6F5
REG_BINARY, xrefs: 0083C913
REG_QWORD, xrefs: 0083C8C3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 297d0205f2057c368ca31631e4f9c8ac9832172233db467755d683ce83eb5c3b
Instruction ID: 19cc5cd4c630f8493a62c4cc936dd02d9bf427eabe57c65402344910b4ec52a5
Opcode Fuzzy Hash: 297d0205f2057c368ca31631e4f9c8ac9832172233db467755d683ce83eb5c3b
Instruction Fuzzy Hash: 5B123435604201DFCB14DF14C885B6AB7E5FF88714F14889DF89AAB2A2DB35ED41CB91

Function 0084091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008409C6
_wcslen.LIBCMT ref: 00840A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00840A54
_wcslen.LIBCMT ref: 00840A8A
_wcslen.LIBCMT ref: 00840B06
_wcslen.LIBCMT ref: 00840B81

Part of subcall function 007CF9F2: _wcslen.LIBCMT ref: 007CF9FD

Part of subcall function 00812BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00812BFA

Strings

ISCHECKED, xrefs: 00840CE1
GETTOTALCOUNT, xrefs: 008409F2, 00840A17
SELECT, xrefs: 00840D11
GETTEXT, xrefs: 00840C97
EXISTS, xrefs: 00840B7C, 00840B97
EXPAND, xrefs: 00840BF8
COLLAPSE, xrefs: 00840B01, 00840B1C
CHECK, xrefs: 00840A85, 00840AA0
UNCHECK, xrefs: 00840D3E
GETSELECTED, xrefs: 00840C4E
GETITEMCOUNT, xrefs: 00840C1E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 11f5358184063a390b88f9988477ef12a53897d931eaff3219dbe8da420ec9e1
Instruction ID: 55e4d8eb6a3f4d9bfca4a3d644c7bafdb43ed57f86d5de9b5f2341458b66eb6f
Opcode Fuzzy Hash: 11f5358184063a390b88f9988477ef12a53897d931eaff3219dbe8da420ec9e1
Instruction Fuzzy Hash: 10E17831608305DFC714DF24C491A6AB7E2FF98318B14895DF99A9B3A2D734ED49CB82

Function 0083C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0083B6AE,?,?), ref: 0083C9B5
_wcslen.LIBCMT ref: 0083C9F1
_wcslen.LIBCMT ref: 0083CA68
_wcslen.LIBCMT ref: 0083CA9E
_wcslen.LIBCMT ref: 0083CAF9
_wcslen.LIBCMT ref: 0083CB2F
_wcslen.LIBCMT ref: 0083CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0083CBBD
HKEY_CLASSES_ROOT, xrefs: 0083CAF3, 0083CAF8
HKU, xrefs: 0083CBF0
HKLM, xrefs: 0083CA98, 0083CA9D
HKEY_USERS, xrefs: 0083CBDF
HKCU, xrefs: 0083CBCE
HKEY_LOCAL_MACHINE, xrefs: 0083CA62, 0083CA67
HKCR, xrefs: 0083CB29, 0083CB2E
HKEY_CURRENT_CONFIG, xrefs: 0083CB79, 0083CB7E
HKCC, xrefs: 0083CBAC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 92ce81ddef22ef537d01200543781dbcbe4baa0aa70c0791b8ac7876f10f9fe2
Instruction ID: 9ca86d202b339990f141ed305aa969b5fbfacdef98adffa7c22e863867014045
Opcode Fuzzy Hash: 92ce81ddef22ef537d01200543781dbcbe4baa0aa70c0791b8ac7876f10f9fe2
Instruction Fuzzy Hash: 7271D37260012A8BCB20DE7CCD516BA73A5FBE0764F254529F866F7284EA35DD45C3E0

Function 0084833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084835A
_wcslen.LIBCMT ref: 0084836E
_wcslen.LIBCMT ref: 00848391
_wcslen.LIBCMT ref: 008483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00845BF2), ref: 0084844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00848487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00848501
FreeLibrary.KERNEL32(?), ref: 0084850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0084851D
DestroyIcon.USER32(?,?,?,?,?,00845BF2), ref: 0084852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00848549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00848555

Strings

.dll, xrefs: 008483AB
.icl, xrefs: 00848368
.exe, xrefs: 00848388

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 15f317537bd7df392fba25ab743e63f6cfd9526fcd82a442900d44ee0b921287
Instruction ID: 0755e91b7ab20ab911b55309e3dc2967c8d10a9aec67aeb3ad187cb982899be9
Opcode Fuzzy Hash: 15f317537bd7df392fba25ab743e63f6cfd9526fcd82a442900d44ee0b921287
Instruction Fuzzy Hash: B961AF71900219FBEB14DF64CC85BBE77ACFB04B11F10454AF915E61D1DB74AA90CBA0

Function 007B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 007B7847
Cannot parse #include, xrefs: 007F5279
#pragma compile, xrefs: 007B77D3
#comments-end, xrefs: 007B78D9
Unterminated group of comments, xrefs: 007F528C
#notrayicon, xrefs: 007B77E7
", xrefs: 007F5153
#comments-start, xrefs: 007B785F, 007B78B1
#cs, xrefs: 007B7873, 007B78C5
Bad directive syntax error, xrefs: 007F519A
#OnAutoItStartRegister, xrefs: 007B7817
#ce, xrefs: 007B78ED
#include-once, xrefs: 007B782F
#requireadmin, xrefs: 007B77FF
', xrefs: 007F5169

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1ed8306e6214df338f367dc9f1b98cc7345ed93b7ee3c4ccad7319e08a9c815a
Instruction ID: e9ae8844307ff727b0ea56be9e59a88c66f851b101d7ba9b43d039a3d3b105c7
Opcode Fuzzy Hash: 1ed8306e6214df338f367dc9f1b98cc7345ed93b7ee3c4ccad7319e08a9c815a
Instruction Fuzzy Hash: BB81C371A04609FBDB24AF60CC46FFE37A9FF55300F044025FA15AA296EB7CD911D6A1

Function 00823E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00823EF8
_wcslen.LIBCMT ref: 00823F03
_wcslen.LIBCMT ref: 00823F5A
_wcslen.LIBCMT ref: 00823F98
GetDriveTypeW.KERNEL32(?), ref: 00823FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0082401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00824059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00824087

Strings

wait, xrefs: 00824044
open, xrefs: 00823F54, 00823F59
set cd door , xrefs: 00824028
close cd wait, xrefs: 00824072
closed, xrefs: 00823F08, 00823F2D, 00823F46, 00823F7E, 00823F97
open , xrefs: 00823FE5
close, xrefs: 00823EFE, 00823F18
type cdaudio alias cd wait, xrefs: 00824001

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7a8d00cfb8414bf816bfec0c31da590350dd89975edab9292cd904dbeb019244
Instruction ID: e5fc2d533d9e1a16cf615f241f11eb5dadedea36d0b3f5ddcfd437aafe71a33b
Opcode Fuzzy Hash: 7a8d00cfb8414bf816bfec0c31da590350dd89975edab9292cd904dbeb019244
Instruction Fuzzy Hash: 267101326046119FC310EF24D8909AAB7F4FF94758F10892DF9A5D7251EB38ED89CB51

Function 00815A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00815A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00815A40
SetWindowTextW.USER32(?,?), ref: 00815A57
GetDlgItem.USER32(?,000003EA), ref: 00815A6C
SetWindowTextW.USER32(00000000,?), ref: 00815A72
GetDlgItem.USER32(?,000003E9), ref: 00815A82
SetWindowTextW.USER32(00000000,?), ref: 00815A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00815AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00815AC3
GetWindowRect.USER32(?,?), ref: 00815ACC
_wcslen.LIBCMT ref: 00815B33
SetWindowTextW.USER32(?,?), ref: 00815B6F
GetDesktopWindow.USER32 ref: 00815B75
GetWindowRect.USER32(00000000), ref: 00815B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00815BD3
GetClientRect.USER32(?,?), ref: 00815BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00815C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00815C2F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 1a4674c344b2de4132d1e20a0fb70f2298fdfeca4356c1a6e65832bbdb7ad9df
Instruction ID: 18d71799e6ad14f13930a64823c0960bdc378615cc513ea4a99d52609d6a2055
Opcode Fuzzy Hash: 1a4674c344b2de4132d1e20a0fb70f2298fdfeca4356c1a6e65832bbdb7ad9df
Instruction Fuzzy Hash: F2716F31900B09EFDB20DFA9CE85AAEBBF9FF88714F104519E542E25A0D775E984CB50

Function 0082FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0082FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0082FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0082FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0082FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0082FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0082FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0082FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0082FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0082FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0082FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0082FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0082FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0082FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0082FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0082FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0082FECC
GetCursorInfo.USER32(?), ref: 0082FEDC
GetLastError.KERNEL32 ref: 0082FF1E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2b9e669b75deb0085c38591913aa42ca1d423837d60f74dd56c4adf797f351cc
Instruction ID: 043c68343e12d85225fac4952fd7b9c99572e6c9bdcfe6e916b6ec6e18499a0f
Opcode Fuzzy Hash: 2b9e669b75deb0085c38591913aa42ca1d423837d60f74dd56c4adf797f351cc
Instruction Fuzzy Hash: 314160B0D04319AADB109FBA9C8985EBFF8FF04354B50853AF119E7281DB78A941CE90

Function 007D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007D00C6

Part of subcall function 007D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0088070C,00000FA0,EAA3E3AD,?,?,?,?,007F23B3,000000FF), ref: 007D011C
Part of subcall function 007D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007F23B3,000000FF), ref: 007D0127
Part of subcall function 007D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007F23B3,000000FF), ref: 007D0138
Part of subcall function 007D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007D014E
Part of subcall function 007D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007D015C
Part of subcall function 007D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007D016A
Part of subcall function 007D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007D0195
Part of subcall function 007D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007D01A0

___scrt_fastfail.LIBCMT ref: 007D00E7

Part of subcall function 007D00A3: __onexit.LIBCMT ref: 007D00A9

Strings

WakeAllConditionVariable, xrefs: 007D0162
InitializeConditionVariable, xrefs: 007D0148
SleepConditionVariableCS, xrefs: 007D0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 007D0122
kernel32.dll, xrefs: 007D0133

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fb5fc22f96e3cff6248dc2f0653c1cb4342d459d20ec6aaee3f4f9b64ae1e7d8
Instruction ID: 5c245c9f306993479fbfc1a9d13b205c66e4fc8408f9863c02985868cfb002ab
Opcode Fuzzy Hash: fb5fc22f96e3cff6248dc2f0653c1cb4342d459d20ec6aaee3f4f9b64ae1e7d8
Instruction Fuzzy Hash: 0D21C636A45719ABE7506BA4AC09B6E77E8FB05B51F10013FF911E3392DB7E98008AD0

Function 008130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0081318D
_wcslen.LIBCMT ref: 008131F8

Strings

CLASSNN, xrefs: 008131F3, 00813204
CLASS, xrefs: 00813188, 008131A5
TEXT, xrefs: 0081347C
REGEXPCLASS, xrefs: 00813255, 00813266
INSTANCE, xrefs: 00813453
NAME, xrefs: 00813335, 00813346

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a8137b3f5c9445f4494a8947a0c393c5cd25e3b5b73f82fe5e319595d5c56ef2
Instruction ID: 0fedceb0302cbd488bfd94d1c42bd4f4bd7e2ba3d28bf9bbc2925dd844819846
Opcode Fuzzy Hash: a8137b3f5c9445f4494a8947a0c393c5cd25e3b5b73f82fe5e319595d5c56ef2
Instruction Fuzzy Hash: 63E1E432A00516EBCB189FA8C455BEDFBB9FF54710F54812AE566F7240DB30AEC98790

Function 008244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0084CC08), ref: 00824527
_wcslen.LIBCMT ref: 0082453B
_wcslen.LIBCMT ref: 00824599
_wcslen.LIBCMT ref: 008245F4
_wcslen.LIBCMT ref: 0082463F
_wcslen.LIBCMT ref: 008246A7

Part of subcall function 007CF9F2: _wcslen.LIBCMT ref: 007CF9FD

GetDriveTypeW.KERNEL32(?,00876BF0,00000061), ref: 00824743

Strings

network, xrefs: 0082469D, 008246A2
removable, xrefs: 008245EA, 008245EF
all, xrefs: 00824531, 00824536
fixed, xrefs: 00824635, 0082463A
unknown, xrefs: 00824708
ramdisk, xrefs: 008246F1
cdrom, xrefs: 0082458F, 00824594

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0ce5cbb06bdf287ad6008cb94fe77b48c7af531ac44dd64504502d91b3904ddb
Instruction ID: a922b0521a8c074d8b507d955d448b3b9ffd4edd28cf4bebd4f6f4dab113efae
Opcode Fuzzy Hash: 0ce5cbb06bdf287ad6008cb94fe77b48c7af531ac44dd64504502d91b3904ddb
Instruction Fuzzy Hash: A1B112316083229FC710DF28E890A6EB7E5FFA5724F50591DF5AAC7291E734D884CB62

Function 00833FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0084CC08), ref: 008340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0084CC08), ref: 008340F2
FreeLibrary.KERNEL32(00000000,?,0084CC08), ref: 0083413E
StringFromGUID2.OLE32(?,?,00000028,?,0084CC08), ref: 008341A8
SysFreeString.OLEAUT32(00000009), ref: 00834262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008342C8
SysFreeString.OLEAUT32(?), ref: 008342F2

Strings

kernel32.dll, xrefs: 008340B6
GetModuleHandleExW, xrefs: 008340C7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 4ed91841bbe92b514f4a2b006addf9b61e4f5ddff4ae81c5fd90b4b6d43f5d87
Instruction ID: 2e4ae6a385866f397824fe749e10ef71288891ceeec14c517b0fd55e8b81d250
Opcode Fuzzy Hash: 4ed91841bbe92b514f4a2b006addf9b61e4f5ddff4ae81c5fd90b4b6d43f5d87
Instruction Fuzzy Hash: 99122D75A00119EFDB14CF94C884EAEBBB9FF85318F248098E905EB251D731ED46CBA0

Function 007B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00881990), ref: 007F2F8D
GetMenuItemCount.USER32(00881990), ref: 007F303D
GetCursorPos.USER32(?), ref: 007F3081
SetForegroundWindow.USER32(00000000), ref: 007F308A
TrackPopupMenuEx.USER32(00881990,00000000,?,00000000,00000000,00000000), ref: 007F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007F30A9

Strings

0, xrefs: 007B327D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a1d8b536b3ab54fa66dde813e5c94c6697b7b97fd18966722f5b4b625007b585
Instruction ID: ce8344698765f5ab8dfbc8e13e75fc09c1031beeb5a925525f7bfb7b9b137017
Opcode Fuzzy Hash: a1d8b536b3ab54fa66dde813e5c94c6697b7b97fd18966722f5b4b625007b585
Instruction Fuzzy Hash: B5712D70644209BEEB218F64CC49FEABF69FF05324F204216F615A62D1C7B9AD50DB51

Function 00846CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00846DEB

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00846E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00846E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00846E94
DestroyWindow.USER32(?), ref: 00846EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007B0000,00000000), ref: 00846EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00846EFD
GetDesktopWindow.USER32 ref: 00846F16
GetWindowRect.USER32(00000000), ref: 00846F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00846F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00846F4D

Part of subcall function 007C9944: GetWindowLongW.USER32(?,000000EB), ref: 007C9952

Strings

0, xrefs: 00846D98
tooltips_class32, xrefs: 00846E58, 00846EDD

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7324067461c5b0abb4bd5c1edd98fc0aea3392cecda6757137138d198a0764fa
Instruction ID: 59fbb75dd60c66bc5a3a352b1f24904d8d8c8462b208c094b4b13a2d77133f45
Opcode Fuzzy Hash: 7324067461c5b0abb4bd5c1edd98fc0aea3392cecda6757137138d198a0764fa
Instruction Fuzzy Hash: 9A714674104348AFDB61CF18DC48BAABBE9FB8A304F54441DF999C7261DB74A91ACB12

Function 0084911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00849147

Part of subcall function 00847674: ClientToScreen.USER32(?,?), ref: 0084769A
Part of subcall function 00847674: GetWindowRect.USER32(?,?), ref: 00847710
Part of subcall function 00847674: PtInRect.USER32(?,?,00848B89), ref: 00847720

SendMessageW.USER32(?,000000B0,?,?), ref: 008491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00849225
SendMessageW.USER32(?,000000B0,?,?), ref: 0084923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00849255
SendMessageW.USER32(?,000000B1,?,?), ref: 00849277
DragFinish.SHELL32(?), ref: 0084927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00849371

Strings

@GUI_DRAGFILE, xrefs: 00849320
@GUI_DROPID, xrefs: 0084929E
@GUI_DRAGID, xrefs: 008492E9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 73234da629cbd78eb70dcfc152f34a4d3252928702f820598f720f00c8b5ca71
Instruction ID: bdbbfa59c9f06e861bfc0e85633b40ae4c7a2a46a3a1954221d2fa731e0e9048
Opcode Fuzzy Hash: 73234da629cbd78eb70dcfc152f34a4d3252928702f820598f720f00c8b5ca71
Instruction Fuzzy Hash: 07617C71108305AFD701EF64DC89EAFBBE8FF89350F40491DF6A5922A1DB709A49CB52

Function 0082C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0082C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0082C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0082C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0082C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0082C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0082C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0082C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0082C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0082C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0082C5F0
InternetCloseHandle.WININET(00000000), ref: 0082C5FB

Strings

, xrefs: 0082C575

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f298dea88832a5e65c1a29458ebb40c6e3ff002fd90ea0b71bd33c0f4f6d804e
Instruction ID: c652945e43e4d41af07cab9cdc426af269a9cc61754e98b66f1b20f1297b3179
Opcode Fuzzy Hash: f298dea88832a5e65c1a29458ebb40c6e3ff002fd90ea0b71bd33c0f4f6d804e
Instruction Fuzzy Hash: 4D5158B4500618AFEB219F64DA88ABB7BFCFF09344F00441AF945D6250DB74E984DB60

Function 0084856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00848592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485BA
GlobalLock.KERNEL32(00000000), ref: 008485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485D7
GlobalUnlock.KERNEL32(00000000), ref: 008485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0084FC38,?), ref: 00848611
GlobalFree.KERNEL32(00000000), ref: 00848621
GetObjectW.GDI32(?,00000018,?), ref: 00848641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00848671
DeleteObject.GDI32(?), ref: 00848699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008486AF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6e08ea6f6a589543d07bbed1e3c1eb075cffe3d2ea23c9687765bea4b09db686
Instruction ID: 7da7ef7db1ef7a90081bfab9c8421dccd1309b2c1413ec2e677ef774535f6a14
Opcode Fuzzy Hash: 6e08ea6f6a589543d07bbed1e3c1eb075cffe3d2ea23c9687765bea4b09db686
Instruction Fuzzy Hash: D8412979601208EFDB519FA5CC48EAE7BBCFF9A715F118058F909E7260DB749901DB20

Function 008214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00821502
VariantCopy.OLEAUT32(?,?), ref: 0082150B
VariantClear.OLEAUT32(?), ref: 00821517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00821657
VariantInit.OLEAUT32(?), ref: 00821708
SysFreeString.OLEAUT32(?), ref: 0082178C
VariantClear.OLEAUT32(?), ref: 008217D8
VariantClear.OLEAUT32(?), ref: 008217E7
VariantInit.OLEAUT32(00000000), ref: 00821823

Strings

Default, xrefs: 008216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00821625

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d27d66d1397570efa1b24bb300897270d60de9aee44f815f873a66d03a141748
Instruction ID: 15a55445df01e1e8f38bac0e7d42cfb47e89e0e35077e7c34c292fe008193826
Opcode Fuzzy Hash: d27d66d1397570efa1b24bb300897270d60de9aee44f815f873a66d03a141748
Instruction Fuzzy Hash: 4CD1CF71A00229EBDF109F65E98DBB9B7B5FF55704F24809AE406EB180DB34EC81DB61

Function 0083B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 0083C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0083B6AE,?,?), ref: 0083C9B5
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083C9F1
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA68
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0083B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0083B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0083B80A
RegCloseKey.ADVAPI32(?), ref: 0083B87E
RegCloseKey.ADVAPI32(?), ref: 0083B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0083B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0083B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0083B922
FreeLibrary.KERNEL32(00000000), ref: 0083B983
RegCloseKey.ADVAPI32(00000000), ref: 0083B994

Strings

RegDeleteKeyExW, xrefs: 0083B8FE
advapi32.dll, xrefs: 0083B8ED

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a54c3aa904fc45b99503c02276fc718fba4217feda7901b5a0ce10c95142ad81
Instruction ID: 30513ba37bd3a0391948f638cf2344f51ef3e724e4cb0e6172822ab24584d91f
Opcode Fuzzy Hash: a54c3aa904fc45b99503c02276fc718fba4217feda7901b5a0ce10c95142ad81
Instruction Fuzzy Hash: 03C17A75208201EFD710DF14C499B6ABBE5FF84318F18849CF69A8B2A2DB35ED45CB91

Function 0083255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008325E8
CreateCompatibleDC.GDI32(?), ref: 008325F4
SelectObject.GDI32(00000000,?), ref: 00832601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0083266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008326D0
SelectObject.GDI32(?,?), ref: 008326D8
DeleteObject.GDI32(?), ref: 008326E1
DeleteDC.GDI32(?), ref: 008326E8
ReleaseDC.USER32(00000000,?), ref: 008326F3

Strings

(, xrefs: 0083268D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 19a0b26b4eff8a0e1cf11119c44bf03b69ddeb50e87162f45dacba9101f70247
Instruction ID: e8186a6d8b64aa710d723f887d49b43914c7514245dced594197877913144902
Opcode Fuzzy Hash: 19a0b26b4eff8a0e1cf11119c44bf03b69ddeb50e87162f45dacba9101f70247
Instruction Fuzzy Hash: CB61E275D01219EFCF14CFA8D885AAEBBBAFF48310F208529E955E7250E770A951CF90

Function 007EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007EDAA1

Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED659
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED66B
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED67D
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED68F
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6A1
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6B3
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6C5
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6D7
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6E9
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED6FB
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED70D
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED71F
Part of subcall function 007ED63C: _free.LIBCMT ref: 007ED731

_free.LIBCMT ref: 007EDA96

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007EDAB8
_free.LIBCMT ref: 007EDACD
_free.LIBCMT ref: 007EDAD8
_free.LIBCMT ref: 007EDAFA
_free.LIBCMT ref: 007EDB0D
_free.LIBCMT ref: 007EDB1B
_free.LIBCMT ref: 007EDB26
_free.LIBCMT ref: 007EDB5E
_free.LIBCMT ref: 007EDB65
_free.LIBCMT ref: 007EDB82
_free.LIBCMT ref: 007EDB9A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4d5840bfc30ca9022307aa1ecd3015d85341cc2b50ad69d6863f88f0ff58c12
Instruction ID: cadab9b782c309b43f8f849fc2163c742b30370a4ad6403aaf63d0bd409cb1ad
Opcode Fuzzy Hash: b4d5840bfc30ca9022307aa1ecd3015d85341cc2b50ad69d6863f88f0ff58c12
Instruction Fuzzy Hash: 62315F71506288DFDB31AA76D84AB5677E8FF08310F115429E458E71A2EA3DFD418B20

Function 0081365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0081369C
_wcslen.LIBCMT ref: 008136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00813797
GetClassNameW.USER32(?,?,00000400), ref: 0081380C
GetDlgCtrlID.USER32(?), ref: 0081385D
GetWindowRect.USER32(?,?), ref: 00813882
GetParent.USER32(?), ref: 008138A0
ScreenToClient.USER32(00000000), ref: 008138A7
GetClassNameW.USER32(?,?,00000100), ref: 00813921
GetWindowTextW.USER32(?,?,00000400), ref: 0081395D

Strings

%s%u, xrefs: 00813734

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a84072a21a3d19320f277c12d6fda2d5eee65f28471c589ccf53badaa9a65334
Instruction ID: b8174ff7018e758bc9656e04ec2446cebe36a206382cb83e366266fa773738bf
Opcode Fuzzy Hash: a84072a21a3d19320f277c12d6fda2d5eee65f28471c589ccf53badaa9a65334
Instruction Fuzzy Hash: C291AF71204606AFD719DF24C885FEAFBACFF45350F008629F999D2190DB34EA95CBA1

Function 00814954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00814994
GetWindowTextW.USER32(?,?,00000400), ref: 008149DA
_wcslen.LIBCMT ref: 008149EB
CharUpperBuffW.USER32(?,00000000), ref: 008149F7
_wcsstr.LIBVCRUNTIME ref: 00814A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00814A64
GetWindowTextW.USER32(?,?,00000400), ref: 00814A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00814AE6
GetClassNameW.USER32(?,?,00000400), ref: 00814B20
GetWindowRect.USER32(?,?), ref: 00814B8B

Strings

ThumbnailClass, xrefs: 00814A6F, 00814AF1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4c35fe6e6f5a247bdd25830eca6ca770d27be02f05abf4b5ef2031bc679643ed
Instruction ID: d39455dc301cfbb0c8bd6abfc5b9519509f65586d4c80559f349caab81242975
Opcode Fuzzy Hash: 4c35fe6e6f5a247bdd25830eca6ca770d27be02f05abf4b5ef2031bc679643ed
Instruction Fuzzy Hash: D4919C710082059BDB04CF54C985BEA7BECFF84354F04946AFD8ADA196EB34ED85CBA1

Function 00848D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00848D5A
GetFocus.USER32 ref: 00848D6A
GetDlgCtrlID.USER32(00000000), ref: 00848D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00848E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00848ECF
GetMenuItemCount.USER32(?), ref: 00848EEC
GetMenuItemID.USER32(?,00000000), ref: 00848EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00848F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00848F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00848FA1

Strings

0, xrefs: 00848E9F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 4549fcead4d78ac73c0cb217f6fc99b5495b059604ec6afd907a37306efcf71e
Instruction ID: 5bad8e09058de36a4293973079b428c4bb4f82458316c40a8778dadf65e45d74
Opcode Fuzzy Hash: 4549fcead4d78ac73c0cb217f6fc99b5495b059604ec6afd907a37306efcf71e
Instruction Fuzzy Hash: E6817A71508309EBDB10CF28D888AAFBBE9FB89754F14091DF995D7291DB30D905CBA2

Function 0081BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00881990,000000FF,00000000,00000030), ref: 0081BFAC
SetMenuItemInfoW.USER32(00881990,00000004,00000000,00000030), ref: 0081BFE1
Sleep.KERNEL32(000001F4), ref: 0081BFF3
GetMenuItemCount.USER32(?), ref: 0081C039
GetMenuItemID.USER32(?,00000000), ref: 0081C056
GetMenuItemID.USER32(?,-00000001), ref: 0081C082
GetMenuItemID.USER32(?,?), ref: 0081C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0081C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0081C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0081C145

Strings

0, xrefs: 0081BF3D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 262cde61f2206fdcb93278877392d95e5379a2b20d64e962c00b82d99f00ca33
Instruction ID: 367f7f1afec4795ccb081c6da047aa1aa522907223a79dbc9b0dd2b170bc19de
Opcode Fuzzy Hash: 262cde61f2206fdcb93278877392d95e5379a2b20d64e962c00b82d99f00ca33
Instruction Fuzzy Hash: 51615AB498024AABDF11CF68DC88AEEBBADFF06344F104155E811E3291CB35AD85CB61

Function 0081DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0081DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0081DC46
_wcslen.LIBCMT ref: 0081DC50
_wcsstr.LIBVCRUNTIME ref: 0081DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0081DCBC

Strings

DefaultLangCodepage, xrefs: 0081DD1F
%u.%u.%u.%u, xrefs: 0081DD9A
StringFileInfo\, xrefs: 0081DC8F
04090000, xrefs: 0081DCF2
\VarFileInfo\Translation, xrefs: 0081DCB4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 924ac28626b6a1770765b58d5d8d3d9e99b408696beefd5851ac86ee9cf539d0
Instruction ID: b6763382772271541a1fe13c1474bb7c79e652c8e0e54095df0bb97da0c11f90
Opcode Fuzzy Hash: 924ac28626b6a1770765b58d5d8d3d9e99b408696beefd5851ac86ee9cf539d0
Instruction Fuzzy Hash: B541F372A40305BBDB10A765AC4BFFF377CFF52710F10406AF900E6282EA78A90196A5

Function 0083CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0083CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0083CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0083CD48

Part of subcall function 0083CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0083CCAA
Part of subcall function 0083CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0083CCBD
Part of subcall function 0083CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0083CCCF
Part of subcall function 0083CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0083CD05
Part of subcall function 0083CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0083CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0083CCF3

Strings

RegDeleteKeyExW, xrefs: 0083CCC9
advapi32.dll, xrefs: 0083CCB8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 236d771883ecb8f5718df8a4d68d6aeb2cc41e63fef33f405f5dd9dfdb5d0d5c
Instruction ID: 22b0f1c9fc82eb60db71aec6aa43807974f58b74acdc6b38951f65299314fbbe
Opcode Fuzzy Hash: 236d771883ecb8f5718df8a4d68d6aeb2cc41e63fef33f405f5dd9dfdb5d0d5c
Instruction Fuzzy Hash: E9316C75902129BBDB609B65DC88EFFBB7CFF86754F000165B906E2240DA349A45DBE0

Function 00823D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00823D40
_wcslen.LIBCMT ref: 00823D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00823D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00823DBE
RemoveDirectoryW.KERNEL32(?), ref: 00823DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00823E55
CloseHandle.KERNEL32(00000000), ref: 00823E60
CloseHandle.KERNEL32(00000000), ref: 00823E6B

Strings

\??\%s, xrefs: 00823D5B
:, xrefs: 00823D82
\, xrefs: 00823D77

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 5f0a3dcb3bbc06d1f1b19e66dc39d7fcc556453781af9770c3d5d753772d8af2
Instruction ID: d7ec37b13efa586e67184ed12d2c18261143e34b1aa1e80b6813f2a05535bd97
Opcode Fuzzy Hash: 5f0a3dcb3bbc06d1f1b19e66dc39d7fcc556453781af9770c3d5d753772d8af2
Instruction Fuzzy Hash: 1F31A176A00219ABDB209FA0DC49FEB37BCFF89700F1041A6F509D6160E7789784CB24

Function 0081E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0081E6B4

Part of subcall function 007CE551: timeGetTime.WINMM(?,?,0081E6D4), ref: 007CE555

Sleep.KERNEL32(0000000A), ref: 0081E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0081E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0081E727
SetActiveWindow.USER32 ref: 0081E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0081E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0081E773
Sleep.KERNEL32(000000FA), ref: 0081E77E
IsWindow.USER32 ref: 0081E78A
EndDialog.USER32(00000000), ref: 0081E79B

Strings

BUTTON, xrefs: 0081E719

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 22c13e52455321b8ca7607fcb0225ed33e9f6ebc23cc8a47bcbf6cc2d1258a7e
Instruction ID: 3ea98f274d18cb4169a702da365f9b00772bda9d6865b8e2c172d0039125f18f
Opcode Fuzzy Hash: 22c13e52455321b8ca7607fcb0225ed33e9f6ebc23cc8a47bcbf6cc2d1258a7e
Instruction Fuzzy Hash: 96218174201204AFFB50DF68EC89E653BADFF76748F144424F915C22A1EB75AC80CB25

Function 0081E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0081EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0081EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0081EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0081EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0081EAA7

Strings

close PlayMe, xrefs: 0081EA6E, 0081EA9B
status PlayMe mode, xrefs: 0081EA58
play PlayMe wait, xrefs: 0081EA91
open , xrefs: 0081EA0C
alias PlayMe, xrefs: 0081EA36
play PlayMe, xrefs: 0081EAA2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e6bf2cb8509cf0db647adb5d170499a85c357bb953b725aa0141290a9e7839cb
Instruction ID: 466c79ea8bfe02a29b2e9699877d591223304839b2db0a0920f8bc2a81929720
Opcode Fuzzy Hash: e6bf2cb8509cf0db647adb5d170499a85c357bb953b725aa0141290a9e7839cb
Instruction Fuzzy Hash: 1511BF20A50229B9D720A3A1DC4AEFB6F7CFFD1B40F000429B925E20D5EA744984C5B0

Function 00819F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0081A012
SetKeyboardState.USER32(?), ref: 0081A07D
GetAsyncKeyState.USER32(000000A0), ref: 0081A09D
GetKeyState.USER32(000000A0), ref: 0081A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0081A0E3
GetKeyState.USER32(000000A1), ref: 0081A0F4
GetAsyncKeyState.USER32(00000011), ref: 0081A120
GetKeyState.USER32(00000011), ref: 0081A12E
GetAsyncKeyState.USER32(00000012), ref: 0081A157
GetKeyState.USER32(00000012), ref: 0081A165
GetAsyncKeyState.USER32(0000005B), ref: 0081A18E
GetKeyState.USER32(0000005B), ref: 0081A19C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 497a251811f0993f0798f257375429fc50bc91dec2e6000eb5f95f13b0f4b153
Instruction ID: 7bb4f49127d558ea732d146b7d421f176b9fce52cb93254030d5f38b1a29d488
Opcode Fuzzy Hash: 497a251811f0993f0798f257375429fc50bc91dec2e6000eb5f95f13b0f4b153
Instruction Fuzzy Hash: 4E51B96490578469FB39DB64C4117EABFBCEF12340F084599D5C2D61C2DA649ACCC763

Function 00815CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00815CE2
GetWindowRect.USER32(00000000,?), ref: 00815CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00815D59
GetDlgItem.USER32(?,00000002), ref: 00815D69
GetWindowRect.USER32(00000000,?), ref: 00815D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00815DCF
GetDlgItem.USER32(?,000003E9), ref: 00815DDD
GetWindowRect.USER32(00000000,?), ref: 00815DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00815E31
GetDlgItem.USER32(?,000003EA), ref: 00815E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00815E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00815E67

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: df0719639641416704eabca035255ab84f0f749b18f3771593a4b201515f0403
Instruction ID: 0eb812a29dc43a0ca2b843a20ade7daea5dcc3de54e3bfe8f0eacaf70f353b37
Opcode Fuzzy Hash: df0719639641416704eabca035255ab84f0f749b18f3771593a4b201515f0403
Instruction Fuzzy Hash: BE510E75B01609AFDF18CF68DD89AAEBBB9FF89300F148129F915E6290D7709E40CB50

Function 007C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007C8BE8,?,00000000,?,?,?,?,007C8BBA,00000000,?), ref: 007C8FC5

DestroyWindow.USER32(?), ref: 007C8C81
KillTimer.USER32(00000000,?,?,?,?,007C8BBA,00000000,?), ref: 007C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00806973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007C8BBA,00000000,?), ref: 008069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007C8BBA,00000000,?), ref: 008069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007C8BBA,00000000), ref: 008069D4
DeleteObject.GDI32(00000000), ref: 008069E6

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 59f78126dd5f9fda10547256c65b812d82d84c57e13774994908d9309df60b37
Instruction ID: bcb263434e6f0378092e68be610bd50ffb88919ec2be2df314bcc872dc5a5daf
Opcode Fuzzy Hash: 59f78126dd5f9fda10547256c65b812d82d84c57e13774994908d9309df60b37
Instruction Fuzzy Hash: 3561BD31102A10DFCBB59F18DD48B25BBF5FB41312F14456CE0429BAA0CB39ACA1DFA6

Function 007C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007C9944: GetWindowLongW.USER32(?,000000EB), ref: 007C9952

GetSysColor.USER32(0000000F), ref: 007C9862

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e0d57f440088004a5f9b58c821e61bbba51619d6b014fa08e57b2500c340d0d0
Instruction ID: 5b267e0ef934107272f051fbd7921e2ba9c0aa5ba0533bccb465315cd8ecbcb9
Opcode Fuzzy Hash: e0d57f440088004a5f9b58c821e61bbba51619d6b014fa08e57b2500c340d0d0
Instruction Fuzzy Hash: 79417D35505640AFDBA05F389C88FB93BA9FB47330F14465DFAA2871E2D735A942DB10

Function 007E8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.}, xrefs: 007E903A, 007E8FD0, 007E8FF2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: .}
API String ID: 0-2266125135
Opcode ID: f9e43d3984fe416a90cab7291451a35ea3c5704c9c9fbed47d7df97e1be1d1ea
Instruction ID: 2be937ed8ee9abca35004e715190fcad8cb3275e3a1b5ce37c4b2fe708a5de9b
Opcode Fuzzy Hash: f9e43d3984fe416a90cab7291451a35ea3c5704c9c9fbed47d7df97e1be1d1ea
Instruction Fuzzy Hash: 2AC13675905289EFCF51DFAAC844BADBBB0BF0D310F044199E619AB392C7389941CF61

Function 008196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,007FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00819717
LoadStringW.USER32(00000000,?,007FF7F8,00000001), ref: 00819720

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,007FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00819742
LoadStringW.USER32(00000000,?,007FF7F8,00000001), ref: 00819745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00819866

Strings

^ ERROR, xrefs: 008197FB
%s (%d) : ==> %s: %s %s, xrefs: 0081984A
Error: , xrefs: 0081981D
Line %d:, xrefs: 008197A0
Line %d (File "%s"):, xrefs: 0081978F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3cfda51a4965d2061224a6e9395e96e044ee31c20fcd36766a41474d2b0354b4
Instruction ID: 3da26277cd922559b3b0e6bc49e58a195898d5cb668853ce9604f15d9db22a2e
Opcode Fuzzy Hash: 3cfda51a4965d2061224a6e9395e96e044ee31c20fcd36766a41474d2b0354b4
Instruction Fuzzy Hash: AF411371800219AACB04EBE4DD9AEEEB77CFF55340F504465F605B2192EB396F88CB61

Function 008106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00810804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0081082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00810837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0081083C

Strings

\CLSID, xrefs: 00810724
SOFTWARE\Classes\, xrefs: 0081070E
\IPC$, xrefs: 00810784

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 18910849108dce7a890fcdc0a30a1b75a0a00d841621e82f73c55500dd898c4d
Instruction ID: c41c86ff60da3f0400585c3dd958b69d18e7d4d9c590baab1d0996459de86142
Opcode Fuzzy Hash: 18910849108dce7a890fcdc0a30a1b75a0a00d841621e82f73c55500dd898c4d
Instruction Fuzzy Hash: 0B413872C00229EBDF11EBA4DC89DEEB778FF04340B144129E915A31A1EB74AE84CF90

Function 00843F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0084403B
CreateCompatibleDC.GDI32(00000000), ref: 00844042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00844055
SelectObject.GDI32(00000000,00000000), ref: 0084405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00844068
DeleteDC.GDI32(00000000), ref: 00844072
GetWindowLongW.USER32(?,000000EC), ref: 0084407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00844092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0084409E

Strings

static, xrefs: 00843FD3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f43762fff08b41bb2b9b57e8f9cd59e48343ad725734019cddc951b628d8b9b9
Instruction ID: 4b38fab7eda6b3b3ef4c4f8c1fe1da5bb9d282187d89e48847d2a202fdd98c2e
Opcode Fuzzy Hash: f43762fff08b41bb2b9b57e8f9cd59e48343ad725734019cddc951b628d8b9b9
Instruction Fuzzy Hash: 43315A36502219ABDF619FA8DC09FDA3B6CFF0E324F110215FA59E61A0D775D820DB54

Function 00833C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00833C5C
CoInitialize.OLE32(00000000), ref: 00833C8A
CoUninitialize.OLE32 ref: 00833C94
_wcslen.LIBCMT ref: 00833D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00833DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00833ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00833F0E
CoGetObject.OLE32(?,00000000,0084FB98,?), ref: 00833F2D
SetErrorMode.KERNEL32(00000000), ref: 00833F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00833FC4
VariantClear.OLEAUT32(?), ref: 00833FD8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 310b64ab8eba9e7c3be35206d2d3682098833e9b83f6811a07eb76747ff0ddf8
Instruction ID: b0c05532ad7d56a888cb74c4010604013c8d576b1888322cbecfbabd622cf773
Opcode Fuzzy Hash: 310b64ab8eba9e7c3be35206d2d3682098833e9b83f6811a07eb76747ff0ddf8
Instruction Fuzzy Hash: FDC11271608205AFD700DF68C88496BBBE9FF89748F10491DF98ADB211DB71EE45CB92

Function 00827A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00827AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00827B8F
SHGetDesktopFolder.SHELL32(?), ref: 00827BA3
CoCreateInstance.OLE32(0084FD08,00000000,00000001,00876E6C,?), ref: 00827BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00827C74
CoTaskMemFree.OLE32(?,?), ref: 00827CCC
SHBrowseForFolderW.SHELL32(?), ref: 00827D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00827D7A
CoTaskMemFree.OLE32(00000000), ref: 00827D81
CoTaskMemFree.OLE32(00000000), ref: 00827DD6
CoUninitialize.OLE32 ref: 00827DDC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4b26ce802809a17d1dd9ff50a2160ae52aa40e721815ce3e31da4cf5b6ba362e
Instruction ID: 3e07028b8b9a9bdecc91e7ec1a2ce444fd55c8370204e76c459b60ea7b55d35e
Opcode Fuzzy Hash: 4b26ce802809a17d1dd9ff50a2160ae52aa40e721815ce3e31da4cf5b6ba362e
Instruction Fuzzy Hash: 2DC14B75A00119EFCB14DFA4D888DAEBBF9FF48304B1484A9E916DB261D730ED81CB90

Function 0084541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00845504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00845515
CharNextW.USER32(00000158), ref: 00845544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00845585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0084559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008455AC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 4cfbe50355e38dd0333251ad56e587f816efc3953ca398ac610f21f2b0026575
Instruction ID: 8dfd5ab271c0b9f81d60831491258d3683578e9a2e4c0435a98da25e36755efd
Opcode Fuzzy Hash: 4cfbe50355e38dd0333251ad56e587f816efc3953ca398ac610f21f2b0026575
Instruction Fuzzy Hash: 21619F7490560CEFDF509F64CC849FE7BB9FB06728F108149F925EA292D7748A81DB60

Function 0080FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0080FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0080FB08
VariantInit.OLEAUT32(?), ref: 0080FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0080FB3A
VariantCopy.OLEAUT32(?,?), ref: 0080FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0080FBA1
VariantClear.OLEAUT32(?), ref: 0080FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0080FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0080FBCC
VariantClear.OLEAUT32(?), ref: 0080FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0080FBE9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 73454fe1ff715a895f3dcde965c7f42dbf9aa5f6f8979d3327ca3674efa20e18
Instruction ID: e1a3dc52d10de2c2d2ec2c207d72e608bbb37b7187ac62d38be907bfa884417d
Opcode Fuzzy Hash: 73454fe1ff715a895f3dcde965c7f42dbf9aa5f6f8979d3327ca3674efa20e18
Instruction Fuzzy Hash: 63415F35A01219DFCB50DF68CC689AEBBB9FF49354F00C069E945E7262CB34A945CFA4

Function 00819C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00819CA1
GetAsyncKeyState.USER32(000000A0), ref: 00819D22
GetKeyState.USER32(000000A0), ref: 00819D3D
GetAsyncKeyState.USER32(000000A1), ref: 00819D57
GetKeyState.USER32(000000A1), ref: 00819D6C
GetAsyncKeyState.USER32(00000011), ref: 00819D84
GetKeyState.USER32(00000011), ref: 00819D96
GetAsyncKeyState.USER32(00000012), ref: 00819DAE
GetKeyState.USER32(00000012), ref: 00819DC0
GetAsyncKeyState.USER32(0000005B), ref: 00819DD8
GetKeyState.USER32(0000005B), ref: 00819DEA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d386c8a2160d8b4e9696b6cff84dd06ffe703883b29f3161f89eec673f896949
Instruction ID: 4ac756ada051ed6f5c97e8d2a3ef22eafb4b79da475fa8f9ee0feff2d421e4d1
Opcode Fuzzy Hash: d386c8a2160d8b4e9696b6cff84dd06ffe703883b29f3161f89eec673f896949
Instruction Fuzzy Hash: E241D5346047C96DFF708664D8243F5BEE8FF12344F08805ADAC6965C2EBA499C8C7A2

Function 0083055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008305BC
inet_addr.WSOCK32(?), ref: 0083061C
gethostbyname.WSOCK32(?), ref: 00830628
IcmpCreateFile.IPHLPAPI ref: 00830636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008307B9
WSACleanup.WSOCK32 ref: 008307BF

Strings

Ping, xrefs: 00830676

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6c6303b5456878311cc395fd0f43ac3b7e4b6ee3c5b556f13f9d42707e2839d2
Instruction ID: 890a9b139598f197213da5b6c45959010b813cdda79e84996e8a0abf4f09147b
Opcode Fuzzy Hash: 6c6303b5456878311cc395fd0f43ac3b7e4b6ee3c5b556f13f9d42707e2839d2
Instruction Fuzzy Hash: 4A9167356082019FD320DF19C899B1ABBE4FF88318F1485A9E46ADB6A2C735EC41CFD1

Function 00838CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00838CF3

Part of subcall function 00818E54: _wcslen.LIBCMT ref: 00818E77

_wcslen.LIBCMT ref: 00838D4E
_wcslen.LIBCMT ref: 00838D9C
_wcslen.LIBCMT ref: 00838DDC
_wcslen.LIBCMT ref: 00838E6E

Strings

none, xrefs: 00838E65, 00838E6A
stdcall, xrefs: 00838DD6, 00838DDB
winapi, xrefs: 00838D96, 00838D9B
cdecl, xrefs: 00838D48, 00838D4D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3e86d6065a0e9a89aea144e1dd64b6321b5c080b7a0bf494f6e246c3cd337bbe
Instruction ID: 90a78edcf8663f084168a90b63eb67ea37c53a765f1495acc384709c61ec4946
Opcode Fuzzy Hash: 3e86d6065a0e9a89aea144e1dd64b6321b5c080b7a0bf494f6e246c3cd337bbe
Instruction Fuzzy Hash: 5D518031A00616DBCF14DF68C9909BEB7A5FFA4724B214229F526E7284EB35DD44C7D0

Function 0083372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00833774
CoUninitialize.OLE32 ref: 0083377F
CoCreateInstance.OLE32(?,00000000,00000017,0084FB78,?), ref: 008337D9
IIDFromString.OLE32(?,?), ref: 0083384C
VariantInit.OLEAUT32(?), ref: 008338E4
VariantClear.OLEAUT32(?), ref: 00833936

Strings

NULL Pointer assignment, xrefs: 0083381E
Invalid parameter, xrefs: 00833865
Failed to create object, xrefs: 008337E4, 0083389A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6b29be6bb1937d9edfe9d6fd0db38bbc51a82e99456c34b2f48f8574a17e85e7
Instruction ID: 6cddecab79ad8871549343a6c0d4c90db660dbfc4de05ef1879aa6d1fe3bd628
Opcode Fuzzy Hash: 6b29be6bb1937d9edfe9d6fd0db38bbc51a82e99456c34b2f48f8574a17e85e7
Instruction Fuzzy Hash: DD6159B4608301AFD310DF54C889B6ABBE8FF89714F104929F995DB291C774EE48CB92

Function 00823388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008233CF

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008233F0

Strings

Incorrect parameters to object property !, xrefs: 008234AB
Error: , xrefs: 008234D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00823504
"%s" (%d) : ==> %s:, xrefs: 00823522
^ ERROR , xrefs: 0082349E
Line %d (File "%s"):, xrefs: 00823443, 0082345C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7142b1ed3cb79f5af9ccfd49f4bf376ca0e2db01c250d55f187c9cc3b900ca74
Instruction ID: 4306ef850d39e4e6f7aad73a72c4e0ff3be64cf4962e258a73550ceb2f8df60b
Opcode Fuzzy Hash: 7142b1ed3cb79f5af9ccfd49f4bf376ca0e2db01c250d55f187c9cc3b900ca74
Instruction Fuzzy Hash: FA51A371800219EADF14EBA0DD5AEEEB7B8FF14340F204065F119B2151EB396F98DB61

Function 0081B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0081B5FC
_wcslen.LIBCMT ref: 0081B608
_wcslen.LIBCMT ref: 0081B64D
_wcslen.LIBCMT ref: 0081B68C
_wcslen.LIBCMT ref: 0081B6C7

Strings

EXISTS, xrefs: 0081B686, 0081B68B
APPEND, xrefs: 0081B6C1, 0081B6C6
REMOVE, xrefs: 0081B602, 0081B607
KEYS, xrefs: 0081B647, 0081B64C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 61c0155671e3f2669a1662d988e1b2342c69914ace5b6fea8ffac2fa343b47da
Instruction ID: cb380ac7da1442273fc2c591bf2d50ce2b3ccfaaaa10d0ee1fe13686e9b32751
Opcode Fuzzy Hash: 61c0155671e3f2669a1662d988e1b2342c69914ace5b6fea8ffac2fa343b47da
Instruction Fuzzy Hash: 4D41A032A001269BCB206F7988A05FEB7A9FFB17A4F244229E525D7284F735CDC1C690

Function 00825393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00825416
GetLastError.KERNEL32 ref: 00825420
SetErrorMode.KERNEL32(00000000,READY), ref: 008254A7

Strings

READY, xrefs: 00825460, 00825468
INVALID, xrefs: 00825459
UNKNOWN, xrefs: 00825444
READONLY, xrefs: 00825452
NOTREADY, xrefs: 0082544B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c3472e5c528a082446a2894f8633d010d2591f534d079579d86b0b40f5de2b2b
Instruction ID: 50c0c3b545787483bf7cbd5eab23f08f67032dfe1d1d9d40023dd666d82a3c06
Opcode Fuzzy Hash: c3472e5c528a082446a2894f8633d010d2591f534d079579d86b0b40f5de2b2b
Instruction Fuzzy Hash: 6D31D2B5A40614DFD710EF68D488BAABBB4FF05305F148066E505CB292E771DDC6CBA0

Function 00843C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00843C79
SetMenu.USER32(?,00000000), ref: 00843C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00843D10
IsMenu.USER32(?), ref: 00843D24
CreatePopupMenu.USER32 ref: 00843D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00843D5B
DrawMenuBar.USER32 ref: 00843D63

Strings

0, xrefs: 00843C54
F, xrefs: 00843D4E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 71c8fd9c983dba33de3926d474a02cbfeb2434a30892d7ed57d4c19cce65d648
Instruction ID: fd888473996f90fdc6f8c2a8df4fb9a123c2a2671e5dc7477db360518a91c825
Opcode Fuzzy Hash: 71c8fd9c983dba33de3926d474a02cbfeb2434a30892d7ed57d4c19cce65d648
Instruction Fuzzy Hash: BA412779A02209EFDB14DF64D884BAEBBB9FF49350F140029E956A7360D770AA11CB94

Function 00811EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00811F64
GetDlgCtrlID.USER32 ref: 00811F6F
GetParent.USER32 ref: 00811F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00811F8E
GetDlgCtrlID.USER32(?), ref: 00811F97
GetParent.USER32(?), ref: 00811FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00811FAE

Strings

ComboBox, xrefs: 00811EEC
ListBox, xrefs: 00811F21

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: baf27075a124c8aeae314851a3b7f90137e49caa0000450ad59482434fb60a6d
Instruction ID: 4d3bc2548a1a7201342eff14d7863019603d101ce725feafc6decb823a6afb35
Opcode Fuzzy Hash: baf27075a124c8aeae314851a3b7f90137e49caa0000450ad59482434fb60a6d
Instruction Fuzzy Hash: F321B374A00118BBCF44AFA0CC89AEEBBB8FF16314F104119BA65A7291DB785949DB60

Function 00811FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00812043
GetDlgCtrlID.USER32 ref: 0081204E
GetParent.USER32 ref: 0081206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0081206D
GetDlgCtrlID.USER32(?), ref: 00812076
GetParent.USER32(?), ref: 0081208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0081208D

Strings

ComboBox, xrefs: 00811FCD
ListBox, xrefs: 00812002

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f1fd6916b25bbd3dfc6e1c15c44d4a978097a7e7ba87c753da7ef50d33173ae3
Instruction ID: 5d8af3269f41b278c269c2139d875599891a2ce7111731a0f9cbd4470951da0b
Opcode Fuzzy Hash: f1fd6916b25bbd3dfc6e1c15c44d4a978097a7e7ba87c753da7ef50d33173ae3
Instruction Fuzzy Hash: 9121D7B5900218BBCF14AFA0CC89EFEBBBCFF19344F104005BA65A7191D7794554DB60

Function 00843A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00843A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00843AA0
GetWindowLongW.USER32(?,000000F0), ref: 00843AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00843AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00843B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00843BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00843BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00843BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00843BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00843C13

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b36c6fa13d8c906a34c9adcb2f31529d9fdf4a57c04368defd06e6e247e5a32e
Instruction ID: 06b1834d92bbfcd46ba937aa7ff566edff02a09fb7628493f902ccb89660bb0e
Opcode Fuzzy Hash: b36c6fa13d8c906a34c9adcb2f31529d9fdf4a57c04368defd06e6e247e5a32e
Instruction Fuzzy Hash: FB617775A00208AFDB11DFA8CC85EEEB7B8FB09714F104199FA15E72A1C774AA46DF50

Function 0081B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0081B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B165
GetWindowThreadProcessId.USER32(00000000), ref: 0081B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0081B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0081A1E1,?,00000001), ref: 0081B21D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ce2ec533c8e28eec879781e5703d6e6d5a3ea3c9dbf2e818ce61bdc61ed408b
Instruction ID: d7dfd91ac48a9c2f86063d4c9b0975a32e418046316e917454caa7fa5a5ea460
Opcode Fuzzy Hash: 2ce2ec533c8e28eec879781e5703d6e6d5a3ea3c9dbf2e818ce61bdc61ed408b
Instruction Fuzzy Hash: 3D31A9B5601604BFDB10AF68DC58FAD7BADFF62711F218009FA01DA190D7B49A84CF64

Function 007E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007E2C94

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007E2CA0
_free.LIBCMT ref: 007E2CAB
_free.LIBCMT ref: 007E2CB6
_free.LIBCMT ref: 007E2CC1
_free.LIBCMT ref: 007E2CCC
_free.LIBCMT ref: 007E2CD7
_free.LIBCMT ref: 007E2CE2
_free.LIBCMT ref: 007E2CED
_free.LIBCMT ref: 007E2CFB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a5642ee0f4265d412e1b5124f56cbb85029b90440b2839ac6e66c2600181a35
Instruction ID: 652d438804ef9c724adc7d609681b5c562699d3d061682c5deed2efa36a3ee23
Opcode Fuzzy Hash: 6a5642ee0f4265d412e1b5124f56cbb85029b90440b2839ac6e66c2600181a35
Instruction Fuzzy Hash: 9D11B376101148EFCB02EF56D846C9D3BA9BF09350F5254A0FA48AB233D639EA519F90

Function 00827DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00827FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00827FC1
GetFileAttributesW.KERNEL32(?), ref: 00827FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00828005
SetCurrentDirectoryW.KERNEL32(?), ref: 00828017
SetCurrentDirectoryW.KERNEL32(?), ref: 00828060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008280B0

Strings

*.*, xrefs: 00828066

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 15159bcc5d01456358efb080b8c0ba9bf1e9d4648a77b2db2fdfa16cbe39be94
Instruction ID: 04672a6c4cc442ebd48c1820beb9078b5bb82227de0c67f45853a57616257c1e
Opcode Fuzzy Hash: 15159bcc5d01456358efb080b8c0ba9bf1e9d4648a77b2db2fdfa16cbe39be94
Instruction Fuzzy Hash: 0281C076508255DBCB20EF15D844AAAB3E8FF88714F55486EF885C7250EB34ED84CBA2

Function 007B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007B5C7A

Part of subcall function 007B5D0A: GetClientRect.USER32(?,?), ref: 007B5D30
Part of subcall function 007B5D0A: GetWindowRect.USER32(?,?), ref: 007B5D71
Part of subcall function 007B5D0A: ScreenToClient.USER32(?,?), ref: 007B5D99

GetDC.USER32 ref: 007F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007F4708
SelectObject.GDI32(00000000,00000000), ref: 007F4716
SelectObject.GDI32(00000000,00000000), ref: 007F472B
ReleaseDC.USER32(?,00000000), ref: 007F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007F47C4

Strings

U, xrefs: 007F4693

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 51bfc8d57aa8a0e34585e1a044a973e03e8b4678cecb6ab39cbe38197646279b
Instruction ID: 02f2abdcbaf424dbf86495f22651afc7e668d08a574b6fb4baaeab3f8151260d
Opcode Fuzzy Hash: 51bfc8d57aa8a0e34585e1a044a973e03e8b4678cecb6ab39cbe38197646279b
Instruction Fuzzy Hash: CF71E135500209DFCF219F68C984BFB7BB6FF4A360F144269EE559A266C7398841DF60

Function 0082359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008235E4

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

LoadStringW.USER32(00882390,?,00000FFF,?), ref: 0082360A

Strings

^ ERROR, xrefs: 008236C9
Error: , xrefs: 008236EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00823724
"%s" (%d) : ==> %s:, xrefs: 00823742
Line %d (File "%s"):, xrefs: 0082366B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 77649d3f5a9ae6c421c0708659f2871c0036acc6fc8808a0481f2c536b6c3605
Instruction ID: a48a8a34419c28ff3563222028f5279c371d02c04acc1052cbd9fadf4c8e0768
Opcode Fuzzy Hash: 77649d3f5a9ae6c421c0708659f2871c0036acc6fc8808a0481f2c536b6c3605
Instruction Fuzzy Hash: FE513B71800219FACF14EBA4DC9AEEEBB78FF14300F144125F215A21A1EB395AD9DF61

Function 00848B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

Part of subcall function 007C912D: GetCursorPos.USER32(?), ref: 007C9141
Part of subcall function 007C912D: ScreenToClient.USER32(00000000,?), ref: 007C915E
Part of subcall function 007C912D: GetAsyncKeyState.USER32(00000001), ref: 007C9183
Part of subcall function 007C912D: GetAsyncKeyState.USER32(00000002), ref: 007C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00848B6B
ImageList_EndDrag.COMCTL32 ref: 00848B71
ReleaseCapture.USER32 ref: 00848B77
SetWindowTextW.USER32(?,00000000), ref: 00848C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00848C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00848CFF

Strings

@GUI_DRAGFILE, xrefs: 00848C9A
@GUI_DROPID, xrefs: 00848C51

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b9d2b486549bb48f83f7eb5fd392749fffde70dc5b9d8c78a1cd3a6db1121a50
Instruction ID: cd7ee7684c5200a518a8d975bad4f5a53b9271fedbb12ef62b5b572548c68286
Opcode Fuzzy Hash: b9d2b486549bb48f83f7eb5fd392749fffde70dc5b9d8c78a1cd3a6db1121a50
Instruction Fuzzy Hash: BB516C71105304AFD740EF24DC9AFAE7BE8FB88714F40062DFA56972A1DB74A904CB62

Function 0082C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0082C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0082C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0082C2CA
GetLastError.KERNEL32 ref: 0082C322
SetEvent.KERNEL32(?), ref: 0082C336
InternetCloseHandle.WININET(00000000), ref: 0082C341

Strings

, xrefs: 0082C2BB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8034bf4c8262d34c9def46e377874ab1b2221defc5f4d5c38e9963dbdc3cabf2
Instruction ID: 3a89b5d80945110745e383bff48d8acbcafa968d149f7bdf3c7c825cde2d7352
Opcode Fuzzy Hash: 8034bf4c8262d34c9def46e377874ab1b2221defc5f4d5c38e9963dbdc3cabf2
Instruction Fuzzy Hash: 8F317CB5500618AFD721DFA8A888ABF7AFCFB49744B10891EA446D2200DB74DD848B61

Function 0081989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007F3AAF,?,?,Bad directive syntax error,0084CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008198BC
LoadStringW.USER32(00000000,?,007F3AAF,?), ref: 008198C3

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00819987

Strings

Error: , xrefs: 00819955
%s (%d) : ==> %s.: %s %s, xrefs: 008198F1
Line %d:, xrefs: 00819912
., xrefs: 0081996D
Line %d (File "%s"):, xrefs: 0081992D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fd1863f1c27539792cbbf70b8af028657b1bb30e9cc320a01425770b1479bf00
Instruction ID: e1bbf06c5e3e51803466a8de2ed01a127228210785854a541e8f189fb746ae31
Opcode Fuzzy Hash: fd1863f1c27539792cbbf70b8af028657b1bb30e9cc320a01425770b1479bf00
Instruction Fuzzy Hash: 8B21713180021DFBCF15AF90CC1AEEE7B79FF14304F044459F629A61A2EB3996A8CB10

Function 0081209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0081214D

Strings

list, xrefs: 0081212F
details, xrefs: 008120FB
largeicons, xrefs: 008120E1
smallicons, xrefs: 00812115
SHELLDLL_DefView, xrefs: 008120CC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6892a3a97441899cfb81af8dcdf1fe6a99f3574a5f61602b55ff6310859656e3
Instruction ID: cab16a55a736dad167132639c66e664090987a771a4beaa6e93f9de000dcc777
Opcode Fuzzy Hash: 6892a3a97441899cfb81af8dcdf1fe6a99f3574a5f61602b55ff6310859656e3
Instruction Fuzzy Hash: A7113A7A684706FAF705A220DC0ACFA33ACFF15324B20801AFB08F41D1FBA9B8915614

Function 007ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 007ECEB7
_free.LIBCMT ref: 007ECF22
_free.LIBCMT ref: 007ECF48
_free.LIBCMT ref: 007ECF71
_free.LIBCMT ref: 007ECFA9
_free.LIBCMT ref: 007ECFDA
_free.LIBCMT ref: 007ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 007ED09C
_free.LIBCMT ref: 007ED0B5

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8321e2c0fa5952564485060166c2f5765e33a2a55eacae668c18c89f0fd95f37
Instruction ID: fe8dd19ac04ea27b3e7256d47128b552c4b5116a2b9408b64761d3a90be52154
Opcode Fuzzy Hash: 8321e2c0fa5952564485060166c2f5765e33a2a55eacae668c18c89f0fd95f37
Instruction Fuzzy Hash: A4614C77906384EFDB32AFBA984966D7BA9AF0D310F04456DF940A7243D63D9D028B50

Function 008450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00845186
ShowWindow.USER32(?,00000000), ref: 008451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008451D1

Part of subcall function 00846FBA: DeleteObject.GDI32(00000000), ref: 00846FE6

GetWindowLongW.USER32(?,000000F0), ref: 0084520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0084521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0084524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00845287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00845296

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8f0a84837acae2106faca4cfe8207961aef71eed7c610e1a167031ebecd97dc6
Instruction ID: 75e6c107adff9cb8b1013354cbe0fab6900dfba01e3ccc17adeb4e9faf1527d8
Opcode Fuzzy Hash: 8f0a84837acae2106faca4cfe8207961aef71eed7c610e1a167031ebecd97dc6
Instruction Fuzzy Hash: 6A519C30A41A1CFFEF609F28CC4AB9D7B65FB05325F148016FA25D62E2C7B5A980DB41

Function 007C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00806890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00806901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0080691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0080692D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 711e42a9a0a428c5c1f22cd27fe0e912172af0326fa9979c58ea1f0744ffc6d0
Instruction ID: 5e0b3aa9ee89f5fef339af56f5f62f411b8c91e415d8fa41549e1ec92fd17814
Opcode Fuzzy Hash: 711e42a9a0a428c5c1f22cd27fe0e912172af0326fa9979c58ea1f0744ffc6d0
Instruction Fuzzy Hash: DC5169B0600209EFDB608F28CC55FAA7BB9FB54750F10452CF906D62A0EB74ADA0DB50

Function 0082C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0082C182
GetLastError.KERNEL32 ref: 0082C195
SetEvent.KERNEL32(?), ref: 0082C1A9

Part of subcall function 0082C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0082C272
Part of subcall function 0082C253: GetLastError.KERNEL32 ref: 0082C322
Part of subcall function 0082C253: SetEvent.KERNEL32(?), ref: 0082C336
Part of subcall function 0082C253: InternetCloseHandle.WININET(00000000), ref: 0082C341

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1392931aa63f858ddfd21a0f10396e5e67c51c1ebaafeffc0c2336b9c4281c31
Instruction ID: 1fad6b94899d83c3edd4abb21bee5866492c9e844697abbb36857ef45cc2a9d1
Opcode Fuzzy Hash: 1392931aa63f858ddfd21a0f10396e5e67c51c1ebaafeffc0c2336b9c4281c31
Instruction Fuzzy Hash: 1E317A75201A15EFDB219FA9ED44A7ABBECFF19300B00441EF956C3610DB71E894DBA0

Function 008125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00813A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00813A57
Part of subcall function 00813A3D: GetCurrentThreadId.KERNEL32 ref: 00813A5E
Part of subcall function 00813A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008125B3), ref: 00813A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00812601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00812605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0081260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00812623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00812627

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7b0984cd7907b28f8c79523810c55c46ad1e50261fb4f8d92e5bf4eee38d5269
Instruction ID: 493717cd3c3f6c731c72a4779ce87681a4376879d2b4514bf4dd99fd7cefdc96
Opcode Fuzzy Hash: 7b0984cd7907b28f8c79523810c55c46ad1e50261fb4f8d92e5bf4eee38d5269
Instruction Fuzzy Hash: F001D430391624BBFB5067689C8AF993F5DFF5EB12F100005F318EE0D1C9E22484CAAA

Function 00811803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00811449,?,?,00000000), ref: 0081180C
HeapAlloc.KERNEL32(00000000,?,00811449,?,?,00000000), ref: 00811813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00811449,?,?,00000000), ref: 00811828
GetCurrentProcess.KERNEL32(?,00000000,?,00811449,?,?,00000000), ref: 00811830
DuplicateHandle.KERNEL32(00000000,?,00811449,?,?,00000000), ref: 00811833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00811449,?,?,00000000), ref: 00811843
GetCurrentProcess.KERNEL32(00811449,00000000,?,00811449,?,?,00000000), ref: 0081184B
DuplicateHandle.KERNEL32(00000000,?,00811449,?,?,00000000), ref: 0081184E
CreateThread.KERNEL32(00000000,00000000,00811874,00000000,00000000,00000000), ref: 00811868

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: fbffd52bbafdab8eaa33673d74369d63bcf9bc1551bdd7e9b8d689e1d5a860b4
Instruction ID: e1545f617d9ed093512c0ae81740e26d641096b2133053a529326da6fffc7ba4
Opcode Fuzzy Hash: fbffd52bbafdab8eaa33673d74369d63bcf9bc1551bdd7e9b8d689e1d5a860b4
Instruction Fuzzy Hash: 9C01BF75241304BFE750AFA5DC4DF577B6CFB8AB11F004411FA05DB291C6749800CB20

Function 007E3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007E3F0B
__alldvrm.LIBCMT ref: 007E410C
__alldvrm.LIBCMT ref: 007E412E

Strings

}}}, xrefs: 007E40CD
}}}, xrefs: 007E3E96, 007E3EF1, 007E3F0A, 007E4090
}}}, xrefs: 007E3E8A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}}$}}}$}}}
API String ID: 1036877536-3712723652
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2ef9044cc96cb930592fc49d528f646039efd0b3cf06b1c9450ee25cef0daeb1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 54A13672E023CA9FDB25CE1AC8957AEBBF4EF69350F1441ADE5859B282C23C9941C750

Function 0083A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0081D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0081D501
Part of subcall function 0081D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0081D50F
Part of subcall function 0081D4DC: CloseHandle.KERNELBASE(00000000), ref: 0081D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0083A16D
GetLastError.KERNEL32 ref: 0083A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0083A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0083A268
GetLastError.KERNEL32(00000000), ref: 0083A273
CloseHandle.KERNEL32(00000000), ref: 0083A2C4

Strings

SeDebugPrivilege, xrefs: 0083A18F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a88f93238cd0c984cff6eeb4d7c2add1d401e09bab9853f6241ff7b1cc215371
Instruction ID: 4d846aa3c4f8722dd4e7e7ae55cdf7a52d50d44e2fa4fc403450ff3e8d7537ae
Opcode Fuzzy Hash: a88f93238cd0c984cff6eeb4d7c2add1d401e09bab9853f6241ff7b1cc215371
Instruction Fuzzy Hash: CA617C352042419FD724DF18C498F6ABBE5FF94318F18848CE4A68B7A2C776EC45CB92

Function 00843886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00843925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0084393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00843954
_wcslen.LIBCMT ref: 00843999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008439F4

Strings

SysListView32, xrefs: 008438F7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 516584b5e9d54be3f3f86b86adc7f4aa4f35022470e1b525bffc4f1d72398f33
Instruction ID: c4156df9ba1ecace648a7964666f7849b244d3472a945f105902a763cd32c8c1
Opcode Fuzzy Hash: 516584b5e9d54be3f3f86b86adc7f4aa4f35022470e1b525bffc4f1d72398f33
Instruction Fuzzy Hash: AB419071A0021DABEF219F64CC49FEA7BA9FF18354F10052AF958E7281D7759A84CB90

Function 0081BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0081BCFD
IsMenu.USER32(00000000), ref: 0081BD1D
CreatePopupMenu.USER32 ref: 0081BD53
GetMenuItemCount.USER32(01475418), ref: 0081BDA4
InsertMenuItemW.USER32(01475418,?,00000001,00000030), ref: 0081BDCC

Strings

2, xrefs: 0081BD37
0, xrefs: 0081BCA8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d40a031f9b1c6e555172a7e0ff5f2f74f58140553fb3cbf8237a4a43a56fee47
Instruction ID: 8c04d156cbcd072e3a0200ddd7f069fc3ae875498a4e437ceabaad1bdcd5e795
Opcode Fuzzy Hash: d40a031f9b1c6e555172a7e0ff5f2f74f58140553fb3cbf8237a4a43a56fee47
Instruction Fuzzy Hash: 6B519D70A002099BDB18CFA8E884BEEBBFCFF59354F144159E411D7291D7709981CB62

Function 007D2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 007D2D53
_ValidateLocalCookies.LIBCMT ref: 007D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 007D2E0C
_ValidateLocalCookies.LIBCMT ref: 007D2E61

Strings

csm, xrefs: 007D2DF6
&H}, xrefs: 007D2DFE, 007D2E07, 007D2E18

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H}$csm
API String ID: 1170836740-1162412510
Opcode ID: 8608dd33a8c4024f99c47c004bc79eaaa6db64ddcb8d5e521ab2ea8eeb40b62f
Instruction ID: 118d084391ac4172cf6fee337a7ac770208e97e22df8aaa1233abafc2b610a67
Opcode Fuzzy Hash: 8608dd33a8c4024f99c47c004bc79eaaa6db64ddcb8d5e521ab2ea8eeb40b62f
Instruction Fuzzy Hash: 73418334A00209EBCF10DF68C849A9EBBB5BF55325F148156E814AB393D739EA07CBD1

Function 0081C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0081C913

Strings

blank, xrefs: 0081C895
info, xrefs: 0081C8B4
warning, xrefs: 0081C8FC
question, xrefs: 0081C8CC
stop, xrefs: 0081C8E4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2ae56a1f4dc3212ac7c34fc668664f4e552b34b3bb489755a5fd78101758795b
Instruction ID: 9807f232328a5f0a175306db4e8cf3e36ccffc431eef0a70c28afb61f8944fc9
Opcode Fuzzy Hash: 2ae56a1f4dc3212ac7c34fc668664f4e552b34b3bb489755a5fd78101758795b
Instruction Fuzzy Hash: 3F11EB316C970ABBE7055B64DCC3DEE6BACFF153A8B10402BF504EA382E7749D805268

Function 0081DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0081DE42
gethostname.WSOCK32(?,00000100), ref: 0081DE5C
gethostbyname.WSOCK32(?), ref: 0081DE69
inet_ntoa.WSOCK32(?), ref: 0081DEAB
_strcat.LIBCMT ref: 0081DEB9
WSACleanup.WSOCK32 ref: 0081DEDE

Strings

0.0.0.0, xrefs: 0081DE87

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7341adfd98c4d3630dbc102563198110d322635cdaf5a0440e88c24756da5cb8
Instruction ID: ff9669d03a003c2c052ca9fd71111b7b7fce2ec781579f1f722ec9a6799b6424
Opcode Fuzzy Hash: 7341adfd98c4d3630dbc102563198110d322635cdaf5a0440e88c24756da5cb8
Instruction Fuzzy Hash: 82110671904208ABCB20AB74DC4AFEE77BCFF11712F00016AF445EA191EF789AC1CA60

Function 00849F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

GetSystemMetrics.USER32(0000000F), ref: 00849FC7
GetSystemMetrics.USER32(0000000F), ref: 00849FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0084A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0084A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0084A263
ShowWindow.USER32(00000003,00000000), ref: 0084A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0084A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0084A2CA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: cfa2600791feda47e4410ac7a1c10ca1013f761378e6637d5e52cee1dbe0d7db
Instruction ID: 16be15c9631476998185123445340289ee5e948179f8a3665175c0a5948b9631
Opcode Fuzzy Hash: cfa2600791feda47e4410ac7a1c10ca1013f761378e6637d5e52cee1dbe0d7db
Instruction Fuzzy Hash: BEB1A831640229EFDF18CF68C9857AA7BB2FF48701F088169EC49DF295DB71AA40DB51

Function 0081ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0081ED2A
_wcslen.LIBCMT ref: 0081ED3B
_wcslen.LIBCMT ref: 0081ED79
_wcslen.LIBCMT ref: 0081EDAF
_wcslen.LIBCMT ref: 0081EDDF
_wcslen.LIBCMT ref: 0081EDEF
_wcslen.LIBCMT ref: 0081EE2B
_wcslen.LIBCMT ref: 0081EE5A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 04c5372de8eb1873e21e32fb3d03d5a2fb39121935eb3c7a8b5c5d4eb1ae946c
Instruction ID: 389caaa2f7e6486d3cd412b7bc9ee63a3f130b795d9126dbcf6affb63562bb78
Opcode Fuzzy Hash: 04c5372de8eb1873e21e32fb3d03d5a2fb39121935eb3c7a8b5c5d4eb1ae946c
Instruction Fuzzy Hash: 38413066C10118B6CB11ABA4CC8A9CFB7BCBF45710F508567E914E3221EB38F655C7A5

Function 007CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0080682C,00000004,00000000,00000000), ref: 007CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0080682C,00000004,00000000,00000000), ref: 0080F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0080682C,00000004,00000000,00000000), ref: 0080F454

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: dcc60f7b1e1924092b7bd7857935c668a3cbd63d90f476103a4c1dca10821bc4
Instruction ID: a6453ec4c8fbcb9c122900d419848f6c3bd1d1ff11f5d25f6df2d3bbed559c43
Opcode Fuzzy Hash: dcc60f7b1e1924092b7bd7857935c668a3cbd63d90f476103a4c1dca10821bc4
Instruction Fuzzy Hash: 5D410B31604640BECFB99B2D8C88F6A7B97BB57314F15843DE547D6AA1C639B880CB11

Function 00842D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00842D1B
GetDC.USER32(00000000), ref: 00842D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00842D2E
ReleaseDC.USER32(00000000,00000000), ref: 00842D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00842D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00842D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00845A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00842DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00842DE1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2a8bf2ac24aa6f3025763c7968ff8f80a9c87bca0a46c706d2a769a39dc1b95d
Instruction ID: 8d1d835def44a4b617544cbfb1d019268fe8f89c87f6e9589d48514b21c2f79b
Opcode Fuzzy Hash: 2a8bf2ac24aa6f3025763c7968ff8f80a9c87bca0a46c706d2a769a39dc1b95d
Instruction Fuzzy Hash: C5318B76202618BBEB618F548C8AFEB3BADFB1A715F044055FE08DA291C6759C40CBA0

Function 00815622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00815637
_memcmp.LIBVCRUNTIME ref: 00815659
_memcmp.LIBVCRUNTIME ref: 00815671
_memcmp.LIBVCRUNTIME ref: 00815684
_memcmp.LIBVCRUNTIME ref: 0081569E
_memcmp.LIBVCRUNTIME ref: 008156B1
_memcmp.LIBVCRUNTIME ref: 008156C9
_memcmp.LIBVCRUNTIME ref: 008156E4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9b1c59b45cdc702fe540f14d4b847d40414fb1de738304dc1a0ade642da27afd
Instruction ID: 9933a1819148baa94e5a3b837b3675173f2c4f3209ea0b72ae873b3b79142542
Opcode Fuzzy Hash: 9b1c59b45cdc702fe540f14d4b847d40414fb1de738304dc1a0ade642da27afd
Instruction Fuzzy Hash: 0F21A461640A1DFBD21456219E82FFA336CFFB1398F840025FE05DA782F768ED5085E5

Function 00834FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0083502E, 00835383
Not an Object type, xrefs: 00835007

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: da6cc382f42540bc0aafdb1968fd08e0b0682d8ec6718eb771f79730019e961a
Instruction ID: d87ce0b7debc63f3d11874e6f96025d6e8097110919a3ee400aabcfa78b44c87
Opcode Fuzzy Hash: da6cc382f42540bc0aafdb1968fd08e0b0682d8ec6718eb771f79730019e961a
Instruction Fuzzy Hash: 4DD1B171A0060A9FDF14CFA8C891BAEB7B5FF88344F148469E915EB281E771DD45CB90

Function 007F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007F17FB,?,007F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007F16FB

Part of subcall function 007E3820: RtlAllocateHeap.NTDLL(00000000,?,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6,?,007B1129), ref: 007E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007F1777
__freea.LIBCMT ref: 007F17A2
__freea.LIBCMT ref: 007F17AE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 13f48d208eae259ae6b90c8f67263c1a8beb31bb93aa49b45ec4708bf5d1ee54
Instruction ID: f960eb553dcd8e8399dd4a0c7bd2b636a07a0008b8c6d75e4a4fc859b04bd888
Opcode Fuzzy Hash: 13f48d208eae259ae6b90c8f67263c1a8beb31bb93aa49b45ec4708bf5d1ee54
Instruction Fuzzy Hash: 3B91D272E0020EDADB209E75C885AFE7BB5AF49310F980659EA05E7341DB3DCC40CBA0

Function 00834523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00834648
VariantInit.OLEAUT32(?), ref: 00834749
VariantClear.OLEAUT32(?), ref: 00834753
VariantClear.OLEAUT32(?), ref: 008347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0083472C
Null Object assignment in FOR..IN loop, xrefs: 008345D8, 00834706, 008347BE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0a4dfeae11af0bc01e7e5733605be44dd13b2f6b04627bc95ea70524440fedb0
Instruction ID: b69d16cf29bdf4d5597274a6f0b3bd00897730b82014934abe181b4b8a4ff24a
Opcode Fuzzy Hash: 0a4dfeae11af0bc01e7e5733605be44dd13b2f6b04627bc95ea70524440fedb0
Instruction Fuzzy Hash: 4C918071A00219ABDF20CFA4C849FAEBBB8FF86714F108559F515EB281D770A945CFA0

Function 00821187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0082125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00821284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0082135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00821430

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6baedcfb2dcb52a449c19a6e8ea6c4920b25094feb3bda93baa6ec8c69242a24
Instruction ID: 69118c65de981e0fd4ed82761f028aa11aeaf672254865f0d3299f610373332c
Opcode Fuzzy Hash: 6baedcfb2dcb52a449c19a6e8ea6c4920b25094feb3bda93baa6ec8c69242a24
Instruction Fuzzy Hash: F391F875A00229DFDF10DF98E888BBEB7B6FF55314F204029E540E7291D778A981CB95

Function 007C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d1438ddd6a0d4058aef5065cda5dac30633742fd29149990b6214ed33295c35e
Instruction ID: c39692197ff473fc4b91154692a539489bfa86297fe9fe4bd10bf905995b3f3f
Opcode Fuzzy Hash: d1438ddd6a0d4058aef5065cda5dac30633742fd29149990b6214ed33295c35e
Instruction Fuzzy Hash: 90912871D00219EFCB54CFA9CC88AEEBBB8FF49320F148459E515B7291D778AA51CB60

Function 00833947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0083396B
CharUpperBuffW.USER32(?,?), ref: 00833A7A
_wcslen.LIBCMT ref: 00833A8A
VariantClear.OLEAUT32(?), ref: 00833C1F

Part of subcall function 00820CDF: VariantInit.OLEAUT32(00000000), ref: 00820D1F
Part of subcall function 00820CDF: VariantCopy.OLEAUT32(?,?), ref: 00820D28
Part of subcall function 00820CDF: VariantClear.OLEAUT32(?), ref: 00820D34

Strings

Incorrect Parameter format, xrefs: 008339A6, 00833BA1
AUTOIT.ERROR, xrefs: 00833A80, 00833A85

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 6938be363450651657b940a4b5642adce8350f9ab51e42f3ba9d27e062ce3d29
Instruction ID: 6daf9bec3c81aaeed986939b92f2ebdfce75beaf5306c47a06590a572782942d
Opcode Fuzzy Hash: 6938be363450651657b940a4b5642adce8350f9ab51e42f3ba9d27e062ce3d29
Instruction Fuzzy Hash: B19122746083059FC704EF28C48596ABBE4FF89314F14882DF89ADB351DB35EA45CB92

Function 00834BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0081000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?,?,0081035E), ref: 0081002B
Part of subcall function 0081000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?), ref: 00810046
Part of subcall function 0081000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?), ref: 00810054
Part of subcall function 0081000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?), ref: 00810064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00834C51
_wcslen.LIBCMT ref: 00834D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00834DCF
CoTaskMemFree.OLE32(?), ref: 00834DDA

Strings

NULL Pointer assignment, xrefs: 00834E23, 00834E52

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8197c466b9303bf2e389d5a8b1627b59e7f71fae024a986f9e8e7a4a52c2cac5
Instruction ID: ea7331fc2bc5830537dbbc4625f427f2d856cb5394e85750d15b112607c18346
Opcode Fuzzy Hash: 8197c466b9303bf2e389d5a8b1627b59e7f71fae024a986f9e8e7a4a52c2cac5
Instruction Fuzzy Hash: B4910271D0021DEBDF10DFA4C895AEEB7B8FF48314F10816AE915A7251EB34AA45CFA0

Function 008420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00842183
GetMenuItemCount.USER32(00000000), ref: 008421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008421DD
_wcslen.LIBCMT ref: 00842213
GetMenuItemID.USER32(?,?), ref: 0084224D
GetSubMenu.USER32(?,?), ref: 0084225B

Part of subcall function 00813A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00813A57
Part of subcall function 00813A3D: GetCurrentThreadId.KERNEL32 ref: 00813A5E
Part of subcall function 00813A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008125B3), ref: 00813A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008422E3

Part of subcall function 0081E97B: Sleep.KERNEL32 ref: 0081E9F3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2f8970c3377c7e3364db6bbf65c8a0b69c7ca95d1eb0a68eb99278ddab57098f
Instruction ID: e6cda4d440ac6c76116605662989f93abe92810b6398822c8ff8b9d760ee3586
Opcode Fuzzy Hash: 2f8970c3377c7e3364db6bbf65c8a0b69c7ca95d1eb0a68eb99278ddab57098f
Instruction Fuzzy Hash: 1B718D35A04219EFCB10EF68C885AAEB7B5FF88314F548499F816EB341DB74A941CB90

Function 00847E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014755F8), ref: 00847F37
IsWindowEnabled.USER32(014755F8), ref: 00847F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0084801E
SendMessageW.USER32(014755F8,000000B0,?,?), ref: 00848051
IsDlgButtonChecked.USER32(?,?), ref: 00848089
GetWindowLongW.USER32(014755F8,000000EC), ref: 008480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008480C3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 315589bd96fecb5f8b0bed77a461c0223da951321f09e8f23d330467babf746d
Instruction ID: 36cca413520b2b0f99ddd7e6c35bfe123b34de5d60a9fdc0c7cbeda76e369020
Opcode Fuzzy Hash: 315589bd96fecb5f8b0bed77a461c0223da951321f09e8f23d330467babf746d
Instruction Fuzzy Hash: 65717B34609648EFEF219F64CC84FAABBB9FF1A300F14445AE955D7261CB31AC49DB20

Function 0081AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0081AEF9
GetKeyboardState.USER32(?), ref: 0081AF0E
SetKeyboardState.USER32(?), ref: 0081AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0081AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0081AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0081AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0081B020

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7c2ff83f1b8bb5f65496e3c68cdd68329b750ec523ddf89554eb63cc92962717
Instruction ID: daaef3bf9fbe884a05e94011962fe118d78b88c63b485cab95f6d9b616464a8f
Opcode Fuzzy Hash: 7c2ff83f1b8bb5f65496e3c68cdd68329b750ec523ddf89554eb63cc92962717
Instruction Fuzzy Hash: 0951D3A06056D53DFB364234C845BFA7EADBF06304F088489F1D9D54C2D798A8C9D761

Function 0081ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0081AD19
GetKeyboardState.USER32(?), ref: 0081AD2E
SetKeyboardState.USER32(?), ref: 0081AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0081ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0081ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0081AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0081AE38

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 66876ec56975f88d7a196934986750a947e2f527e023f05b9cf515eba92e285a
Instruction ID: 64e42eea90bc66f171473a7e24b011b4b9dee5810eefa3c1de4163f44fdc658d
Opcode Fuzzy Hash: 66876ec56975f88d7a196934986750a947e2f527e023f05b9cf515eba92e285a
Instruction Fuzzy Hash: 2C51C5A15057D53DFB3A8264CC95BFA7E9CBF46304F088488E1D9C58C2D294ACD8D752

Function 007E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(007F3CD6,?,?,?,?,?,?,?,?,007E5BA3,?,?,007F3CD6,?,?), ref: 007E5470
__fassign.LIBCMT ref: 007E54EB
__fassign.LIBCMT ref: 007E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,007F3CD6,00000005,00000000,00000000), ref: 007E552C
WriteFile.KERNEL32(?,007F3CD6,00000000,007E5BA3,00000000,?,?,?,?,?,?,?,?,?,007E5BA3,?), ref: 007E554B
WriteFile.KERNEL32(?,?,00000001,007E5BA3,00000000,?,?,?,?,?,?,?,?,?,007E5BA3,?), ref: 007E5584

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 68a802c488cecacd979064e183d00ecd0cc90d5eb5bf0403831b2718933f3c8c
Instruction ID: dacc7c6475ec322bf08e78eeec23da1f53e2c8c9574a45080d5e5ac792db6e95
Opcode Fuzzy Hash: 68a802c488cecacd979064e183d00ecd0cc90d5eb5bf0403831b2718933f3c8c
Instruction Fuzzy Hash: DD51F370A016889FDB10CFA9D845AEEBBFAFF0D304F14401AF555E7292E734AA50CB60

Function 008310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0083304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0083307A
Part of subcall function 0083304E: _wcslen.LIBCMT ref: 0083309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00831112
WSAGetLastError.WSOCK32 ref: 00831121
WSAGetLastError.WSOCK32 ref: 008311C9
closesocket.WSOCK32(00000000), ref: 008311F9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: aa80fb04d662afc9f981e1a1107a232f5b826f3ea205324764ac09d89f51b4fd
Instruction ID: 8fc72b3eb03d402af1503b91e775391a531c19a66e874b557d7537fc45723185
Opcode Fuzzy Hash: aa80fb04d662afc9f981e1a1107a232f5b826f3ea205324764ac09d89f51b4fd
Instruction Fuzzy Hash: CF41C035600208AFDB109F18C889BEEBBA9FF85768F148059F915DB291C774AD41CBE1

Function 0081CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0081DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0081CF22,?), ref: 0081DDFD

Part of subcall function 0081DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0081CF22,?), ref: 0081DE16

lstrcmpiW.KERNEL32(?,?), ref: 0081CF45
MoveFileW.KERNEL32(?,?), ref: 0081CF7F
_wcslen.LIBCMT ref: 0081D005
_wcslen.LIBCMT ref: 0081D01B
SHFileOperationW.SHELL32(?), ref: 0081D061

Strings

\*.*, xrefs: 0081CFF3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 02ccf2360dced0eb2229c3ff1ece7d7324274acd33aa8fda42f86dc179f51871
Instruction ID: b6d8cd6df0018168083554ed81900cc52b34d5308be313d6f0a8a5e3fcfb86c9
Opcode Fuzzy Hash: 02ccf2360dced0eb2229c3ff1ece7d7324274acd33aa8fda42f86dc179f51871
Instruction Fuzzy Hash: 55415FB18452199FDF12EFA4D985ADEB7BDFF08380F1000A6E505EB141EE74A689CB50

Function 00842DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00842E1C
GetWindowLongW.USER32(?,000000F0), ref: 00842E4F
GetWindowLongW.USER32(?,000000F0), ref: 00842E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00842EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00842EE0
GetWindowLongW.USER32(?,000000F0), ref: 00842EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00842F0B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 05960b333e27ea0bedafb902aafc1eb931dd9eebbd26dd56047a1d36ada3867f
Instruction ID: db0c86f74fd0b533bcee217cc3ab0a5ff1fa3f74fdfeea95374af0de6c00b9bf
Opcode Fuzzy Hash: 05960b333e27ea0bedafb902aafc1eb931dd9eebbd26dd56047a1d36ada3867f
Instruction Fuzzy Hash: 47311234609248AFEB60CF58DC88F653BE8FB9A714F9501A4F915CB2B2CB71AC41DB01

Function 00817726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00817769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0081778F
SysAllocString.OLEAUT32(00000000), ref: 00817792
SysAllocString.OLEAUT32(?), ref: 008177B0
SysFreeString.OLEAUT32(?), ref: 008177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008177DE
SysAllocString.OLEAUT32(?), ref: 008177EC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bc35cb86fc725625e38f51081ab3baa72aa7ec1a2b3ec120432a7548d96acc49
Instruction ID: c09d96912ef472a9659014b43281c070289188b6ff4d46ee32eca98d83a8cad1
Opcode Fuzzy Hash: bc35cb86fc725625e38f51081ab3baa72aa7ec1a2b3ec120432a7548d96acc49
Instruction Fuzzy Hash: DD219C7A605219AFDB10AFA8CC88DFA73ACFF09364B048429FA15DB191D6749C81C764

Function 008177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00817842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00817868
SysAllocString.OLEAUT32(00000000), ref: 0081786B
SysAllocString.OLEAUT32 ref: 0081788C
SysFreeString.OLEAUT32 ref: 00817895
StringFromGUID2.OLE32(?,?,00000028), ref: 008178AF
SysAllocString.OLEAUT32(?), ref: 008178BD

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 882e7b2b65a268c5209c3315800dece2ce73ae4b4aa70e6f27b9d1975da12d52
Instruction ID: 15a0a2aa352e7835d3628aaa5ccc35edd1ae092a56bd61a10fab9e2e7b81d063
Opcode Fuzzy Hash: 882e7b2b65a268c5209c3315800dece2ce73ae4b4aa70e6f27b9d1975da12d52
Instruction Fuzzy Hash: F0213E75609208AF9B10AFA8DC88DEA77BCFF097607108139F915CB2A1D674DC81CB78

Function 008204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0082052E

Strings

nul, xrefs: 00820567

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4eadd0d0f406ed8b37d85d1a844c9417d68d7bf44d1dd90423ea920de8a05be2
Instruction ID: 8f387ed2f0c2db72fc2c2410181b423b9adc0da78c6ef4113ae05e63b9ebc45c
Opcode Fuzzy Hash: 4eadd0d0f406ed8b37d85d1a844c9417d68d7bf44d1dd90423ea920de8a05be2
Instruction Fuzzy Hash: 9F216275600329ABDB209F69ED44A5A77F8FF45724F204A19F8A1E62E1D7B09980CF60

Function 008205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00820601

Strings

nul, xrefs: 00820639

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d1d30adf5126f0eb903041bf036a9491207d0c5c8829c9e4900feedd0499b632
Instruction ID: 0a50b54d4eef082041caebc020258a3c34bedfe85ce6e8c1ce5863e85a8a15e9
Opcode Fuzzy Hash: d1d30adf5126f0eb903041bf036a9491207d0c5c8829c9e4900feedd0499b632
Instruction Fuzzy Hash: 28216775500325AFDB209F69EC44A5A77E8FF95724F200A19F8A1E72E6D7B099A0CF10

Function 008440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007B604C
Part of subcall function 007B600E: GetStockObject.GDI32(00000011), ref: 007B6060
Part of subcall function 007B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00844112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0084411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0084412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00844139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00844145

Strings

Msctls_Progress32, xrefs: 008440E3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 74233505dac18087fe67519f97f4bef570f99e2ec352a1962b501147ec7b8ae8
Instruction ID: 48f1f3db62b34d7c1d21f2766930cbb49648fec5eaff06b5cc8e436533e29a80
Opcode Fuzzy Hash: 74233505dac18087fe67519f97f4bef570f99e2ec352a1962b501147ec7b8ae8
Instruction Fuzzy Hash: B41190B214021DBEEF119E64CC86EE77F5DFF18798F014111BA18E2150CA769C21DBA4

Function 007ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007ED7A3: _free.LIBCMT ref: 007ED7CC

_free.LIBCMT ref: 007ED82D

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007ED838
_free.LIBCMT ref: 007ED843
_free.LIBCMT ref: 007ED897
_free.LIBCMT ref: 007ED8A2
_free.LIBCMT ref: 007ED8AD
_free.LIBCMT ref: 007ED8B8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bb49280d3295ce41be947cc3099dc98e118f2387f72571b85a4e8dd66a6e4271
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3E112171542B88EAD531BFB2CC4FFCB7BDC6F08700F404825B699A64A3DA6DB9064A50

Function 0081DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0081DA74
LoadStringW.USER32(00000000), ref: 0081DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0081DA91
LoadStringW.USER32(00000000), ref: 0081DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0081DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0081DAB9

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0c10b0d34af12b616334150b5399298cc02a490a04e45654805d7876532d5ec1
Instruction ID: 397092b9d2479e009854f95dc3065eeb54fcf66dcdef4eb4466dc10a41d40ec7
Opcode Fuzzy Hash: 0c10b0d34af12b616334150b5399298cc02a490a04e45654805d7876532d5ec1
Instruction Fuzzy Hash: 6D016DF69002187FE750EBE49D89EEB376CFB09305F404496B746E2041EA749E848F74

Function 0082096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0146E200,0146E200), ref: 0082097B
EnterCriticalSection.KERNEL32(0146E1E0,00000000), ref: 0082098D
TerminateThread.KERNEL32(?,000001F6), ref: 0082099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008209A9
CloseHandle.KERNEL32(?), ref: 008209B8
InterlockedExchange.KERNEL32(0146E200,000001F6), ref: 008209C8
LeaveCriticalSection.KERNEL32(0146E1E0), ref: 008209CF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f8f19885ec25f99b793cb3409d946e5655ed91dabc2f03c6761e76172889a649
Instruction ID: c27ea578c84097ac68dfa3844e3a88c0e6e700d7df2165cc86b00996453fc88a
Opcode Fuzzy Hash: f8f19885ec25f99b793cb3409d946e5655ed91dabc2f03c6761e76172889a649
Instruction Fuzzy Hash: EFF0EC36543A22BBD7915FA4EE8DBD6BB39FF06702F402025F202908A1C7B594A5CF90

Function 00831C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00831DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00831DE1
WSAGetLastError.WSOCK32 ref: 00831DF2
htons.WSOCK32(?,?,?,?,?), ref: 00831EDB
inet_ntoa.WSOCK32(?), ref: 00831E8C

Part of subcall function 008139E8: _strlen.LIBCMT ref: 008139F2

Part of subcall function 00833224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0082EC0C), ref: 00833240

_strlen.LIBCMT ref: 00831F35

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9bae0b70891882a6a9376a5eb39f5cbf020750a730d896a485199b26f2ad2adf
Instruction ID: 24f9ec1f9ee6fdc7d3b0b1df1fee2a43731d8519edc6804243d9a3bda527edaf
Opcode Fuzzy Hash: 9bae0b70891882a6a9376a5eb39f5cbf020750a730d896a485199b26f2ad2adf
Instruction Fuzzy Hash: B6B1CE30204340AFC724DF24C889F6A7BA5FF85718F54895CF5569B2A2CB75ED42CB92

Function 007B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007B5D30
GetWindowRect.USER32(?,?), ref: 007B5D71
ScreenToClient.USER32(?,?), ref: 007B5D99
GetClientRect.USER32(?,?), ref: 007B5ED7
GetWindowRect.USER32(?,?), ref: 007B5EF8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4d16a9b7c4e20251a851246524c987ba5d43520c1eeac7b6ca8907a455d86baf
Instruction ID: 735e8d0b6caff71039bd0a7ef852065b70e4b6c7056a287e9183832cdee80c16
Opcode Fuzzy Hash: 4d16a9b7c4e20251a851246524c987ba5d43520c1eeac7b6ca8907a455d86baf
Instruction Fuzzy Hash: 00B15739A00A4ADBDB10CFA9C4807FAB7F1FF58310F14851AE9A9D7250DB38EA51DB54

Function 007E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007E00D6
__allrem.LIBCMT ref: 007E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007E010B
__allrem.LIBCMT ref: 007E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007E0140

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b20514696396fda7d49a5843c09301fa8ca21e88b1e6ecd21a39ffc6a3bbf7db
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 49810672602746EBE7209F2ACC45B6F73F9AF49324F24453AF511DA381E7B8D9408790

Function 007E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007D82D9,007D82D9,?,?,?,007E644F,00000001,00000001,8BE85006), ref: 007E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007E644F,00000001,00000001,8BE85006,?,?,?), ref: 007E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007E63D8
__freea.LIBCMT ref: 007E63E5

Part of subcall function 007E3820: RtlAllocateHeap.NTDLL(00000000,?,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6,?,007B1129), ref: 007E3852

__freea.LIBCMT ref: 007E63EE
__freea.LIBCMT ref: 007E6413

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9402296ca708fc4792ad87e211bd88c132335c43ffb9a3d687f62096d0bfe413
Instruction ID: 156c82dfe7b9aa2514b5020d008673c770ba74f8bdd7a0ea57b22a5bbd12d1d8
Opcode Fuzzy Hash: 9402296ca708fc4792ad87e211bd88c132335c43ffb9a3d687f62096d0bfe413
Instruction Fuzzy Hash: 7E510472602296ABDB258F66CC85EBF77A9EF58790F144629FD05D7180EB38DC40C6A0

Function 0083BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 0083C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0083B6AE,?,?), ref: 0083C9B5
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083C9F1
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA68
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0083BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0083BD25
RegCloseKey.ADVAPI32(00000000), ref: 0083BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0083BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0083BDF3
RegCloseKey.ADVAPI32(?), ref: 0083BDFF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3bf67fdcd52f3eb3742f42f905c97e76a4bd28b0b19e69094eff45e6a18e14c4
Instruction ID: 2a2830a9a89c550ffab2c42ac810b7802420bb4711ecf27d7a727d71da4d3fae
Opcode Fuzzy Hash: 3bf67fdcd52f3eb3742f42f905c97e76a4bd28b0b19e69094eff45e6a18e14c4
Instruction Fuzzy Hash: 7281A070208241EFD714DF24C895E6ABBE5FF84308F14895DF6598B2A2DB31ED45CB92

Function 0080F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0080F7B9
SysAllocString.OLEAUT32(00000001), ref: 0080F860
VariantCopy.OLEAUT32(0080FA64,00000000), ref: 0080F889
VariantClear.OLEAUT32(0080FA64), ref: 0080F8AD
VariantCopy.OLEAUT32(0080FA64,00000000), ref: 0080F8B1
VariantClear.OLEAUT32(?), ref: 0080F8BB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c0daa87be509465dc15cb7dc44de345f60b467517157a08ccb9cd5abaf162445
Instruction ID: 4b932705aeb3ec34ec0f726314d81d7ebfaa5aede649a36723e624c1718585a2
Opcode Fuzzy Hash: c0daa87be509465dc15cb7dc44de345f60b467517157a08ccb9cd5abaf162445
Instruction Fuzzy Hash: E7511731600314EADFB0AB65DC95B69B7A8FF45314B20C42AEA02DF6D3D7748C40C796

Function 0082910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007B7620: _wcslen.LIBCMT ref: 007B7625

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008294E5
_wcslen.LIBCMT ref: 00829506
_wcslen.LIBCMT ref: 0082952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00829585

Strings

X, xrefs: 00829412

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 10a4654e55f47da04e4e83fcb33582dd1e43d28fcf4a96c4fc49ba94a12762e8
Instruction ID: 2fbcf54583fa761b377acb6f7820c5eccfc9df1326cc8bcf9d45b17c50c0e9f8
Opcode Fuzzy Hash: 10a4654e55f47da04e4e83fcb33582dd1e43d28fcf4a96c4fc49ba94a12762e8
Instruction Fuzzy Hash: 71E1AE31604310DFC724EF24D889BAAB7E4FF84314F14896DE9999B2A2DB34DD45CB92

Function 007C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

BeginPaint.USER32(?,?,?), ref: 007C9241
GetWindowRect.USER32(?,?), ref: 007C92A5
ScreenToClient.USER32(?,?), ref: 007C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007C92D3
EndPaint.USER32(?,?,?,?,?), ref: 007C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008071EA

Part of subcall function 007C9339: BeginPath.GDI32(00000000), ref: 007C9357

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e331c05b1789766830afaba4f11a83c2b7602612c1e4d8683a46b1080adbbe3f
Instruction ID: ac66086d4325e7e2a011fe797acfbd339b212d36ffc8b43932e60ec032e0dff3
Opcode Fuzzy Hash: e331c05b1789766830afaba4f11a83c2b7602612c1e4d8683a46b1080adbbe3f
Instruction Fuzzy Hash: 1E418C70505201EFDB51DF28CC88FAA7BA8FB56320F14066DFA95C72E1CB35A846DB61

Function 008207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0082080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00820847
EnterCriticalSection.KERNEL32(?), ref: 00820863
LeaveCriticalSection.KERNEL32(?), ref: 008208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00820921

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: afed01b1b1b4e6232a8317980d632a37be0345a4b3b6111256bbbe8d22c4da5e
Instruction ID: 05cd6cd3e21b83c3ee9e1bfccf5d61e33f8d31a31e4c79350daf2c97486b4793
Opcode Fuzzy Hash: afed01b1b1b4e6232a8317980d632a37be0345a4b3b6111256bbbe8d22c4da5e
Instruction Fuzzy Hash: F6416B71900215EBDF14AF64DC89A6A77B9FF04300F1440A9ED04DA297DB74DEA1DFA4

Function 008481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0080F3AB,00000000,?,?,00000000,?,0080682C,00000004,00000000,00000000), ref: 0084824C
EnableWindow.USER32(?,00000000), ref: 00848272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008482D1
ShowWindow.USER32(?,00000004), ref: 008482E5
EnableWindow.USER32(?,00000001), ref: 0084830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0084832F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d34b490438f3b770e3ca7d68df8556ec132c2bfecfd2a476fa43e1cda6e6b118
Instruction ID: 560e613173ccbea6f468740666c0c89179e7c25fd6238db91fbc56e709dabd04
Opcode Fuzzy Hash: d34b490438f3b770e3ca7d68df8556ec132c2bfecfd2a476fa43e1cda6e6b118
Instruction Fuzzy Hash: BB41A534601658EFDF51CF29CC99BE87BE5FB0A714F185269E5188B262CB71AC41CB50

Function 00814C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00814C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00814CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00814CEA
_wcslen.LIBCMT ref: 00814D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00814D10
_wcsstr.LIBVCRUNTIME ref: 00814D1A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5907559136ce51b66fa596a98554a82302cda54c0ca30aa4e96fe5e557e0857f
Instruction ID: dafa1353e084389a723a73f2631bd3020530227d14f701c609522a2e58ba2d6b
Opcode Fuzzy Hash: 5907559136ce51b66fa596a98554a82302cda54c0ca30aa4e96fe5e557e0857f
Instruction Fuzzy Hash: 9E213876205204BBEB555B39EC09EBB7BACEF45750F10907EF809CA192EA75DC81D2A0

Function 0082581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B3A97,?,?,007B2E7F,?,?,?,00000000), ref: 007B3AC2

_wcslen.LIBCMT ref: 0082587B
CoInitialize.OLE32(00000000), ref: 00825995
CoCreateInstance.OLE32(0084FCF8,00000000,00000001,0084FB68,?), ref: 008259AE
CoUninitialize.OLE32 ref: 008259CC

Strings

.lnk, xrefs: 00825876, 008258C1, 00825985

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f07f93dbc57686f00b6ebbb5e2df5cd26396f75515e79a0778075418720a209a
Instruction ID: 3aa551f535abcae5cf4e8a6e1f23ddd9778886301623694da6f0f7d8d77352cb
Opcode Fuzzy Hash: f07f93dbc57686f00b6ebbb5e2df5cd26396f75515e79a0778075418720a209a
Instruction Fuzzy Hash: 6CD15071608611DFC714DF24D488A6ABBE5FF89720F148859F88ADB361DB31EC85CB92

Function 0081175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00810FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00810FCA
Part of subcall function 00810FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00810FD6
Part of subcall function 00810FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00810FE5
Part of subcall function 00810FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00810FEC
Part of subcall function 00810FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00811002

GetLengthSid.ADVAPI32(?,00000000,00811335), ref: 008117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008117BA
HeapAlloc.KERNEL32(00000000), ref: 008117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008117DA
GetProcessHeap.KERNEL32(00000000,00000000,00811335), ref: 008117EE
HeapFree.KERNEL32(00000000), ref: 008117F5

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 43388ad88ae111a0e3ddeab9fe74fcf3b32928b59066d5211acfefd5fbdad174
Instruction ID: 1791a53b9c0f37753701697067b9e25a0c276fe39f103af1701c0a300f2c51dc
Opcode Fuzzy Hash: 43388ad88ae111a0e3ddeab9fe74fcf3b32928b59066d5211acfefd5fbdad174
Instruction Fuzzy Hash: BB118636602609EBDF109FA4CC49FEE7BADFF42359F104818E581E7294C736A980CB60

Function 008114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00811506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00811515
CloseHandle.KERNEL32(00000004), ref: 00811520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0081154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00811563

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a206740ca971809b4b692bdef07b1e2c230afe89498ca4c7da505547bb625867
Instruction ID: befebe8f913ca5f7072692a5b3c4c8e4d74bc3703ab63a3da87fb2a367805a30
Opcode Fuzzy Hash: a206740ca971809b4b692bdef07b1e2c230afe89498ca4c7da505547bb625867
Instruction Fuzzy Hash: BC11297660220DABDF118F98DD49FDE7BAEFF49744F044015FA05A2160C3758EA0DB61

Function 007D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007D3379,007D2FE5), ref: 007D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007D33B7
SetLastError.KERNEL32(00000000,?,007D3379,007D2FE5), ref: 007D3409

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8f679d1fc18ddb6b33a6122ef1b81c0675551b63e3e46570032e7ed149332895
Instruction ID: 5a2af98d07fef3641b7fd9a02d44239554d3a57a71ada4ed1d44270af326a66c
Opcode Fuzzy Hash: 8f679d1fc18ddb6b33a6122ef1b81c0675551b63e3e46570032e7ed149332895
Instruction Fuzzy Hash: 3D012432209711FEAA242BB4BC8D5262AB8FB05379320022FF414963F1EF198D819186

Function 007E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007E5686,007F3CD6,?,00000000,?,007E5B6A,?,?,?,?,?,007DE6D1,?,00878A48), ref: 007E2D78
_free.LIBCMT ref: 007E2DAB
_free.LIBCMT ref: 007E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,007DE6D1,?,00878A48,00000010,007B4F4A,?,?,00000000,007F3CD6), ref: 007E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,007DE6D1,?,00878A48,00000010,007B4F4A,?,?,00000000,007F3CD6), ref: 007E2DEC
_abort.LIBCMT ref: 007E2DF2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 30691485b4a6b20d126be4be2b8801a9c5ac44aa787ae20c930edb3673c64dcb
Instruction ID: dcd59a9627bac9f6fcdb89895675d94b15d61b2987c9438e7278907d289b71f5
Opcode Fuzzy Hash: 30691485b4a6b20d126be4be2b8801a9c5ac44aa787ae20c930edb3673c64dcb
Instruction Fuzzy Hash: 8DF0F935607580B7C25267376C0EA1A265DBBCA7A4F314119F624D32A3EE2C88034160

Function 00848A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007C9693
Part of subcall function 007C9639: SelectObject.GDI32(?,00000000), ref: 007C96A2
Part of subcall function 007C9639: BeginPath.GDI32(?), ref: 007C96B9
Part of subcall function 007C9639: SelectObject.GDI32(?,00000000), ref: 007C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00848A4E
LineTo.GDI32(?,00000003,00000000), ref: 00848A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00848A70
LineTo.GDI32(?,00000000,00000003), ref: 00848A80
EndPath.GDI32(?), ref: 00848A90
StrokePath.GDI32(?), ref: 00848AA0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 3d321a40a4a2f199871ad92441e7804a5175939dfea7f1ba3df9303118f39fef
Instruction ID: 6fc316a5b477960c6d52a3f73b5bf95c4b115089fbf2906a7f119267e4524209
Opcode Fuzzy Hash: 3d321a40a4a2f199871ad92441e7804a5175939dfea7f1ba3df9303118f39fef
Instruction Fuzzy Hash: F411057600111CFFEF129F94DC88EAA7F6CFB09394F048022FA199A1A1C771AD55DBA0

Function 008151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00815218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00815229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00815230
ReleaseDC.USER32(00000000,00000000), ref: 00815238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0081524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00815261

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2b35a14a6b9404fa82cd2ee3cf8cede32e987296bda9735f90f77c51db30cb75
Instruction ID: 26fcf05aff55e071b714a06cb8017ff89b591e320e8addc1cc98217dd0ef9d72
Opcode Fuzzy Hash: 2b35a14a6b9404fa82cd2ee3cf8cede32e987296bda9735f90f77c51db30cb75
Instruction Fuzzy Hash: B1014F75A01719BBEB109BA69C49A5EBFBCFF49751F048066FA04E7291DA709800CFA0

Function 007B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007B1C22

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 63b053ac44c51eae03ab861f12dd4979592de3ca2760f43d626d9661ffc6f3f0
Instruction ID: 3f8686ace90b27130a065b1dffd0cc3d05dc5a0dd8acd1c2a841b472654460b8
Opcode Fuzzy Hash: 63b053ac44c51eae03ab861f12dd4979592de3ca2760f43d626d9661ffc6f3f0
Instruction Fuzzy Hash: B10167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0081EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0081EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0081EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0081EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0081EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0081EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0081EB75

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e66797af8c43b99b37343f043edbcd3cdcb46727e616ce3037a06bf5ea47335d
Instruction ID: 901d6b6c9596cd258f93bb76504fc56fc0e80b314647739ba9a3f5df6893303c
Opcode Fuzzy Hash: e66797af8c43b99b37343f043edbcd3cdcb46727e616ce3037a06bf5ea47335d
Instruction Fuzzy Hash: D1F0BEBA202158BBE7605B629C0EEEF3E7CFFCBB11F004158FA02E1090D7A01A01C6B4

Function 00807439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00807452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00807469
GetWindowDC.USER32(?), ref: 00807475
GetPixel.GDI32(00000000,?,?), ref: 00807484
ReleaseDC.USER32(?,00000000), ref: 00807496
GetSysColor.USER32(00000005), ref: 008074B0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: acb979966e7a7a8ae8b3401b6dc3d0b94f7d225158ff5ee21d12e7a87cc43d1b
Instruction ID: a1a110e5c03d7311928d127f5015a7cefbee78a13102714282868b4eb6ec928e
Opcode Fuzzy Hash: acb979966e7a7a8ae8b3401b6dc3d0b94f7d225158ff5ee21d12e7a87cc43d1b
Instruction Fuzzy Hash: 6D018635801605EFEB905FA4DC08BAE7BB9FB05321F224068FA16A21A1CB312E41EB14

Function 00811874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0081187F
UnloadUserProfile.USERENV(?,?), ref: 0081188B
CloseHandle.KERNEL32(?), ref: 00811894
CloseHandle.KERNEL32(?), ref: 0081189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008118A5
HeapFree.KERNEL32(00000000), ref: 008118AC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 16a481885e78c2fa61b1b01d01873b95588c74c7b80c024a57098c4260f90122
Instruction ID: 1c0937363f03f0a46bf8fc9774ef32a150b21399f27d2067bf766a607b505bf1
Opcode Fuzzy Hash: 16a481885e78c2fa61b1b01d01873b95588c74c7b80c024a57098c4260f90122
Instruction Fuzzy Hash: B1E0E53A206101BBDB415FA5ED0C90AFF3DFF4AB22B108220F22581170CB329420DF50

Function 0081C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B7620: _wcslen.LIBCMT ref: 007B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0081C6EE
_wcslen.LIBCMT ref: 0081C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0081C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0081C7CA

Strings

0, xrefs: 0081C6AF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 07f071f758cc28aaf820014ada13b5ff5706221963663505c47a7b4ffbbaac9a
Instruction ID: eb8bf6c51b4bbe777219372a5a75404beadabe73d54c1f13d426a15ea12e24b4
Opcode Fuzzy Hash: 07f071f758cc28aaf820014ada13b5ff5706221963663505c47a7b4ffbbaac9a
Instruction Fuzzy Hash: FE51AD716843019BD714AF28C889BEA77ECFF59314F040A2DF996D21E1DBA4D984CB52

Function 0083AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0083AEA3

Part of subcall function 007B7620: _wcslen.LIBCMT ref: 007B7625

GetProcessId.KERNEL32(00000000), ref: 0083AF38
CloseHandle.KERNEL32(00000000), ref: 0083AF67

Strings

<, xrefs: 0083AE6B
@, xrefs: 0083AE72

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 55f2c6bdc8518e5e7b8c9020cb6ac88392c8c49f369e0b82041d814d904c7282
Instruction ID: 0e93e18584d8fd4e031ba74f8871918c6b0a72136bb4e8682d7f72f6ddc2bcfa
Opcode Fuzzy Hash: 55f2c6bdc8518e5e7b8c9020cb6ac88392c8c49f369e0b82041d814d904c7282
Instruction Fuzzy Hash: 87718A75A00619DFCB18DF54C489A9EBBF4FF48314F048499E856AB3A2CB78ED41CB91

Function 0081719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00817206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0081723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0081724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008172CF

Strings

DllGetClassObject, xrefs: 00817242

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 38a6ffc5ca8cbca647b1fc7f10cd762c66a8f94732e9ebd2ada5964b33278f4b
Instruction ID: 1ca5c98b3e6a3f8f05037f39f97756a81cdd12291725abb556c542c6cfa0c9e7
Opcode Fuzzy Hash: 38a6ffc5ca8cbca647b1fc7f10cd762c66a8f94732e9ebd2ada5964b33278f4b
Instruction Fuzzy Hash: D9412971A04205AFDB15CF54C884ADA7BBDFF49314B1480ADBD0ADF20AD7B1D985CBA0

Function 00843D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00843E35
IsMenu.USER32(?), ref: 00843E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00843E92
DrawMenuBar.USER32 ref: 00843EA5

Strings

0, xrefs: 00843D89

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 45180c6f9bd4b2ccfb32527353aac6a5f9f7ddb61013cd8a837b161c1244ee81
Instruction ID: b52c46acbfc5dd71368a9f03236ddabf6cb1de7dcc274b189626b5d1a03da5cf
Opcode Fuzzy Hash: 45180c6f9bd4b2ccfb32527353aac6a5f9f7ddb61013cd8a837b161c1244ee81
Instruction Fuzzy Hash: CF414575A0220DEFDB10EF64D884AAABBB9FF49354F044129E915EB650D730AE45CF60

Function 00811DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00811E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00811E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00811EA9

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

Strings

ComboBox, xrefs: 00811DF0
ListBox, xrefs: 00811E25

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0163a0b856274115527c463ab6c6aa0d95de3b7a0fda01019a2ea9bc08f0663a
Instruction ID: 6dd28082749322f52527f9083762dc85afc477b2eb9fa2f146637e5ffa25ed64
Opcode Fuzzy Hash: 0163a0b856274115527c463ab6c6aa0d95de3b7a0fda01019a2ea9bc08f0663a
Instruction Fuzzy Hash: 6B210771A00108BADF14ABA4DC4DDFFB7BDFF45354B104119FA26E71E1DB3849459620

Function 00842F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00842F8D
LoadLibraryW.KERNEL32(?), ref: 00842F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00842FA9
DestroyWindow.USER32(?), ref: 00842FB1

Strings

SysAnimate32, xrefs: 00842F68

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 62840c4a7149199b99da4e1aa952f25cc0ae62149e190b09335d082f571e427d
Instruction ID: d45e6647133c00990e823b7ae1700e6fe0e827252d86e0245c9451369a3b9770
Opcode Fuzzy Hash: 62840c4a7149199b99da4e1aa952f25cc0ae62149e190b09335d082f571e427d
Instruction Fuzzy Hash: 5821AE7120820DABEB205F64DC84EBB77BDFB69364F904218F950D2190DB71DC559760

Function 007D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007D4D1E,007E28E9,?,007D4CBE,007E28E9,008788B8,0000000C,007D4E15,007E28E9,00000002), ref: 007D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,007D4D1E,007E28E9,?,007D4CBE,007E28E9,008788B8,0000000C,007D4E15,007E28E9,00000002,00000000), ref: 007D4DC3

Strings

CorExitProcess, xrefs: 007D4D98
mscoree.dll, xrefs: 007D4D86

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8400c6adf447e1ce7be9f633a421b9195ce8996fef8a6b3035f2c9ce3c026de3
Instruction ID: 009cc838ae82663efe9e218ba111b8a39ed9961825e89eb936bcd1728044c400
Opcode Fuzzy Hash: 8400c6adf447e1ce7be9f633a421b9195ce8996fef8a6b3035f2c9ce3c026de3
Instruction Fuzzy Hash: A6F04F35A41208BBDB519F90DC49BADBFB9FF48756F0000A9F909A2360DB359940CED0

Function 0080D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0080D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0080D3BF
FreeLibrary.KERNEL32(00000000), ref: 0080D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0080D3B9
X64, xrefs: 0080D2A8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 803d85b4c19a42dda54a395bf521526526d6d7a17e6ad91fb263cb61b7087ae2
Instruction ID: 50cf7d2b85a3fb04d981a5bf85736a1ed49d82a929f3706e93277faa45b8956b
Opcode Fuzzy Hash: 803d85b4c19a42dda54a395bf521526526d6d7a17e6ad91fb263cb61b7087ae2
Instruction Fuzzy Hash: 9EF05C75407714EBD7F117904C08A197718FF11705B558059F801E12C9EB24DD44C795

Function 007B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007B4EDD,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007B4EAE
FreeLibrary.KERNEL32(00000000,?,?,007B4EDD,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 007B4EA8
kernel32.dll, xrefs: 007B4E94

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 91501abc1e4e3c3b6cebd153be5206cabbfd4d53cfcfcd39315af6641b26217c
Instruction ID: 2cf28801316f23443af8c7466a14622f30a442b876fc85099be98b51582b6bda
Opcode Fuzzy Hash: 91501abc1e4e3c3b6cebd153be5206cabbfd4d53cfcfcd39315af6641b26217c
Instruction Fuzzy Hash: 05E01D39A036225BD3B11B296C19B9F755CFF82F667050115FD05D2256DB6CCD01C5A1

Function 007B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F3CDE,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007B4E74
FreeLibrary.KERNEL32(00000000,?,?,007F3CDE,?,00881418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 007B4E6E
kernel32.dll, xrefs: 007B4E5B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7891c0e88bb014a026f9a1884b5abb12965c8ba9d4e8197aa0781b516d3ca84e
Instruction ID: 9e149030d5132c0ccb954c4f8892cf3a71f8393d6646c3f192616eb68c94063c
Opcode Fuzzy Hash: 7891c0e88bb014a026f9a1884b5abb12965c8ba9d4e8197aa0781b516d3ca84e
Instruction Fuzzy Hash: 97D01239503A615756A21B256C1CECB7B1CFF86B653054515B905E2215CF69CD01C5E1

Function 00822947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00822C05
DeleteFileW.KERNEL32(?), ref: 00822C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00822C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00822CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00822CC0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2dc4cd29e3665cff6724ea84d06863270825e32bf28432f9d93befc31df5ce20
Instruction ID: 63e30089b1e106abe8d7d06f8cbb448471273090a60a21a06621a022785827c6
Opcode Fuzzy Hash: 2dc4cd29e3665cff6724ea84d06863270825e32bf28432f9d93befc31df5ce20
Instruction Fuzzy Hash: BFB14E71900129ABDF21EBA4DC89EDEB77DFF49350F1040A6F509E6251EA349A848B61

Function 0083A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0083A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0083A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0083A468
CloseHandle.KERNEL32(?), ref: 0083A63D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a942619eb881ba7aaad3c3eda8f56ef51a977885ed7b09dcb719623cb619ed74
Instruction ID: e88a837d78b4ac00a62b3dc50a748321c95022841be92e8bd062cacdef286bf5
Opcode Fuzzy Hash: a942619eb881ba7aaad3c3eda8f56ef51a977885ed7b09dcb719623cb619ed74
Instruction Fuzzy Hash: 15A18B71604300AFD724DF24C886F2AB7E5AF84714F14885DF99ADB292DBB4ED41CB92

Function 007EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00853700), ref: 007EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0088121C,000000FF,00000000,0000003F,00000000,?,?), ref: 007EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00881270,000000FF,?,0000003F,00000000,?), ref: 007EBC36
_free.LIBCMT ref: 007EBB7F

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007EBD4B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: fcf0fb82c6287e71868a296efed0f754408fb048da87c9f7d0621dfedb676e9d
Instruction ID: 2fcc91935c9eae57e1f9454c71886fc0123a347d5135a8e6ac745fa33e5973bb
Opcode Fuzzy Hash: fcf0fb82c6287e71868a296efed0f754408fb048da87c9f7d0621dfedb676e9d
Instruction Fuzzy Hash: 7F51FB71905249DFCB10EF6A9C899AFBFBCFF48310F10026AE554D72A1EB349D418BA0

Function 0081E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0081DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0081CF22,?), ref: 0081DDFD

Part of subcall function 0081DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0081CF22,?), ref: 0081DE16

Part of subcall function 0081E199: GetFileAttributesW.KERNEL32(?,0081CF95), ref: 0081E19A

lstrcmpiW.KERNEL32(?,?), ref: 0081E473
MoveFileW.KERNEL32(?,?), ref: 0081E4AC
_wcslen.LIBCMT ref: 0081E5EB
_wcslen.LIBCMT ref: 0081E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0081E650

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 51147a078b55d69c0d916ce7ce82d8b678ecd426660258f6de41b1658309781f
Instruction ID: 26cac6b81c3406e3b3c6c13bf8bc32650a8d8f255ae7dd6e01368d19f0ea68fa
Opcode Fuzzy Hash: 51147a078b55d69c0d916ce7ce82d8b678ecd426660258f6de41b1658309781f
Instruction Fuzzy Hash: 765162B24087459BC724DBA4DC859DBB3ECEF85340F00491EFA89D3151EF74A688C76A

Function 0083B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 0083C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0083B6AE,?,?), ref: 0083C9B5
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083C9F1
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA68
Part of subcall function 0083C998: _wcslen.LIBCMT ref: 0083CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0083BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0083BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0083BB63
RegCloseKey.ADVAPI32(?,?), ref: 0083BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0083BBB3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 976e26c04b20bc5a12d954d09e38dc3fbec1d8eeaebcadf6e6dbb938daf35e18
Instruction ID: 915a1bf8fdf480946be1e8e1bf6379da5583708308921a02e4bb1aa5b71d09d6
Opcode Fuzzy Hash: 976e26c04b20bc5a12d954d09e38dc3fbec1d8eeaebcadf6e6dbb938daf35e18
Instruction Fuzzy Hash: D161BE71209241EFC314DF24C494E6ABBE9FF84318F14899CF5998B2A2DB31ED45CB92

Function 00818BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00818BCD
VariantClear.OLEAUT32 ref: 00818C3E
VariantClear.OLEAUT32 ref: 00818C9D
VariantClear.OLEAUT32(?), ref: 00818D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00818D3B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a192d7347853d5542ce2014cbe6a5da05734a6ca6751ca69ea49e780e344b7ca
Instruction ID: 0717e7c583a6d0fa4bff7d2146e98a97055155ff2052df60ec8de89695b084e9
Opcode Fuzzy Hash: a192d7347853d5542ce2014cbe6a5da05734a6ca6751ca69ea49e780e344b7ca
Instruction Fuzzy Hash: 0A5167B5A00219EFCB10CF68D884AAAB7F8FF89314B158559F909DB350E730E911CF90

Function 00828AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00828BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00828BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00828C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00828C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00828C5F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 85174aefddc13033c5e73c3d942dc3d43c797bceca479febf244adafcf93a799
Instruction ID: fa45f049807b4b4658e5e3b8ac8dea22e9d34fc12c947db5d23689723375dc57
Opcode Fuzzy Hash: 85174aefddc13033c5e73c3d942dc3d43c797bceca479febf244adafcf93a799
Instruction Fuzzy Hash: 75514A35A00215EFCB15DF64C885EA9BBF5FF49314F088498E849AB362DB35ED51CBA0

Function 00838EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00838F40
GetProcAddress.KERNEL32(00000000,?), ref: 00838FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00838FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00839032
FreeLibrary.KERNEL32(00000000), ref: 00839052

Part of subcall function 007CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00821043,?,7556E610), ref: 007CF6E6
Part of subcall function 007CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0080FA64,00000000,00000000,?,?,00821043,?,7556E610,?,0080FA64), ref: 007CF70D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 60b51738f433137863be13f074e00037ba21b3dfdb835d238feef0e5b49281e2
Instruction ID: a0350f6636dbbd63f69f6436dd1a36ffdc0ec5de9dcb23ca5d10eb111f0f1044
Opcode Fuzzy Hash: 60b51738f433137863be13f074e00037ba21b3dfdb835d238feef0e5b49281e2
Instruction Fuzzy Hash: FE514834605205DFCB14DF68C4989ADBBF1FF89314F0480A8E90AAB362DB75ED85CB90

Function 00846B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00846C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00846C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00846C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0082AB79,00000000,00000000), ref: 00846C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00846CC7

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0bd301e41e89acbcd5a0d1cf7fe45fc9cea840b2b52f67f29b0494202971e972
Instruction ID: bf290d726349df6672adf69598dc108a22ab4fab9ab384f58dcfef6a0b400646
Opcode Fuzzy Hash: 0bd301e41e89acbcd5a0d1cf7fe45fc9cea840b2b52f67f29b0494202971e972
Instruction Fuzzy Hash: EB41D935A0410CAFD724CF68CC98FA57BA9FB0B364F150258F895D72E0E771AD61DA41

Function 007E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007E20C3
_free.LIBCMT ref: 007E20E3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0eb78f96a2d8b70f85663c875dd3ea4a588c74c1f7e835f28c071646dbfae687
Instruction ID: a2ace22b2959035da55e73dfb98ff87d8fb33481e20233f5ce4637c4b0a496d2
Opcode Fuzzy Hash: 0eb78f96a2d8b70f85663c875dd3ea4a588c74c1f7e835f28c071646dbfae687
Instruction Fuzzy Hash: FB41E232A01204DFCB24DF79C885A5DB3B9EF89310F1545ADE515EB392EA35EE02CB80

Function 007C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007C9141
ScreenToClient.USER32(00000000,?), ref: 007C915E
GetAsyncKeyState.USER32(00000001), ref: 007C9183
GetAsyncKeyState.USER32(00000002), ref: 007C919D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c7a1f87ea00286cef786fa22f82dcbcdb86e55a9ef9ba07dfde3bf59a246bcbc
Instruction ID: 53753f3889a0405dc13dd51329f2ab2f2b46feab1224bd42bfdc1a860809580f
Opcode Fuzzy Hash: c7a1f87ea00286cef786fa22f82dcbcdb86e55a9ef9ba07dfde3bf59a246bcbc
Instruction Fuzzy Hash: 0C416C31A0860AFBDF559F68C849BEEB774FB05324F248229E529A32E0C7346950CB91

Function 00823874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00823922
TranslateMessage.USER32(?), ref: 0082394B
DispatchMessageW.USER32(?), ref: 00823955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00823966

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4894f866e29422d1f4e86404c3d0eb82b22f019ffc277909dcf7b52d18bac3a0
Instruction ID: 83b34daef70e1c388b4c92db7a439930e9093cfff362392c97868da0fd45ed9a
Opcode Fuzzy Hash: 4894f866e29422d1f4e86404c3d0eb82b22f019ffc277909dcf7b52d18bac3a0
Instruction Fuzzy Hash: 6831C6709043659EEF25CB38A869BB67FACFB07304F04056DE462D65A0E7BCA6C5CB11

Function 0082CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0082C21E,00000000), ref: 0082CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0082CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0082C21E,00000000), ref: 0082CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0082C21E,00000000), ref: 0082CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0082C21E,00000000), ref: 0082CFF2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4101f05bc9bef8b04cb31701f682e2626987dc3601f44185d5e31de2c06d7a4e
Instruction ID: bc3f59297ca6893e6a1530d6481a83bac904f5691e828558d9d1594bb90b8d49
Opcode Fuzzy Hash: 4101f05bc9bef8b04cb31701f682e2626987dc3601f44185d5e31de2c06d7a4e
Instruction Fuzzy Hash: 12314C71600615EFDB20DFA5E984ABFBBFAFB15354B10442EF516D2150DBB0AE80DB60

Function 00811901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00811915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008119E2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9ac17af2adc12d955f4c2c8da24d0e2a6d1db0afabe856773213eb118223bd26
Instruction ID: 53003239f63097f18dc77db06ff1d4ddf5325693e3a1fbcb74e5d9ae406b500b
Opcode Fuzzy Hash: 9ac17af2adc12d955f4c2c8da24d0e2a6d1db0afabe856773213eb118223bd26
Instruction Fuzzy Hash: 40318A75A00219AFCB00CFA8C999ADE3BB9FF05315F108229FA21E72D1C7709984CB91

Function 00845706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00845745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0084579D
_wcslen.LIBCMT ref: 008457AF
_wcslen.LIBCMT ref: 008457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00845816

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1dd6da03817f53a8a0e6af1bad776a351c0ddc6e953d428ac5c19a5d563f32e6
Instruction ID: fa9c51b16bf1c031e6374f46f664e51548d8e4c4e0cd00c7353d73df8f0b3b50
Opcode Fuzzy Hash: 1dd6da03817f53a8a0e6af1bad776a351c0ddc6e953d428ac5c19a5d563f32e6
Instruction Fuzzy Hash: 7C21A57590461CEBDB209F64CC85AEE7BBCFF15328F108226E929EA181D7709985CF50

Function 007C990F Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007C98CC
SetTextColor.GDI32(?,?), ref: 007C98D6
SetBkMode.GDI32(?,00000001), ref: 007C98E9
GetStockObject.GDI32(00000005), ref: 007C98F1
GetWindowLongW.USER32(?,000000EB), ref: 007C9952

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: c4ed082e7e131905690d74d6f5a63ff9b4ed92afd4dc3dd7b5dcfad2ffd47669
Instruction ID: 459d8688670ddd7a197c83ef38b021c48ac8ab32e0af3e4620f31a56cfac5fce
Opcode Fuzzy Hash: c4ed082e7e131905690d74d6f5a63ff9b4ed92afd4dc3dd7b5dcfad2ffd47669
Instruction Fuzzy Hash: DA2147314462909FCBA24F34EC5CFE53FA4AF67321F09018EE6928B1E2D7396941CB10

Function 00830930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00830951
GetForegroundWindow.USER32 ref: 00830968
GetDC.USER32(00000000), ref: 008309A4
GetPixel.GDI32(00000000,?,00000003), ref: 008309B0
ReleaseDC.USER32(00000000,00000003), ref: 008309E8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fad088969bae27dec0015164babe6d7ddea8e4be3ed3f0492359b1ebcb207726
Instruction ID: 0aeea945fbd0d7a8874ef899441b9a99aabc184ccc356da6eecc438e4b021767
Opcode Fuzzy Hash: fad088969bae27dec0015164babe6d7ddea8e4be3ed3f0492359b1ebcb207726
Instruction Fuzzy Hash: A0219239A00214AFD714EF68D848AAEBBE9FF49700F04806DE846D7362CB74AD44CB90

Function 007ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007ECDE9

Part of subcall function 007E3820: RtlAllocateHeap.NTDLL(00000000,?,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6,?,007B1129), ref: 007E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007ECE0F
_free.LIBCMT ref: 007ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007ECE31

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 33aceb5797cb3254fc29298eab8c0a9a4fcdae383b1d93a68b22f95d3662e208
Instruction ID: 3f4d337ff001e79b0e2f16a6c807ff4035643e2d2ce196f07aea564aa84c5f84
Opcode Fuzzy Hash: 33aceb5797cb3254fc29298eab8c0a9a4fcdae383b1d93a68b22f95d3662e208
Instruction Fuzzy Hash: 8E01847A6032957F23261ABB6C8DD7B796DEECBBA1315012DF905D7201EA698D0381B0

Function 007C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007C9693
SelectObject.GDI32(?,00000000), ref: 007C96A2
BeginPath.GDI32(?), ref: 007C96B9
SelectObject.GDI32(?,00000000), ref: 007C96E2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b42091aa466ea46f667b2776bdd57513d1511fca4c010dcca144438f9a1a5a80
Instruction ID: 1c4e9ed553ffd97d0fef64e10dfb18dad075f3b0158eb04e6aff39dba5337549
Opcode Fuzzy Hash: b42091aa466ea46f667b2776bdd57513d1511fca4c010dcca144438f9a1a5a80
Instruction Fuzzy Hash: 58215B30802305EBDF519F68EC1CBA97FACBB51765F50421EF910A61F0DB78A892CB94

Function 00815711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00815726
_memcmp.LIBVCRUNTIME ref: 00815744
_memcmp.LIBVCRUNTIME ref: 00815757
_memcmp.LIBVCRUNTIME ref: 0081576F
_memcmp.LIBVCRUNTIME ref: 00815787

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c7d7e5386ca98366bc7bcdfea1c093dc8d2f8b73e55b4e78a695707d4bc12b90
Instruction ID: 25413c5e84caaaa0e60dcf7b542649df44b55df32e25dd2d924a241bb88e8c26
Opcode Fuzzy Hash: c7d7e5386ca98366bc7bcdfea1c093dc8d2f8b73e55b4e78a695707d4bc12b90
Instruction Fuzzy Hash: 550192A564161DFAE20855109D83EFA635CFFA13A8B404425FE14DA382F664ED9086A0

Function 007E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007DF2DE,007E3863,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6), ref: 007E2DFD
_free.LIBCMT ref: 007E2E32
_free.LIBCMT ref: 007E2E59
SetLastError.KERNEL32(00000000,007B1129), ref: 007E2E66
SetLastError.KERNEL32(00000000,007B1129), ref: 007E2E6F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: df45c3b02200e14756d5238aba1600b52b08895b55219034174a70bf49f27482
Instruction ID: 521cf5eebcaeb6d580a6a3d346326abb610d3a6f98020daf690945c2b78d19fc
Opcode Fuzzy Hash: df45c3b02200e14756d5238aba1600b52b08895b55219034174a70bf49f27482
Instruction Fuzzy Hash: 3001F436207690A7C61227776C4ED2B265DBBCE7A5B214028F425E32A3EA2CCC034520

Function 0081000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?,?,0081035E), ref: 0081002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?), ref: 00810046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?), ref: 00810054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?), ref: 00810064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0080FF41,80070057,?,?), ref: 00810070

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 96e983b06c80bb4208fd40589a61af3a1b8881d834301e66dc24c616ca5249da
Instruction ID: 64bdcb67ccf686346d9b879e84e4b9dc447b9c5ab1003b6c487e764d4845096f
Opcode Fuzzy Hash: 96e983b06c80bb4208fd40589a61af3a1b8881d834301e66dc24c616ca5249da
Instruction Fuzzy Hash: BE018F7A601608BFDB504F68DC04BEA7AADFF48791F144124F905D2211E7B1DE80CBA0

Function 0081E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0081E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0081E9A5
Sleep.KERNEL32(00000000), ref: 0081E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0081E9B7
Sleep.KERNEL32 ref: 0081E9F3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5231acbe761e7f8d81d2d6ec7d405eb1b813db9adbe56b3f7e54c47b760429ce
Instruction ID: edec36c4912ebf244bc602849d9cdb259264adeb50844a12292837b97211c565
Opcode Fuzzy Hash: 5231acbe761e7f8d81d2d6ec7d405eb1b813db9adbe56b3f7e54c47b760429ce
Instruction Fuzzy Hash: 9201203580262DDBCF40ABA4D849AEDBF7CFF0A700F000546E902B2241DB309690CBA2

Function 008110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00811114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 0081112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00810B9B,?,?,?), ref: 00811136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0081114D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cb6f4c165fb0fb4777619a384924a86f03e72a424da3677912162897220db374
Instruction ID: 4948babb6b55032bf9debff093acc5b7f3d2f3789d98eebd645afd4b7d59864a
Opcode Fuzzy Hash: cb6f4c165fb0fb4777619a384924a86f03e72a424da3677912162897220db374
Instruction Fuzzy Hash: 37011D79101205BFDB514FA5DC4DAAA7B6EFF86364B104419FA45D7360DA31DC40DA60

Function 00810FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00810FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00810FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00810FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00810FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00811002

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 567998ea6ecc569b2c923c110b2fb9ce9f7666ecd1e892198d061c37184415d0
Instruction ID: ccb2c210ecf68ee371e23e2ba8fff4d4b211dd63b5159a1e00ef72f49331ce83
Opcode Fuzzy Hash: 567998ea6ecc569b2c923c110b2fb9ce9f7666ecd1e892198d061c37184415d0
Instruction Fuzzy Hash: 62F06D39602701EBDB214FA4DC4DF963BADFF8ABA2F104415FA45C7251CA70DC80CA60

Function 00811014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0081102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00811036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00811045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0081104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00811062

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7fe515ebbb15722272c67178beac765ac5fc3883313d04f2c9e8ba271953a579
Instruction ID: 2bcc944d465dc3453d9a31218299b08047f1b907c3da8dc3b30b59fb1ac4fd26
Opcode Fuzzy Hash: 7fe515ebbb15722272c67178beac765ac5fc3883313d04f2c9e8ba271953a579
Instruction Fuzzy Hash: 4CF06D39602701EBDB219FA5EC4DF963BADFF8A761F100415FA45C7250CA70D880CA60

Function 0082030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 00820324
CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 00820331
CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 0082033E
CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 0082034B
CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 00820358
CloseHandle.KERNEL32(?,?,?,?,0082017D,?,008232FC,?,00000001,007F2592,?), ref: 00820365

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df780eb3b1c922f1286d6ed0b8409bec9e61ab02a9f457bb54375860e4e4e8bd
Instruction ID: 0c63a696e60e79dc9cb794e17bf8f878aa9cfbcbd47e62372855c1293170ac94
Opcode Fuzzy Hash: df780eb3b1c922f1286d6ed0b8409bec9e61ab02a9f457bb54375860e4e4e8bd
Instruction Fuzzy Hash: B101A272801B259FC7309F66E880412FBF9FF503153158A3FD19692A32C371A994CF80

Function 007ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007ED752

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007ED764
_free.LIBCMT ref: 007ED776
_free.LIBCMT ref: 007ED788
_free.LIBCMT ref: 007ED79A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b69ccbe27691a6ec38b43fee12e742f1ca277f1da36e9e5f952b85330fe1c2ec
Instruction ID: bd6ebfb9ac73924f51d1c557277c2270fc09ce7cbed4464583d9af027d63b1f6
Opcode Fuzzy Hash: b69ccbe27691a6ec38b43fee12e742f1ca277f1da36e9e5f952b85330fe1c2ec
Instruction Fuzzy Hash: D7F01232546288AB8671EB66F9CAC1A7BDDBB4C710B951819F058E7517C73CFCC08A64

Function 00815C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00815C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00815C6F
MessageBeep.USER32(00000000), ref: 00815C87
KillTimer.USER32(?,0000040A), ref: 00815CA3
EndDialog.USER32(?,00000001), ref: 00815CBD

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 16a0ae5c4d2fb85fe2779daa1bf284a94340040d0ceeb1ee761a69c692672ea0
Instruction ID: 627e3dc209650ed2377011df1c5101c19bfdd2a64e2d2a11bb0c088bb66bd2da
Opcode Fuzzy Hash: 16a0ae5c4d2fb85fe2779daa1bf284a94340040d0ceeb1ee761a69c692672ea0
Instruction Fuzzy Hash: D6016D74501B04EBEB205F50DD5EFE677BCFF51B05F010559A692A10E1DBF4AA84CA90

Function 007E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007E22BE

Part of subcall function 007E29C8: HeapFree.KERNEL32(00000000,00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000), ref: 007E29DE
Part of subcall function 007E29C8: GetLastError.KERNEL32(00000000,?,007ED7D1,00000000,00000000,00000000,00000000,?,007ED7F8,00000000,00000007,00000000,?,007EDBF5,00000000,00000000), ref: 007E29F0

_free.LIBCMT ref: 007E22D0
_free.LIBCMT ref: 007E22E3
_free.LIBCMT ref: 007E22F4
_free.LIBCMT ref: 007E2305

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 472bfd149c02a6b76c73b535e97fe7867db6861468b3eff27b41f24d0901512c
Instruction ID: cd97b96eb10b8c821550071798ada21c1691fc384d3c32d3a7ed59b2041cd924
Opcode Fuzzy Hash: 472bfd149c02a6b76c73b535e97fe7867db6861468b3eff27b41f24d0901512c
Instruction Fuzzy Hash: 1CF030714021548B8A22AF59BC0A8083B6CFB1C760702551AF514E72B7CB3854539FA5

Function 007C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007C95D4
StrokeAndFillPath.GDI32(?,?,008071F7,00000000,?,?,?), ref: 007C95F0
SelectObject.GDI32(?,00000000), ref: 007C9603
DeleteObject.GDI32 ref: 007C9616
StrokePath.GDI32(?), ref: 007C9631

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6eb0c816d0a68dbc80c67721d84fa3572191dbeab04b35dca851d55096734527
Instruction ID: 1e9463c47b0783279e18cc86912bea91b78c9048441a6df0216494a48cf85610
Opcode Fuzzy Hash: 6eb0c816d0a68dbc80c67721d84fa3572191dbeab04b35dca851d55096734527
Instruction Fuzzy Hash: C7F04934006A08EBDFA65F69ED1CBA43F69BB02322F448218F525650F0DB3499A2DF20

Function 007E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007E10F9
__freea.LIBCMT ref: 007E1117

Part of subcall function 007E1537: _free.LIBCMT ref: 007E154F

Strings

a/p, xrefs: 007E11DE
am/pm, xrefs: 007E117A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 98798344badbd48bda0d0f144e126e0b5095605fee537814fbbcf2a6dcf91ed8
Instruction ID: 3db4e4a99945eb99a5924fc0ee9c9661e8a8a4c076818f38f0d67e60aeb86a7a
Opcode Fuzzy Hash: 98798344badbd48bda0d0f144e126e0b5095605fee537814fbbcf2a6dcf91ed8
Instruction Fuzzy Hash: 2DD11771A02285CACB249F6AC85BBFEB7B5FF0E300FA44159E6019B654D37D9D80CB91

Function 00837B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 007D0242: EnterCriticalSection.KERNEL32(0088070C,00881884,?,?,007C198B,00882518,?,?,?,007B12F9,00000000), ref: 007D024D
Part of subcall function 007D0242: LeaveCriticalSection.KERNEL32(0088070C,?,007C198B,00882518,?,?,?,007B12F9,00000000), ref: 007D028A

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 007D00A3: __onexit.LIBCMT ref: 007D00A9

__Init_thread_footer.LIBCMT ref: 00837BFB

Part of subcall function 007D01F8: EnterCriticalSection.KERNEL32(0088070C,?,?,007C8747,00882514), ref: 007D0202
Part of subcall function 007D01F8: LeaveCriticalSection.KERNEL32(0088070C,?,007C8747,00882514), ref: 007D0235

Strings

G, xrefs: 00837C7F
Variable must be of type 'Object'., xrefs: 00837C3A
5, xrefs: 00837C78

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 34d550e247ffb9b0be94b1df552bd97a20c8fb0163935e68a365d72f0d9c1c22
Instruction ID: 6cad68b10ba1a0657eed0d5186ee161fd164dd21ed18c516b8b9852417ea3775
Opcode Fuzzy Hash: 34d550e247ffb9b0be94b1df552bd97a20c8fb0163935e68a365d72f0d9c1c22
Instruction Fuzzy Hash: 65917CB0A04209EFCB24EF98D8959ADB7B1FF85304F108059F806DB292DB75EE45CB91

Function 007E5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO{, xrefs: 007E5BA8, 007E5C6C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: JO{
API String ID: 0-846867066
Opcode ID: db4b4780b453edcbef913ad2e4f8ff9962b886cba1727ce5e0cb94b67ae62a1b
Instruction ID: 79a090f00dfc20f44a4340e164f320a29d4891ace195dfdb7bcb15e5fb5ce256
Opcode Fuzzy Hash: db4b4780b453edcbef913ad2e4f8ff9962b886cba1727ce5e0cb94b67ae62a1b
Instruction Fuzzy Hash: AD51D771D0268EDFCB119FA6C849FAE7BB4BF0D318F14005AF405A72A2D6799901CB61

Function 007E8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007E8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007E8B7A
__dosmaperr.LIBCMT ref: 007E8B81

Strings

.}, xrefs: 007E8A63

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .}
API String ID: 2434981716-2266125135
Opcode ID: d46a6e18b7d10b955ebdf18155fa8791c0d367eb3b81288f56b547a0cad9b8e8
Instruction ID: 2bd3054b87ab96cd1e0d88641f715f099e9ff838e6c2bbe03631b14d30f6a939
Opcode Fuzzy Hash: d46a6e18b7d10b955ebdf18155fa8791c0d367eb3b81288f56b547a0cad9b8e8
Instruction Fuzzy Hash: F8417EF06051C5AFC7659F5AC880A7D7FA6EF8D304B1881AAF45D8B242DE35CC02C751

Function 00812716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0081B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008121D0,?,?,00000034,00000800,?,00000034), ref: 0081B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00812760

Part of subcall function 0081B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0081B3F8

Part of subcall function 0081B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0081B355
Part of subcall function 0081B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00812194,00000034,?,?,00001004,00000000,00000000), ref: 0081B365
Part of subcall function 0081B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00812194,00000034,?,?,00001004,00000000,00000000), ref: 0081B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0081281A

Strings

@, xrefs: 00812832

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1cf53c891e77df89c195903dfc5316426fe48ed5dadcc877db4e6a7f0bf23a84
Instruction ID: 667b42cc3c2581723e5112010567061f9352b72673e8ad9c43916afa68b1c857
Opcode Fuzzy Hash: 1cf53c891e77df89c195903dfc5316426fe48ed5dadcc877db4e6a7f0bf23a84
Instruction Fuzzy Hash: 63410E76900218AFDB10DFA8CD85ADEBBB8FF09700F108099FA55B7181DB706E95CB61

Function 007E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 007E1769
_free.LIBCMT ref: 007E1834
_free.LIBCMT ref: 007E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 007E1760, 007E1767, 007E1796, 007E17CE

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1505163051
Opcode ID: c60b4b2e19d71f017cd5cf9c9ca7eb3fb29e52fa69ab0629d7c72ab802417951
Instruction ID: a0fd80694d2f3a71f29ce4c1abd4ed44b8140ca84823a14b1729bd03d08485c0
Opcode Fuzzy Hash: c60b4b2e19d71f017cd5cf9c9ca7eb3fb29e52fa69ab0629d7c72ab802417951
Instruction Fuzzy Hash: 9931C271A01298EFCB21DB9A9C8AD9EBBFCEF89720B504166F404D7211D7749E41CB90

Function 0081C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0081C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0081C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00881990,01475418), ref: 0081C395

Strings

0, xrefs: 0081C2DF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c313f3190f4823057509d40e889098223ec995e6ca8d8f40c877ca769163f721
Instruction ID: 4a42474d967ae21da25cfcc707abacc5cb04267dab61fcf0dce14183c7c1ebaa
Opcode Fuzzy Hash: c313f3190f4823057509d40e889098223ec995e6ca8d8f40c877ca769163f721
Instruction Fuzzy Hash: 5341AD312443019FD724DF29D884B9ABBE8FF85324F008A1EF9A5D7391D730A985CB62

Function 00844416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0084CC08,00000000,?,?,?,?), ref: 008444AA
GetWindowLongW.USER32 ref: 008444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008444D7

Strings

SysTreeView32, xrefs: 0084447C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 52808132590bf9e2a57b25bb5eced0ced1c14ba158a16bd354e300b9e096eed3
Instruction ID: 678c2a2f8208d07a7f7510120fe2889aac02b48f39ad2e0540155f51894a3524
Opcode Fuzzy Hash: 52808132590bf9e2a57b25bb5eced0ced1c14ba158a16bd354e300b9e096eed3
Instruction Fuzzy Hash: B7319C32201209ABDF209E38DC45BEA7BA9FB08334F219329F979E21D0D774EC509B50

Function 0083304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0083335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00833077,?,?), ref: 00833378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0083307A
_wcslen.LIBCMT ref: 0083309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00833106

Strings

255.255.255.255, xrefs: 00833095, 0083309A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 43439361629196dba8ee1a38035ea421ab47a523dacf2b87cfc29215e0f4e42c
Instruction ID: 1c35f26416379ed4bb949ce7da4d8c9fa5caf21feb0274e9bbfe3d4d2330df1b
Opcode Fuzzy Hash: 43439361629196dba8ee1a38035ea421ab47a523dacf2b87cfc29215e0f4e42c
Instruction Fuzzy Hash: 4031B039604605DFCB24CF68C595AAA77E0FF94318F248059E915CB3A2DB72EE45C7A0

Function 00843EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00843F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00843F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00843F78

Strings

SysMonthCal32, xrefs: 00843F0B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 85439976975d445f7486fb9a8b411f8c13875e0c0f436af981f40ef5680dba5f
Instruction ID: 44d0af4b02267bb7c0b32a61af1e5b3b1c41195c778b067b962fa4f5c5e83f2d
Opcode Fuzzy Hash: 85439976975d445f7486fb9a8b411f8c13875e0c0f436af981f40ef5680dba5f
Instruction Fuzzy Hash: 2321BC32600219BBDF219F94DC46FEA3B79FF48728F110214FE15AB1D0DAB5A854CBA0

Function 00844653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00844705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00844713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0084471A

Strings

msctls_updown32, xrefs: 00844684

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1665c2315baae876d40db1625875509403ae9e949d2281dab25a0b37a9c37495
Instruction ID: a576bc07c0e531e035fb7637e39ad36ca8bf837efffc3141a1335f1b97ab0764
Opcode Fuzzy Hash: 1665c2315baae876d40db1625875509403ae9e949d2281dab25a0b37a9c37495
Instruction Fuzzy Hash: 93214CB560020DAFEB10DF68DC85EA737ADFB5A394B050059FA15DB351CB34EC12CA60

Function 008195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0081961D

Strings

#requireadmin, xrefs: 008195D9
#notrayicon, xrefs: 008195B7
#OnAutoItStartRegister, xrefs: 008195F3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b24f11fa846df4a1b3d26d18797bcc5f82a6f4d05c1df4551e974a46e1c8c8b4
Instruction ID: c6fd24059aa02734bf3c7c14bc548ab0e3f2c20839342834fe7621f9b4ea49f3
Opcode Fuzzy Hash: b24f11fa846df4a1b3d26d18797bcc5f82a6f4d05c1df4551e974a46e1c8c8b4
Instruction Fuzzy Hash: 74215B32104514A6D331AB24DC26FF773EDFFA1314F50402AF99AE7142EB59ADC1C2A5

Function 008437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00843840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00843850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00843876

Strings

Listbox, xrefs: 0084380F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f29e4770825a1aaa6f1549ae238ac7c92cf446dcfe312e45bf2ceb6e67f85814
Instruction ID: 2ca54342396679de7e0696ffc64cd80124c3b7fb04e23d79aa855f5d3a1e9d10
Opcode Fuzzy Hash: f29e4770825a1aaa6f1549ae238ac7c92cf446dcfe312e45bf2ceb6e67f85814
Instruction Fuzzy Hash: 5C21BE7260021CBBEF219F54CC85FAB7B6EFF89764F108124F9449B190CA75DC5287A0

Function 008249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00824A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00824A5C
SetErrorMode.KERNEL32(00000000,?,?,0084CC08), ref: 00824AD0

Strings

%lu, xrefs: 00824A6F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 230fdffe052b330e5cb6c6c4761f7ac9f27bea84096d0347f6a16eb042cc4470
Instruction ID: a5bb1de06864e3dba977b6e363c4ab67559932025201e3dba44c93468f5fd2ec
Opcode Fuzzy Hash: 230fdffe052b330e5cb6c6c4761f7ac9f27bea84096d0347f6a16eb042cc4470
Instruction Fuzzy Hash: 1F313E75A00219EFDB10DF64C885EAA7BF8FF09308F1480A9E909DB252D775EE45CB61

Function 008441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0084424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00844264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00844271

Strings

msctls_trackbar32, xrefs: 00844226

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 52fa0a5feae4908afdc35cd9b845dcb3983bb6329d7fb6f835eda5ee8b94b8af
Instruction ID: fd4c9d430e0483fbc0d19a81c24f16447997f07d4de477dfa704de68f15cdca4
Opcode Fuzzy Hash: 52fa0a5feae4908afdc35cd9b845dcb3983bb6329d7fb6f835eda5ee8b94b8af
Instruction Fuzzy Hash: F811A03124024CBEEF205E69CC06FAB3BACFF95B64F114624FA55E60A0D6B1D8519B20

Function 00812F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B6B57: _wcslen.LIBCMT ref: 007B6B6A

Part of subcall function 00812DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00812DC5
Part of subcall function 00812DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00812DD6
Part of subcall function 00812DA7: GetCurrentThreadId.KERNEL32 ref: 00812DDD
Part of subcall function 00812DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00812DE4

GetFocus.USER32 ref: 00812F78

Part of subcall function 00812DEE: GetParent.USER32(00000000), ref: 00812DF9

GetClassNameW.USER32(?,?,00000100), ref: 00812FC3
EnumChildWindows.USER32(?,0081303B), ref: 00812FEB

Strings

%s%d, xrefs: 00812FFF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7605e713fbe674ab2f0055302b50a4e49f4aff4dfee9a38fcc9cb182caac3481
Instruction ID: 6d864dc5c5774d7c430060042c3e1e0f4e23c3d1d4aab316c091cbe00412f79b
Opcode Fuzzy Hash: 7605e713fbe674ab2f0055302b50a4e49f4aff4dfee9a38fcc9cb182caac3481
Instruction Fuzzy Hash: 0811C0B5200209ABCF446F64DC99FEE37AEFF98304F048079B909DB252DE3499858B70

Function 00845882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008458EE
DrawMenuBar.USER32(?), ref: 008458FD

Strings

0, xrefs: 0084588F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 524baab536ef4b23e5035dc1e4346075572e79914686e47f72b029f046ebf28f
Instruction ID: 7aceac91597fe60d071b630399a89228b7d90c313046ff354b747c3d9f79646c
Opcode Fuzzy Hash: 524baab536ef4b23e5035dc1e4346075572e79914686e47f72b029f046ebf28f
Instruction Fuzzy Hash: DE016D3150121CEFDB619F11EC48BAEBFB9FB45764F108099E849DA152EB348A84EF21

Function 0081007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d1563dfdedfb384480aa6b12b83faa3fe602aea29808be2f7e8236cb936180
Instruction ID: a866da967c318a4f187228eb2b4e7c0d2a871cc6cb3fb0c5c370d03d6d2ce90d
Opcode Fuzzy Hash: f7d1563dfdedfb384480aa6b12b83faa3fe602aea29808be2f7e8236cb936180
Instruction Fuzzy Hash: 86C13A75A0020AEFDB15CFA8C894AAEB7B9FF48704F208598E515EB251D771EDC1CB90

Function 0083342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00833459
CoUninitialize.OLE32 ref: 00833463
VariantInit.OLEAUT32(?), ref: 0083346E
VariantClear.OLEAUT32(?), ref: 0083371B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 75b7353d982eb1e510f8e53a2ef54d8a8db8d23973a5207a08eea0dae982b883
Instruction ID: 92ce67a49cefdf139c223b5cde8093c237f6fd10137c43dda0d27d38cd258d19
Opcode Fuzzy Hash: 75b7353d982eb1e510f8e53a2ef54d8a8db8d23973a5207a08eea0dae982b883
Instruction Fuzzy Hash: 23A10575604200DFC714DF28C58AA6AB7E5FF89714F048859F98ADB362DB34EE41CB92

Function 00810436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0084FC08,?), ref: 008105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0084FC08,?), ref: 00810608
CLSIDFromProgID.OLE32(?,?,00000000,0084CC40,000000FF,?,00000000,00000800,00000000,?,0084FC08,?), ref: 0081062D
_memcmp.LIBVCRUNTIME ref: 0081064E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c65a2eaed473acbcabbf1b14353dca9d19b167a6e3a89d09569248e735c725f5
Instruction ID: 6dc64e35e544a9c4072dd6513a524f173a7db8d840d7a988e65c304a5456cd02
Opcode Fuzzy Hash: c65a2eaed473acbcabbf1b14353dca9d19b167a6e3a89d09569248e735c725f5
Instruction Fuzzy Hash: 2481B775A00209EFCB04DF94C984AEEB7B9FF89315F204558E516EB250DB71AE86CF60

Function 0083A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0083A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0083A6BA

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0083A79C
CloseHandle.KERNEL32(00000000), ref: 0083A7AB

Part of subcall function 007CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,007F3303,?), ref: 007CCE8A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 771bec8836e8bba46e3356aa3ea86fee588db9d9079da85440cb71f3a9eb1574
Instruction ID: f8582203b07980ea2a3d63e398105691cbf7a9e247aae5b9f8a1441f5ff7c530
Opcode Fuzzy Hash: 771bec8836e8bba46e3356aa3ea86fee588db9d9079da85440cb71f3a9eb1574
Instruction Fuzzy Hash: 2E51F975508300AFD714EF24C88AAABBBE8FF89754F40892DF695D7251EB34D904CB92

Function 007F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F14C0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 32fa48d7415a19909b8190b49d30b651249d8c61a608c21a9ee576cc2183b6e4
Instruction ID: f3aa2bdd580eb7ddab53caec05328eafaf2aee629d84bff199b61a06b2966724
Opcode Fuzzy Hash: 32fa48d7415a19909b8190b49d30b651249d8c61a608c21a9ee576cc2183b6e4
Instruction Fuzzy Hash: C441313250018CEBDB256BFD9C496BE3AB4FF85370F544226F619D7392E63C48415671

Function 00846278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008462E2
ScreenToClient.USER32(?,?), ref: 00846315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00846382

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2828b9dcdc0ff39fcd2a647ef75036aed9943d27a0681dfa6a50cc024acf4ee1
Instruction ID: bb55c95fea430547b117a4c240ea1e73ca96b1ca5a051c331e0bd50b3f548383
Opcode Fuzzy Hash: 2828b9dcdc0ff39fcd2a647ef75036aed9943d27a0681dfa6a50cc024acf4ee1
Instruction Fuzzy Hash: 0A513A74A00249EFCF14DF68D884AAE7BB5FB46364F108259F815DB290E770ED91CB51

Function 00831AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00831AFD
WSAGetLastError.WSOCK32 ref: 00831B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00831B8A
WSAGetLastError.WSOCK32 ref: 00831B94

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6665deaf2a74a8f154abda4d0dcd73083c38112c0f1c769ecec0018287a561a9
Instruction ID: edd746a5e746f2c5cc8df41684abfb45bdde96bb1e0a2ce7b018a806f65d2597
Opcode Fuzzy Hash: 6665deaf2a74a8f154abda4d0dcd73083c38112c0f1c769ecec0018287a561a9
Instruction Fuzzy Hash: 0E419035600200AFEB20AF24C88AF6677E5EB85718F54849CFA1A9F2D2D776DD41CBD0

Function 007EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9108068d1149ba4d5a2882e77cbfdcb03d7c964b29cede1f05f572c0f4e29ca0
Instruction ID: 17ec7b6c3e38fc777425bb7cecab36a53ab7f859e837c94d787e9d951dba0b42
Opcode Fuzzy Hash: 9108068d1149ba4d5a2882e77cbfdcb03d7c964b29cede1f05f572c0f4e29ca0
Instruction Fuzzy Hash: 2741E4B2A01384EFD7249F79CC45B6BBFA9EB8D710F10452AF542DB2C2D779A9118780

Function 008256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00825783
GetLastError.KERNEL32(?,00000000), ref: 008257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008257FA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 98d15047776dfd438f62c5f904add460fbdc1dd46be7705f111a0fc12e407fe0
Instruction ID: c7ba3682f19bdefb39a0457eb554ffafce1564d766c87f88b9f208be4261ab9e
Opcode Fuzzy Hash: 98d15047776dfd438f62c5f904add460fbdc1dd46be7705f111a0fc12e407fe0
Instruction Fuzzy Hash: 58412B39600610DFCB25DF15C445A5EBBE6FF89320B18C498E84AAB762CB74FD40CB91

Function 007ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,007D6D71,00000000,00000000,007D82D9,?,007D82D9,?,00000001,007D6D71,?,00000001,007D82D9,007D82D9), ref: 007ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007ED9AB
__freea.LIBCMT ref: 007ED9B4

Part of subcall function 007E3820: RtlAllocateHeap.NTDLL(00000000,?,00881444,?,007CFDF5,?,?,007BA976,00000010,00881440,007B13FC,?,007B13C6,?,007B1129), ref: 007E3852

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a8d5c3998b6dea91c73d238f89002388254ce34ab4ff39e2401e3b881ae8f801
Instruction ID: 62d11487300ae86361eefad162754f9d9428c169aa3a29dc2cd312f2552c3e88
Opcode Fuzzy Hash: a8d5c3998b6dea91c73d238f89002388254ce34ab4ff39e2401e3b881ae8f801
Instruction Fuzzy Hash: AD31FE72A0124AABDF24CF66DC45EAE7BA5EF45310F054169FC04DB252EB39ED50CBA0

Function 008452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00845352
GetWindowLongW.USER32(?,000000F0), ref: 00845375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00845382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008453A8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e62ed31fd5d1e050d23eba2cf42c4e8730d469434b17556289a5c05035504dc3
Instruction ID: 1155d0d8da569597d5be3e2e3f786d0f05c4c3c0c44215608415496398a0ba32
Opcode Fuzzy Hash: e62ed31fd5d1e050d23eba2cf42c4e8730d469434b17556289a5c05035504dc3
Instruction Fuzzy Hash: D7319E34A55A0CEFEB209E14CC19BED77A5FB06394F584145FA11D63E2C7B49D40DB41

Function 0081AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 0081ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0081AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0081AC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 0081ACC6

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 32992018e734a913a8e53b8ba64cb2e32f1250e21b4bcc7aea413c9b6f1279a0
Instruction ID: 6f33f02a91c2618ca841ad655a6c3c4291f9daa839fc37c28b1edfc861fe1440
Opcode Fuzzy Hash: 32992018e734a913a8e53b8ba64cb2e32f1250e21b4bcc7aea413c9b6f1279a0
Instruction Fuzzy Hash: 1E31F270A02618AFEB39CB69C8047FA7BAEFF89310F04421AE485D22D1D37589C587D2

Function 00847674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0084769A
GetWindowRect.USER32(?,?), ref: 00847710
PtInRect.USER32(?,?,00848B89), ref: 00847720
MessageBeep.USER32(00000000), ref: 0084778C

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ee4ace036fc9b6b76380c39d2c90543b1b0013ae8466de1f196d4961695f139d
Instruction ID: 2192f2049da4cba4b1fbd9aed070848eecea182820d74dfd39f7364943461e58
Opcode Fuzzy Hash: ee4ace036fc9b6b76380c39d2c90543b1b0013ae8466de1f196d4961695f139d
Instruction Fuzzy Hash: 3F41A038605259DFDB11CF58C898EA9BBF9FF49314F9680A9E414DB261C730E942CF90

Function 008416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008416EB

Part of subcall function 00813A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00813A57
Part of subcall function 00813A3D: GetCurrentThreadId.KERNEL32 ref: 00813A5E
Part of subcall function 00813A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008125B3), ref: 00813A65

GetCaretPos.USER32(?), ref: 008416FF
ClientToScreen.USER32(00000000,?), ref: 0084174C
GetForegroundWindow.USER32 ref: 00841752

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a91f512321ac22e7cbdf84f4e58311c564d3f0978e94eedf9e6c75f0ef576d72
Instruction ID: 0b8d8c4da40f51820a425779c94815b291c13322725b086a4ab5455a2d8e6567
Opcode Fuzzy Hash: a91f512321ac22e7cbdf84f4e58311c564d3f0978e94eedf9e6c75f0ef576d72
Instruction Fuzzy Hash: 28313D75D00149AFCB04EFA9C8859EEBBFDFF48304B5480AAE415E7211D6359E45CBA1

Function 0081DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 007B7620: _wcslen.LIBCMT ref: 007B7625

_wcslen.LIBCMT ref: 0081DFCB
_wcslen.LIBCMT ref: 0081DFE2
_wcslen.LIBCMT ref: 0081E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0081E018

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 09f8076e04ccaad828ecd3cbda52b69038beff06226a2a52bf5af3f5afcc3680
Instruction ID: ff5705144ecf747d79a906bb6658590d888e378fda7c29b0378acbda2546a94a
Opcode Fuzzy Hash: 09f8076e04ccaad828ecd3cbda52b69038beff06226a2a52bf5af3f5afcc3680
Instruction Fuzzy Hash: 9921BF71900614EFCB209FA8D881BAEB7F8FF49750F144069E805FB342D6749E41CBA1

Function 00848FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

GetCursorPos.USER32(?), ref: 00849001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00807711,?,?,?,?,?), ref: 00849016
GetCursorPos.USER32(?), ref: 0084905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00807711,?,?,?), ref: 00849094

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9c3dc55b092400d9bd754e59ab5f6aa56974abd71316e4b1acb6b22b8b7d18a7
Instruction ID: 895513a63db2c0a3cc037b4a17a9b0046352f141bfd8e24ea4f8b01b62a8e786
Opcode Fuzzy Hash: 9c3dc55b092400d9bd754e59ab5f6aa56974abd71316e4b1acb6b22b8b7d18a7
Instruction Fuzzy Hash: 9F21AB35601418EFDB25CF98CC58EEB7BB9FB8A350F014069F9458B261C735A990DB60

Function 0081D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0084CB68), ref: 0081D2FB
GetLastError.KERNEL32 ref: 0081D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0081D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0084CB68), ref: 0081D376

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8b54ba8a630571cf7ead8ff8fb40e39efc4b37852b22a00fb85a8c930b7c5dcf
Instruction ID: a462225bb752836ea9add0e225db0aaadaa41b232c6f82c28d2365f80847a51a
Opcode Fuzzy Hash: 8b54ba8a630571cf7ead8ff8fb40e39efc4b37852b22a00fb85a8c930b7c5dcf
Instruction Fuzzy Hash: 90216D74509301DF8710DF28C885AAAB7ECFE56364F104A1DF4A9C73A1EB359986CB93

Function 00811571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00811014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0081102A
Part of subcall function 00811014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00811036
Part of subcall function 00811014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00811045
Part of subcall function 00811014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0081104C
Part of subcall function 00811014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00811062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008115BE
_memcmp.LIBVCRUNTIME ref: 008115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00811617
HeapFree.KERNEL32(00000000), ref: 0081161E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5b592aac3eb90ee84384de33dfdb77ccadc5c668f7b27132b5841e26f9b9f257
Instruction ID: 2f0dd5b005da9f80202475da1c0be02c6201c66e130a7a0070ef5d4b5b12f4bd
Opcode Fuzzy Hash: 5b592aac3eb90ee84384de33dfdb77ccadc5c668f7b27132b5841e26f9b9f257
Instruction Fuzzy Hash: 0C215531E01108ABDF00DFA4C949BEEB7B9FF94344F084459E541AB241E731AA85CBA0

Function 00842782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0084280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00842824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00842832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00842840

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 459599d348c72a4074221c6d1f30f13f0f7a81e4666e00cc7af659d3dca8b06f
Instruction ID: 6d6edc6f218f67560697b2ee54c1284ed801a6fc73095bf80e1ca62de043452d
Opcode Fuzzy Hash: 459599d348c72a4074221c6d1f30f13f0f7a81e4666e00cc7af659d3dca8b06f
Instruction Fuzzy Hash: 7021D335209119AFD714DB24C844FAA7B99FF46324F158258F826CB6E2CB75FC42CB91

Function 008178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00818D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0081790A,?,000000FF,?,00818754,00000000,?,0000001C,?,?), ref: 00818D8C
Part of subcall function 00818D7D: lstrcpyW.KERNEL32(00000000,?,?,0081790A,?,000000FF,?,00818754,00000000,?,0000001C,?,?,00000000), ref: 00818DB2
Part of subcall function 00818D7D: lstrcmpiW.KERNEL32(00000000,?,0081790A,?,000000FF,?,00818754,00000000,?,0000001C,?,?), ref: 00818DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00818754,00000000,?,0000001C,?,?,00000000), ref: 00817923
lstrcpyW.KERNEL32(00000000,?,?,00818754,00000000,?,0000001C,?,?,00000000), ref: 00817949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00818754,00000000,?,0000001C,?,?,00000000), ref: 00817984

Strings

cdecl, xrefs: 0081797B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ac89f60d3cc9dc836beda0055fa4e3b23edd2d470fd19e32de03d61f7b0faf15
Instruction ID: fa8c2db5284cc1c2cf2ba900f07e2d27de3cadca98e5b613c606a79864a0dbb5
Opcode Fuzzy Hash: ac89f60d3cc9dc836beda0055fa4e3b23edd2d470fd19e32de03d61f7b0faf15
Instruction Fuzzy Hash: AA11D33A201302ABCB159F38D845EBA7BBDFF95350B50802EF946C72A4EB359855C7A1

Function 00847CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00847D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00847D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00847D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0082B7AD,00000000), ref: 00847D6B

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c050399ff5e834137a3bcc14b2a59bbf8e53bebd721d06c56e078df5a18b5a02
Instruction ID: 87094aa5715eee062c8cb7f1d4169a6ab2205526acabfd8d8aded194f60d2b02
Opcode Fuzzy Hash: c050399ff5e834137a3bcc14b2a59bbf8e53bebd721d06c56e078df5a18b5a02
Instruction Fuzzy Hash: DC117235615619AFCB109F68CC08B6A3BA9FF46360B158728F939D72F0E7349D51CB50

Function 00845660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008456BB
_wcslen.LIBCMT ref: 008456CD
_wcslen.LIBCMT ref: 008456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00845816

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0e4d1f276634818fcb86b1a879e1d557200c8c2cdf8c1fb243c237ff707999ff
Instruction ID: 3484552f2f3c67d321c276cb60f82bb38d1ce680c39090847b957b44be3e2dbf
Opcode Fuzzy Hash: 0e4d1f276634818fcb86b1a879e1d557200c8c2cdf8c1fb243c237ff707999ff
Instruction Fuzzy Hash: 9111D67560060CA7DF209F65DC85AEE7B7CFF11768B104026F915D6182EB74D984CB64

Function 007E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a274c5cf5801c76e1aa9d3645680ea80ecbe37bb4d67c34d36d2e2504d840e92
Instruction ID: fe290e7e2c72f60db6776a24b9c03c6fedfcdf2f563bb5cfae85e83dbc079d88
Opcode Fuzzy Hash: a274c5cf5801c76e1aa9d3645680ea80ecbe37bb4d67c34d36d2e2504d840e92
Instruction Fuzzy Hash: 880126B230768A7EF620567A6CC6F27261CEF893B8F710325F520611D2DB788C008230

Function 00811A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00811A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00811A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00811A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00811A8A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fbab5c9d7572e63aaca50371be4c4583fe74d3473cbe7cff835f32adddc45524
Instruction ID: c4ce0156bd020ed29fc44fdca4a23a53a34c0b2258e02c5a40e9d9a51a564818
Opcode Fuzzy Hash: fbab5c9d7572e63aaca50371be4c4583fe74d3473cbe7cff835f32adddc45524
Instruction Fuzzy Hash: 3811157A901229FFEF109BA48985FADBB78FF08750F200091EA00B7290D6716E50DB94

Function 0081E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0081E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0081E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0081E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0081E24D

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f93c5fd011f796ec07efb20c578a342a3d16b6d9f3852c41420741f68444ab7d
Instruction ID: 5ed4ae3820332df490a8b6845d92a328e42ffdddab12b8037817139b0a97c0fd
Opcode Fuzzy Hash: f93c5fd011f796ec07efb20c578a342a3d16b6d9f3852c41420741f68444ab7d
Instruction Fuzzy Hash: 4511A176A04258ABCB119FACAC09ADA7BACFF46320F144255F925E3391D7B49D4487A0

Function 007DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,007DCFF9,00000000,00000004,00000000), ref: 007DD218
GetLastError.KERNEL32 ref: 007DD224
__dosmaperr.LIBCMT ref: 007DD22B
ResumeThread.KERNEL32(00000000), ref: 007DD249

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 352b6130a77ccbddf48526a7e6c906f66062611a2b1cc07181f9c0b731c8a6d0
Instruction ID: e6c4c804c30b0d03289cef334efb6de2e75e4b90f32bfcfe37204c785bc332aa
Opcode Fuzzy Hash: 352b6130a77ccbddf48526a7e6c906f66062611a2b1cc07181f9c0b731c8a6d0
Instruction Fuzzy Hash: 7E01D236806208BBCB215BA5DC09BAE7A7DFF82330F10021BF925923D0DB799D01C6A0

Function 00849EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 007C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007C9BB2

GetClientRect.USER32(?,?), ref: 00849F31
GetCursorPos.USER32(?), ref: 00849F3B
ScreenToClient.USER32(?,?), ref: 00849F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00849F7A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 680494a3136c8c5fcfdb74acc64cad369d0280f335facc23a24a5b0c55ed1445
Instruction ID: 5cafb044af27647778c73202dd575c9ba5e31d02f2852246e480be5465c7f854
Opcode Fuzzy Hash: 680494a3136c8c5fcfdb74acc64cad369d0280f335facc23a24a5b0c55ed1445
Instruction Fuzzy Hash: 9811363690111EABDB20DFA8D8499EE77BCFB46311F000455F941E3140DB34BE86CBA1

Function 007B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007B604C
GetStockObject.GDI32(00000011), ref: 007B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007B606A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 045f1a72f3a26d05369785865b7cb313a5ddb26b8ebb23e05a574f5b3063e17a
Instruction ID: 3309361e98cc23b9cd5a51cf7ca7c9fe72dea1382fae584b3c3a91f7236cf04a
Opcode Fuzzy Hash: 045f1a72f3a26d05369785865b7cb313a5ddb26b8ebb23e05a574f5b3063e17a
Instruction Fuzzy Hash: 6D115B72502508BFEF529FA59C44EFABBADFF197A4F040216FB1452120D73A9C60DBA0

Function 007D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 007D3B56

Part of subcall function 007D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007D3AD2
Part of subcall function 007D3AA3: ___AdjustPointer.LIBCMT ref: 007D3AED

_UnwindNestedFrames.LIBCMT ref: 007D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 007D3BA4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cce51fc8d84b2eb94deed27e5dbd3e9b0634cff22a8469cc805a35ee2300c8b5
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0C012D72100148BBDF115F95CC46DEB3F7AEF48754F04401AFE4856221C73AE961DBA1

Function 007E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007B13C6,00000000,00000000,?,007E301A,007B13C6,00000000,00000000,00000000,?,007E328B,00000006,FlsSetValue), ref: 007E30A5
GetLastError.KERNEL32(?,007E301A,007B13C6,00000000,00000000,00000000,?,007E328B,00000006,FlsSetValue,00852290,FlsSetValue,00000000,00000364,?,007E2E46), ref: 007E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007E301A,007B13C6,00000000,00000000,00000000,?,007E328B,00000006,FlsSetValue,00852290,FlsSetValue,00000000), ref: 007E30BF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 21b25d95abe8e4727473bc62f650161a6e36fb394b710fd07915f4c96f78dbe8
Instruction ID: ffe4ef273f0a4e12a9df7f7297eb37be5b9a71668a13bdf0df0555b1d2048d34
Opcode Fuzzy Hash: 21b25d95abe8e4727473bc62f650161a6e36fb394b710fd07915f4c96f78dbe8
Instruction Fuzzy Hash: 1601F736303266ABCB718B7A9C4CA677B9EBF4AB61B200720F905E3140C729D901C6E0

Function 00817464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0081747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00817497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008174CA

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 650b28fb4d1f4606f36a3286b1f94754efeb9c36d5742fb40b42ceb42fb32aae
Instruction ID: 075e860acb4a582f8c5229e99f74c871f2bc8db29abf888d9e46979e1510225f
Opcode Fuzzy Hash: 650b28fb4d1f4606f36a3286b1f94754efeb9c36d5742fb40b42ceb42fb32aae
Instruction Fuzzy Hash: 99118BB9206315ABE7208F18DD08FD27BFCFF00B04F10856EA656D6191DBB0E984DBA4

Function 0081B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0081ACD3,?,00008000), ref: 0081B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0081ACD3,?,00008000), ref: 0081B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0081ACD3,?,00008000), ref: 0081B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0081ACD3,?,00008000), ref: 0081B126

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 48a2ef8fb6b148cdac123c23a5e487312f96d426a28dff42fe670c231cd38b89
Instruction ID: da1fa793a2001e17270a5096d12a3f86bbcd1b0f2dc09c75e3182ef8c50a4a9d
Opcode Fuzzy Hash: 48a2ef8fb6b148cdac123c23a5e487312f96d426a28dff42fe670c231cd38b89
Instruction Fuzzy Hash: 38113931C0292DE7CF00AFE4E958AEEBB7CFF0A711F114089D955B2181DB309690CB51

Function 00847E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00847E33
ScreenToClient.USER32(?,?), ref: 00847E4B
ScreenToClient.USER32(?,?), ref: 00847E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00847E8A

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 650e60726384ca0732650777651d1df83275e1d1b7f884e1c791fbf75fad9e48
Instruction ID: 0ddbd39e18f86e502b8d5086b5f87fbfb66fe1da482e0a9919193be094b3d241
Opcode Fuzzy Hash: 650e60726384ca0732650777651d1df83275e1d1b7f884e1c791fbf75fad9e48
Instruction Fuzzy Hash: 771153B9D0020AAFDB41CF98C884AEEBBF9FF19310F509166E915E3210D735AA54CF90

Function 00812DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00812DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00812DD6
GetCurrentThreadId.KERNEL32 ref: 00812DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00812DE4

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ee6c6068d4d00478175ac7889816a09b3f5d876ebf92eab2c29cb7e5b680033f
Instruction ID: 47df54622771c2c631a9e814110f028368c56dbe4443fc2fb7b64ba95f0b0cba
Opcode Fuzzy Hash: ee6c6068d4d00478175ac7889816a09b3f5d876ebf92eab2c29cb7e5b680033f
Instruction Fuzzy Hash: 35E0EDB56022287AD7601BA2EC0DEEB7E6CFF57BA1F414119B506D10909AA58981C6B1

Function 00848863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007C9693
Part of subcall function 007C9639: SelectObject.GDI32(?,00000000), ref: 007C96A2
Part of subcall function 007C9639: BeginPath.GDI32(?), ref: 007C96B9
Part of subcall function 007C9639: SelectObject.GDI32(?,00000000), ref: 007C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00848887
LineTo.GDI32(?,?,?), ref: 00848894
EndPath.GDI32(?), ref: 008488A4
StrokePath.GDI32(?), ref: 008488B2

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1d02b8c2d0304f3b9224204003e37026857f277bb04c0cdb940d10920d9ff681
Instruction ID: 20a38d9ed3dd85ae02279bfa6b9c1a4f6ad8188e8f8fe8181ec2984ddeb694ae
Opcode Fuzzy Hash: 1d02b8c2d0304f3b9224204003e37026857f277bb04c0cdb940d10920d9ff681
Instruction Fuzzy Hash: FFF03A3A042658FADB125F94AC0DFCE3F5DBF16310F448100FA11650E2CB795511CBA9

Function 007C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007C98CC
SetTextColor.GDI32(?,?), ref: 007C98D6
SetBkMode.GDI32(?,00000001), ref: 007C98E9
GetStockObject.GDI32(00000005), ref: 007C98F1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: bb042d19db3b5bb4f6906f3dc882655ad4791df2d0d743e664fc3f8eb4fca947
Instruction ID: 87c73e50b79ce0d56a9dc8e4514ff6f1d15e70f6bbe25832d6a4961b6a7a5c5d
Opcode Fuzzy Hash: bb042d19db3b5bb4f6906f3dc882655ad4791df2d0d743e664fc3f8eb4fca947
Instruction Fuzzy Hash: 10E06D35645680AAEBA15B74AC09BE83F24FB16336F04821AF7FA980E1C7715640DB10

Function 0081162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00811634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008111D9), ref: 0081163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008111D9), ref: 00811648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008111D9), ref: 0081164F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a078a80f433d401bac9efca365a8b1257342b8008e380df04017da6c866e0e6d
Instruction ID: e64f9d6bbc5286c102c18ad84a9b7e0be76c1581370867597684db660c95620a
Opcode Fuzzy Hash: a078a80f433d401bac9efca365a8b1257342b8008e380df04017da6c866e0e6d
Instruction Fuzzy Hash: AEE04F356022119BDBA01FA19D0DB867B6CFF56791F144809F246C9090D6644480CB50

Function 0080D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0080D858
GetDC.USER32(00000000), ref: 0080D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0080D882
ReleaseDC.USER32(?), ref: 0080D8A3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 71af866e893cf2f108df2042461eec6fefa9a422a0a2af59f33a3eb0dc9d6d73
Instruction ID: 13321e3ed673f8acc9d190eacb0a759ad6745cbe7fdaf895e1cfbf6239a866b8
Opcode Fuzzy Hash: 71af866e893cf2f108df2042461eec6fefa9a422a0a2af59f33a3eb0dc9d6d73
Instruction Fuzzy Hash: 1AE01AB9801204DFCB919FA0D80CA6DBBB9FB19310F15D45DF806E7260C7388941EF40

Function 0080D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0080D86C
GetDC.USER32(00000000), ref: 0080D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0080D882
ReleaseDC.USER32(?), ref: 0080D8A3

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 92930487ac24d5aeb003586e5637af17dc9f4d468713c256e5f06a10f4043d81
Instruction ID: fb8f7df383d276537f4b873886af573eceff8f8f58ac5c3633cf56e53c440740
Opcode Fuzzy Hash: 92930487ac24d5aeb003586e5637af17dc9f4d468713c256e5f06a10f4043d81
Instruction Fuzzy Hash: 03E012B9801200EFCB91AFA0D80CA6DBBB9BB18310B15904DF80AE7260CB385901EF40

Function 00824D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007B7620: _wcslen.LIBCMT ref: 007B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00824ED4

Strings

LPT, xrefs: 00824DFB
*, xrefs: 00824E10

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: de3851ac7415a48714198584cb8f17bb04a90975008747e8fd448ae4c52b6340
Instruction ID: e455c64542f3f60f92b3bc824cbfb99804a26d372fdb64951ebe8365511e19c9
Opcode Fuzzy Hash: de3851ac7415a48714198584cb8f17bb04a90975008747e8fd448ae4c52b6340
Instruction Fuzzy Hash: 90915D75A00214DFDB14DF54D584EA9BBF1FF84308F199099E80A9B3A2CB35ED85CBA1

Function 007DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007DE30D

Strings

pow, xrefs: 007DE2E5, 007DE302

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c24ba329d51ee94fb4fec6408fa400269111273a5592d596e66f879c91bccf1c
Instruction ID: d1aca00e533d87af2d3d85465686fa6d49425c17236073528bbe33e1683875b8
Opcode Fuzzy Hash: c24ba329d51ee94fb4fec6408fa400269111273a5592d596e66f879c91bccf1c
Instruction Fuzzy Hash: 55517D61A0D24296CB1BB715CD453793BB8FB44741F34899AF0D54A3E9EF3C8C81DA46

Function 007CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007CE1B1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 731caa0cacfd3f05764a35a1f52625675a7d55b90583395a9d3c5173bf92b4da
Instruction ID: a0e0574afa566caabd0df11704e73db328291abee784368646056cd2d93df8d9
Opcode Fuzzy Hash: 731caa0cacfd3f05764a35a1f52625675a7d55b90583395a9d3c5173bf92b4da
Instruction Fuzzy Hash: 4A513335601246DFDB25DF28C885BFA7BA8FF55310F24845DE891DB2C0DA389D42CBA0

Function 007CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007CF2BB

Strings

@, xrefs: 007CF2AF

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4231ab75b2eb5cab69395742c67e2dbbb786614f2f3ecc27fb58f946dee20a4e
Instruction ID: 3bde580d16c01c80ca60aa0703b44a4a87176a18361d47c7f36ffcf31841fa65
Opcode Fuzzy Hash: 4231ab75b2eb5cab69395742c67e2dbbb786614f2f3ecc27fb58f946dee20a4e
Instruction Fuzzy Hash: 26512472418744DBD320AF10D88ABABBBF8FB84300F85885DF199811A5EB748529CB67

Function 00835745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008357E0
_wcslen.LIBCMT ref: 008357EC

Strings

CALLARGARRAY, xrefs: 008357E6, 008357EB

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ef9914f2316c5b5c340b2b8de7b61d74cc9b7b2adf359d4ace5b879e325c03a6
Instruction ID: 9b4aa4ad0486f56b69684687b479536400e46f84f8c4f47c98e3771e86572609
Opcode Fuzzy Hash: ef9914f2316c5b5c340b2b8de7b61d74cc9b7b2adf359d4ace5b879e325c03a6
Instruction Fuzzy Hash: CE417B71A00209DFCB14EFA9C8869AEBBB5FF99724F14406DE505E7291E7349D81CBA0

Function 0082D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0082D13A

Strings

|, xrefs: 0082D10B

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e6bdfb16a3302687b4c644f36a6cbc6ef092c59fb416fecf6aec27b1ca3c13bc
Instruction ID: 90cb027f29bb1966fd41cade51f9b97d776b7f7d4da69dfbe65080a66a028a56
Opcode Fuzzy Hash: e6bdfb16a3302687b4c644f36a6cbc6ef092c59fb416fecf6aec27b1ca3c13bc
Instruction Fuzzy Hash: DA313D71D00219EBCF15EFA4DC89AEEBFB9FF04304F100019F915A61A2E735AA56CB50

Function 0084356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00843621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0084365C

Strings

static, xrefs: 008435BC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 688bd237000074de105d2383361a3d5fd7f51f6e6472c3abcd8a4bde059f4084
Instruction ID: b38273474efd00566f789cc8dc224cdf0dea4106e98ef89d1b150c0d8388403b
Opcode Fuzzy Hash: 688bd237000074de105d2383361a3d5fd7f51f6e6472c3abcd8a4bde059f4084
Instruction Fuzzy Hash: 2E318B71100208AEDB109F28DC81FFB73A9FF98724F01961DF9A5D7280DA34AD91D760

Function 00844537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0084461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00844634

Strings

', xrefs: 0084458E

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ddc320d0b2ac1850c42bd35a704b1aa1591d15bcea3de07d3f71126650ad9518
Instruction ID: c4464c42456f18ed92abcffdef0fb7452e3bce76c10ba5e013144f27457a82e5
Opcode Fuzzy Hash: ddc320d0b2ac1850c42bd35a704b1aa1591d15bcea3de07d3f71126650ad9518
Instruction Fuzzy Hash: C1311674A0120A9FEF14CFA9C981BDABBB5FB09304F11516AE904EB341E770A941CF90

Function 008431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0084327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00843287

Strings

Combobox, xrefs: 00843249

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0f3fc38bb4fa408a60f52cc42f8321a926c22700b88828db42fa5a3438f93434
Instruction ID: 56c278f566167a7f9c7c240396078fed9a4896da22fac78da8aee52565d0a99f
Opcode Fuzzy Hash: 0f3fc38bb4fa408a60f52cc42f8321a926c22700b88828db42fa5a3438f93434
Instruction Fuzzy Hash: C811E27130021CBFFF219E54DC84EBB376AFB94365F104129F918E7290D6B19D518760

Function 00843710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007B604C
Part of subcall function 007B600E: GetStockObject.GDI32(00000011), ref: 007B6060
Part of subcall function 007B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007B606A

GetWindowRect.USER32(00000000,?), ref: 0084377A
GetSysColor.USER32(00000012), ref: 00843794

Strings

static, xrefs: 00843757

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 98fb6cb6d2af43dfd6a7543cab4fda905cac549e0ee2f579513fbce18c972d3e
Instruction ID: bdebe9097ade9d6eb677833f92052c27917069f6c898326c9138d3eaf3068594
Opcode Fuzzy Hash: 98fb6cb6d2af43dfd6a7543cab4fda905cac549e0ee2f579513fbce18c972d3e
Instruction Fuzzy Hash: 1A1114B2610209AFDB00DFA8CC46AEA7BB8FB19314F014925F995E2250EB35E8519B60

Function 0082CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0082CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0082CDA6

Strings

<local>, xrefs: 0082CD66

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7546942a85d1c6e1dbfb562718d782b7ccfa52b5ba45c7ef3892fb5f4ae9eb21
Instruction ID: 866c55de97b99e9a797e4d49d9dd54627f7970ff85f50d424ab671f10b64b5c5
Opcode Fuzzy Hash: 7546942a85d1c6e1dbfb562718d782b7ccfa52b5ba45c7ef3892fb5f4ae9eb21
Instruction Fuzzy Hash: CF11C675205635BAE7744B669C45EFBBE6CFF127A8F004226B109C3180D7749885D6F0

Function 00843429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008434BA

Strings

edit, xrefs: 0084348F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0b05aa99c5084f3edc06199eae86ab3daaf553215719654eefe4616b8dbdac49
Instruction ID: 5ffc070907786c82c05a7ef23b8bbafb895468806aa7979e660796b310a58703
Opcode Fuzzy Hash: 0b05aa99c5084f3edc06199eae86ab3daaf553215719654eefe4616b8dbdac49
Instruction Fuzzy Hash: 1E118C7120020CABEB129E68DC44AEB3B6EFB25378F504324FA65D31E0C775DD519B68

Function 00816C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00816CB6
_wcslen.LIBCMT ref: 00816CC2

Strings

STOP, xrefs: 00816CBC, 00816CC1

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 0de969964638197b9059f1a4e327ba514083c316271e4de17f6dedfea8ee5a6e
Instruction ID: fe1d592cee2147167a732a5a081b95cd2af626aef173e5642108d64bb8716bb8
Opcode Fuzzy Hash: 0de969964638197b9059f1a4e327ba514083c316271e4de17f6dedfea8ee5a6e
Instruction Fuzzy Hash: 2001C832A005268BCB209FBDDC859FF77B9FF617147500524E9A2D6194FB35D990C690

Function 00811CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00811D4C

Strings

ComboBox, xrefs: 00811CEB
ListBox, xrefs: 00811D16

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 44c664b64b4fc40eae469592dcfb40b3089f4f476fe2ffc8a953e8b8bd079b3f
Instruction ID: 355a8ff5885acc09cf363920a7c1f8545435a2eda2ff57a6f7f2e6c743d8a9b7
Opcode Fuzzy Hash: 44c664b64b4fc40eae469592dcfb40b3089f4f476fe2ffc8a953e8b8bd079b3f
Instruction Fuzzy Hash: 3E01D875601218AB8F04EBA4DC59DFE776CFF56350B140519FA36A73C1EA345948C660

Function 00811BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00811C46

Strings

ComboBox, xrefs: 00811BE5
ListBox, xrefs: 00811C10

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: afcc4f6516009f8c547af5e5925e11f1a9e452c6337d5b4a97c9769845ccd119
Instruction ID: 3dbd65f795c5e87bdaf3cc0415f2a458daab8c1434daee9773a16fab64a6404e
Opcode Fuzzy Hash: afcc4f6516009f8c547af5e5925e11f1a9e452c6337d5b4a97c9769845ccd119
Instruction Fuzzy Hash: 24016775781108A7CF14EBA4C959AFFB7ACFF15340F140019BA27B7281EA649E48D6F1

Function 00811C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00811CC8

Strings

ComboBox, xrefs: 00811C69
ListBox, xrefs: 00811C94

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c929876f72f8c983fd04f0f3843675249c88346ce7b9cad841efd8ec880a2e34
Instruction ID: af2df4fd33fa047b78ba71b34cd1b64b27c7ef02900a72a847b160a2c4dac923
Opcode Fuzzy Hash: c929876f72f8c983fd04f0f3843675249c88346ce7b9cad841efd8ec880a2e34
Instruction Fuzzy Hash: 16016775641118A7CF14E7A4CA59AFE77ACFF11340B540015BA16F3281EA659F48C6F1

Function 00811D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B9CB3: _wcslen.LIBCMT ref: 007B9CBD

Part of subcall function 00813CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00813CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00811DD3

Strings

ComboBox, xrefs: 00811D75
ListBox, xrefs: 00811DA0

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9cad59d8d61aa57293a647d1a203afce2228bac2b7668dd5f16f7051381456e
Instruction ID: 8ed1e5e2453ce5bfbb9405e2f0c8d69b5130a39d5efa73596a3fa99c785b1b4a
Opcode Fuzzy Hash: b9cad59d8d61aa57293a647d1a203afce2228bac2b7668dd5f16f7051381456e
Instruction Fuzzy Hash: C7F0A471A41218A7DF04E7A4DC9ABFE776CFF02354F140919BA36E32C1EA64994882A1

Function 0083747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00837493
_wcslen.LIBCMT ref: 008374B9

Strings

3, 3, 16, 1, xrefs: 00837483

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9f12e271cb67e940d73a0713f41820832bd969109cbe90b71bf67f98d2b41939
Instruction ID: dc864e4d952e30fa594f8c27769b698985bfc8a4d0c7135bbed5b46ae303ab39
Opcode Fuzzy Hash: 9f12e271cb67e940d73a0713f41820832bd969109cbe90b71bf67f98d2b41939
Instruction Fuzzy Hash: 91E06182305320719331137BDCC597F5699EFC9750B10182BF9C5C236AFAA8ED9193E5

Function 00810B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00810B23

Strings

Error allocating memory., xrefs: 00810B1C
AutoIt, xrefs: 00810B17

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0e0eeba441f5d5ca36342d55727677013595dadd99b6875fa6285fd5ba0b5588
Instruction ID: a4b8b483dcb5d5ef85070187c6243648818fb49017b1517cb1003bd9dc536497
Opcode Fuzzy Hash: 0e0eeba441f5d5ca36342d55727677013595dadd99b6875fa6285fd5ba0b5588
Instruction Fuzzy Hash: C9E0923128931876D2102694BC07F897B88EF05B20F10442AF798955C38AE9649046E9

Function 007D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007D0D71,?,?,?,007B100A), ref: 007CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007B100A), ref: 007D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007B100A), ref: 007D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007D0D7F

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e547f1605994cf4680165de67cd9b24f8a37a5bb0e7f236ba47e2b23c8bf0abc
Instruction ID: a4fdf2cc0019c5a3ee43742a9bfa33ad10526c74e515400b607aa2db2b9dba03
Opcode Fuzzy Hash: e547f1605994cf4680165de67cd9b24f8a37a5bb0e7f236ba47e2b23c8bf0abc
Instruction Fuzzy Hash: E7E06D742003118BD3609FB8E4087427BF5BB04741F00492EE482C6752DBF8E444CBE1

Function 00823017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0082302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00823044

Strings

aut, xrefs: 00823038

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 33406ae8aef0cf0af239201b697ae239ba2021ab5c21085c1b2a3ce0146b08ef
Instruction ID: e81a3babe13f0b0b7251f081ce54f30b2f972fbd36cee2666586f44e4729a2d9
Opcode Fuzzy Hash: 33406ae8aef0cf0af239201b697ae239ba2021ab5c21085c1b2a3ce0146b08ef
Instruction Fuzzy Hash: 98D05E7650133867DA60A7A4AC4EFCB7B6CEB05750F0002A1B655E2091EAF4D984CAD4

Function 0080D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0080D220

Strings

%.3d, xrefs: 0080D22B
X64, xrefs: 0080D2A8

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 7110b61ffbe97b82b312c7f374fa5a5703d167400860c87300c3b0d261b88ea1
Instruction ID: df0cb18d1ddec9aa742374055d307fbc4bcf8584641ed9bd7d9ab1f796f90e1b
Opcode Fuzzy Hash: 7110b61ffbe97b82b312c7f374fa5a5703d167400860c87300c3b0d261b88ea1
Instruction Fuzzy Hash: 5BD012A180931CEACBD096E0CC49DB9B37CFB18305F508466F80AD1080D768E948AB61

Function 00842322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0084233F

Part of subcall function 0081E97B: Sleep.KERNEL32 ref: 0081E9F3

Strings

Shell_TrayWnd, xrefs: 00842325

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c8576065b501445a9aae6b6921dc2c580df56daef686a73fc5c60daae4d3c665
Instruction ID: 936b23977f1e719fe3cf86902c85832c08ded0b433b843a78ac64a7cf2d884d5
Opcode Fuzzy Hash: c8576065b501445a9aae6b6921dc2c580df56daef686a73fc5c60daae4d3c665
Instruction Fuzzy Hash: 20D0A93A381300B6E2E8A7309C0FFCA6A18BB00B00F018A06770AEA1D0C8A4A801CA00

Function 00842356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084236C
PostMessageW.USER32(00000000), ref: 00842373

Part of subcall function 0081E97B: Sleep.KERNEL32 ref: 0081E9F3

Strings

Shell_TrayWnd, xrefs: 00842365

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4e1c624e1da4bd6ac43389eddc581ab89d77dc7f6dae138402ec877548a2774a
Instruction ID: 2d36e448977bbaa1e62ed39db9f3ddd06f4e3404d43831596448da2c508375ae
Opcode Fuzzy Hash: 4e1c624e1da4bd6ac43389eddc581ab89d77dc7f6dae138402ec877548a2774a
Instruction Fuzzy Hash: A6D0A9363823007AE2E8A7309C0FFCA6A18BB01B00F018A06770AEA1D0C8A4A801CA04

Function 007EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 007EBE93
GetLastError.KERNEL32 ref: 007EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007EBEFC

Memory Dump Source

Source File: 00000001.00000002.1293408586.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1293381407.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.000000000084C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293528650.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293654675.000000000087C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1293707942.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7b6ada164a8ca295b88806f991881dc366a0924043faf2c6e5892e392aa0dff9
Instruction ID: 6ab9e0bb520bff7adada0835ff20473fbf7aa37c125d7e425345c7e21e527321
Opcode Fuzzy Hash: 7b6ada164a8ca295b88806f991881dc366a0924043faf2c6e5892e392aa0dff9
Instruction Fuzzy Hash: 5341D735602286EFCF218FA6CC84ABB7FA5AF49310F144169F959972A1DB349D01DB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000007.00000003.1453141327.000025DA71E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1354528903.0000021C1387D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1453141327.000025DA71E03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1335981919.0000021C1476E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1450978155.00001E056B303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1450978155.00001E056B303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1475709484.0000021C14B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1464967159.0000021C1B18C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1467252079.0000021C15129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1475709484.0000021C14B4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1440923336.0000021C1B3B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1464967159.0000021C1B18C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1327098847.0000021C1326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1477916191.0000021C14732000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1467252079.0000021C15129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.2542300904.000001A235A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2542300904.000001A235A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000002.2542300904.000001A235A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2543014174.000001B566C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1464967159.0000021C1B18C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1481179182.0000021C1B18D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://7d71fa77-151c-427a-99c7-e68aa2a1f821/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1475709484.0000021C14B4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1461022112.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1416317633.0000021C16A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1450607533.0000171A9D003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1450331890.00000121D7503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000007.00000003.1461329736.0000021C16B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1464967159.0000021C1B18C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1461022112.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000003.1481179182.0000021C1B1DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000007.00000003.1440923336.0000021C1B3E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.11:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.11:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.48:443 -> 192.168.2.11:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.11:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:62889 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62877
Source: unknown	Network traffic detected: HTTP traffic on port 62878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62880
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62881
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62890
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 62876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d3450d45-af27-4057-91d8-01ac5afd9f15.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d3450d45-af27-4057-91d8-01ac5afd9f15.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre