Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528585
MD5:	924783f66ec78c390df83e006b84a1cd
SHA1:	595a7c09bdde702a0eb3bacb16c5f0c4d3abb548
SHA256:	8dac1f7daa6011af24aa06f24419d13c0ba6d9cd128dbcd6f14d0ac04acbfba0
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3712 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 924783F66EC78C390DF83E006B84A1CD)

firefox.exe (PID: 4900 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3840 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5372 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5955411b-aca1-456f-b449-7b3f372f43c5} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272dc46d910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7256 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3764 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70f343f-4b14-423d-8c43-c25c18d31a8c} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ee5fab10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7340 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4844 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2e6e33-e591-45c7-bba4-77c5e44e0230} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ecfab310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3712	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00FEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FEED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FDAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01009576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01009576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1242777506.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64d59a5f-4
Source: file.exe, 00000000.00000000.1242777506.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_de76ea40-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c38a74e5-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1fdc9630-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C8457577 NtQuerySystemInformation,		10_2_00000179C8457577
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C89EBC72 NtQuerySystemInformation,		10_2_00000179C89EBC72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FDD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FDE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F78060	0_2_00F78060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE2046	0_2_00FE2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8298	0_2_00FD8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAE4FF	0_2_00FAE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA676B	0_2_00FA676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01004873	0_2_01004873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7CAF0	0_2_00F7CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9CAA0	0_2_00F9CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8CC39	0_2_00F8CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA6DD9	0_2_00FA6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F791C0	0_2_00F791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8B119	0_2_00F8B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91394	0_2_00F91394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91706	0_2_00F91706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9781B	0_2_00F9781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F919B0	0_2_00F919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8997D	0_2_00F8997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F77920	0_2_00F77920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F97A4A	0_2_00F97A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F97CA7	0_2_00F97CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91C77	0_2_00F91C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9EEE	0_2_00FA9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFBE44	0_2_00FFBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91F32	0_2_00F91F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C8457577	10_2_00000179C8457577
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C89EBC72	10_2_00000179C89EBC72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C89EBCB2	10_2_00000179C89EBCB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 10_2_00000179C89EC39C	10_2_00000179C89EC39C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F8F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F90A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F79CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@19/34@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE37B5 GetLastError,FormatMessageW,

0_2_00FE37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FD10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FD16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FE51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FDD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FE648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F742A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5955411b-aca1-456f-b449-7b3f372f43c5} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272dc46d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3764 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70f343f-4b14-423d-8c43-c25c18d31a8c} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ee5fab10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4844 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2e6e33-e591-45c7-bba4-77c5e44e0230} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ecfab310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5955411b-aca1-456f-b449-7b3f372f43c5} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272dc46d910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3764 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70f343f-4b14-423d-8c43-c25c18d31a8c} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ee5fab10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4844 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2e6e33-e591-45c7-bba4-77c5e44e0230} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ecfab310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000004.00000003.1444211596.00000272F0901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.4.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000004.00000003.1470958622.00000272EBC66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000004.00000003.1473414450.00000272EBC60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 00000004.00000003.1474437372.00000272EBC60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000004.00000003.1470958622.00000272EBC66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.4.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000004.00000003.1444211596.00000272F0901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 00000004.00000003.1474437372.00000272EBC60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000004.00000003.1473414450.00000272EBC60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 00000004.00000003.1472798146.00000272EFCFB000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: gmpopenh264.dll.tmp.4.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90A76 push ecx; ret

0_2_00F90A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F8F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01001C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97449

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 10_2_00000179C8457577 rdtsc

10_2_00000179C8457577

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: firefox.exe, 0000000A.00000002.2517405307.00000179C88E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 0000000A.00000002.2517405307.00000179C88E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: firefox.exe, 00000007.00000002.2517532404.0000021F2EA00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2512564251.0000021F2E52A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2517405307.00000179C88E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2511069530.00000179C806A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2516412063.000002F3B1D70000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2511218879.000002F3B195A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000007.00000002.2516881759.0000021F2E91A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000007.00000002.2517532404.0000021F2EA00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2517405307.00000179C88E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 10_2_00000179C8457577 rdtsc

10_2_00000179C8457577

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEEAA2 BlockInput,

0_2_00FEEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FA2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F94CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F94CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FD0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F909D5 SetUnhandledExceptionFilter,	0_2_00F909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F90C21

Source: C:\Users\user\Desktop\file.exe

0_2_00FD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDB226 SendInput,keybd_event,

0_2_00FDB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FF22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00FD0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FD1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90698 cpuid

0_2_00F90698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FE8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FCD27A GetUserNameW,

0_2_00FCD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FAB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3712, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3712, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FF1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.23	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	216.58.212.174	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2513438180.000002F3B1CC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 00000004.00000003.1455921038.00000272F459F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000004.00000003.1471636161.00000272F7439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1434861338.00000272F7439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1424237944.00000272ED213000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1416450721.00000272F7494000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1424701104.00000272ED215000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.4.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000004.00000003.1381080738.00000272F4838000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htT2	firefox.exe, 00000011.00000002.2516108607.000002F3B1D60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000007.00000002.2514367516.0000021F2E872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C8F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/	firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000004.00000003.1456180449.00000272F459A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1456321327.00000272F4574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1315277499.00000272F457D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 00000004.00000003.1423385613.00000272F47D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1430990852.00000272F47D9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000004.00000003.1270397310.00000272EC040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270759352.00000272EC07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270035706.00000272EBE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270194313.00000272EC021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270566172.00000272EC060000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000004.00000003.1416981382.00000272F5AFC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000004.00000003.1421831374.00000272F49B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1429640321.00000272F49CA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000004.00000003.1323066148.00000272F45A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270759352.00000272EC07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270035706.00000272EBE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270194313.00000272EC021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270566172.00000272EC060000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 00000004.00000003.1308575915.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1489791258.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1459408794.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000004.00000003.1270397310.00000272EC040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270035706.00000272EBE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270194313.00000272EC021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270566172.00000272EC060000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/	firefox.exe, 00000004.00000003.1459873550.00000272EED6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1489791258.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1459408794.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1309189038.00000272EE690000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000004.00000003.1455501812.00000272F45FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000004.00000003.1425817639.00000272F8078000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000004.00000003.1439468571.00000272F7F4D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 00000004.00000003.1366704328.00000272F5391000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000004.00000003.1421831374.00000272F49B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1429640321.00000272F49CA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000004.00000003.1402144919.00000272E827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1487084534.00000272E827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488119855.00000272E827D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000004.00000003.1369354377.00000272ED411000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.bbc.co.uk/	firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000004.00000003.1439468571.00000272F7F40000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2513438180.000002F3B1CC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000004.00000003.1368528045.00000272ECCA4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000004.00000003.1333193068.00000272F5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1332588697.00000272F522B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mo	firefox.exe, 00000004.00000003.1439468571.00000272F7F4D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.4.dr	false		unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000007.00000002.2514367516.0000021F2E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C83EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2516622803.000002F3B1F05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.4.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000004.00000003.1429640321.00000272F49CA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000004.00000003.1458953745.00000272F4166000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1433804096.00000272F4163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1318196373.00000272F414F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C13000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.iqiyi.com/	firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/CN=The	firefox.exe, 00000011.00000002.2513438180.000002F3B1C13000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000004.00000003.1395131678.00000272F5240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1377332290.00000272EFDE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1411097172.00000272F523A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1370412487.00000272EE08A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1429986956.00000272F49A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1411015794.00000272F52AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1276566374.00000272ED232000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1473942067.00000272F53A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1461362790.00000272EE690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1442691995.00000272EE786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1279886000.00000272EC5DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1410165137.00000272F5240000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1445029427.00000272EC52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1397362719.00000272F5204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1482134850.00000272EC004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1333193068.00000272F5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1485123753.00000272ED25B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1371452146.00000272EC58B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1379041877.00000272F538E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1311872772.00000272F4981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1444976844.00000272ED224000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 00000004.00000003.1308575915.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1489791258.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1459408794.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 00000004.00000003.1308575915.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1489791258.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1459408794.00000272EEDD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.4.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 00000004.00000003.1433077659.00000272F4256000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	firefox.exe, 00000004.00000003.1310351805.00000272F4A0E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000004.00000003.1310351805.00000272F4A0E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000004.00000003.1381080738.00000272F4838000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000004.00000003.1421831374.00000272F49B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1429640321.00000272F49CA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000004.00000003.1457317035.00000272F4381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F4381000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000004.00000003.1421831374.00000272F49B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1429640321.00000272F49CA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000004.00000003.1274292994.00000272EB81E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1273023719.00000272EB833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1274733508.00000272EB833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1424857415.00000272EB82A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1445446086.00000272EB82A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000004.00000003.1369146072.00000272ECC9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 00000004.00000003.1428801439.00000272F5AA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1417340320.00000272F5AA3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000004.00000003.1433804096.00000272F4186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1440150920.00000272F418B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1318196373.00000272F4186000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000004.00000003.1369354377.00000272ED411000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1368528045.00000272ECCA4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000004.00000003.1402144919.00000272E827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1487084534.00000272E827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488119855.00000272E827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1274292994.00000272EB81E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1273023719.00000272EB833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1274733508.00000272EB833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1424857415.00000272EB82A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1445446086.00000272EB82A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htt#	file.exe, 00000000.00000003.1263592629.00000000015EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1263645790.00000000015F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1264470771.00000000015F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.	firefox.exe, 00000004.00000003.1326382065.00000272ED8CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000004.00000003.1439468571.00000272F7F40000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000004.00000003.1310351805.00000272F4AD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.co.uk/	firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000004.00000003.1459873550.00000272EED62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://screenshots.firefox.com/	firefox.exe, 00000004.00000003.1270566172.00000272EC060000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 00000004.00000003.1309469333.00000272ED5E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1335344208.00000272F5337000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1388299354.00000272F5337000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1334314318.00000272F5327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431326895.00000272F476A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270397310.00000272EC040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270759352.00000272EC07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270035706.00000272EBE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270194313.00000272EC021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1270566172.00000272EC060000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000007.00000002.2514367516.0000021F2E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C83EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2516622803.000002F3B1F05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.4.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000007.00000002.2513627958.0000021F2E680000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2512657067.00000179C81C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2515983485.000002F3B1D00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.23	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528585
Start date and time:	2024-10-08 03:21:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@19/34@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 39 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.242.27.108, 44.238.148.23, 44.224.63.42, 142.250.185.202, 142.250.74.202, 142.250.185.238, 2.22.61.56, 2.22.61.59, 142.250.181.238
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:22:21	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
52.222.236.23	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	7U5e5iJPJ0.exe	Get hash	malicious	Unknown	Browse
	duMykqEsmt.exe	Get hash	malicious	Unknown	Browse
	VlmNuDYKAv.exe	Get hash	malicious	Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	52.222.236.23
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.80
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.120
	file.exe	Get hash	malicious	Unknown	Browse	52.222.236.80
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	http://kendellseafoods.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	DocuSign-Docx.pdf	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	157.240.251.35
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://patjimmy323.wixsite.com/my-site-1/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	34.117.162.98
	http://pub-f3922f20d4c74ba1869fd3db906e3295.r2.dev/gsecondcheck.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	http://jamesfortune619.wixsite.com/my-site-4/	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://emaildlatt-mailcom-28e2uy93.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	http://pan4477.onrender.com/	Get hash	malicious	Unknown	Browse	34.117.59.81
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	51.250.99.224
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	48.131.111.170
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	51.65.109.90
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	34.44.37.101
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	51.250.99.224
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	48.131.111.170
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	51.65.109.90
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	34.44.37.101
AMAZON-02US	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	http://pay.christinagstewart.com/	Get hash	malicious	Unknown	Browse	18.245.86.11
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ==	Get hash	malicious	Unknown	Browse	108.138.7.53
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	35.157.212.223
	https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ==	Get hash	malicious	Unknown	Browse	54.70.225.16
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	108.156.46.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	me.zip	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8bc7c5a3-f070-47e0-8b7b-d9fdd475f173.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177321817075484
Encrypted:	false
SSDEEP:	192:VMvMi6kvcbhbVbTbfbRbObtbyEl7nYrBJA6unSrDtTkd/S9PC:VFWcNhnzFSJ4r81nSrDhkd/cPC
MD5:	AF4037D0BC34176A31F9CC615F156906
SHA1:	50AC4796AC2F021F426B2BDAEB330B3847FE7D4E
SHA-256:	58D7BE055CE5930B88BFC5B79677B126CB726322A5C1DE79D5B890EE511D29E6
SHA-512:	C0EDFDB473CDA310081B2B539899DAC12749B34364FC61BB642306D7E903E303327C3C71EAAF28E6BFDB7CEF4FF425F2B935D52D28597DBEA5881ACBF339057B
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"8bc7c5a3-f070-47e0-8b7b-d9fdd475f173","creationDate":"2024-10-08T02:56:58.382Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8bc7c5a3-f070-47e0-8b7b-d9fdd475f173.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177321817075484
Encrypted:	false
SSDEEP:	192:VMvMi6kvcbhbVbTbfbRbObtbyEl7nYrBJA6unSrDtTkd/S9PC:VFWcNhnzFSJ4r81nSrDhkd/cPC
MD5:	AF4037D0BC34176A31F9CC615F156906
SHA1:	50AC4796AC2F021F426B2BDAEB330B3847FE7D4E
SHA-256:	58D7BE055CE5930B88BFC5B79677B126CB726322A5C1DE79D5B890EE511D29E6
SHA-512:	C0EDFDB473CDA310081B2B539899DAC12749B34364FC61BB642306D7E903E303327C3C71EAAF28E6BFDB7CEF4FF425F2B935D52D28597DBEA5881ACBF339057B
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"8bc7c5a3-f070-47e0-8b7b-d9fdd475f173","creationDate":"2024-10-08T02:56:58.382Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.943613146452711
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLMsR8P:8S+Oc+UAOdwiOdKeQjDLMsR8P
MD5:	978772B0D2CF8A61326CA62DCA364BB5
SHA1:	1C8288792E9EB6FDF500C75BB808FED54C419BB4
SHA-256:	833E78C656B62F9A41C2CBD627991949F40CA2CA2754F4180DD447B18D300753
SHA-512:	83204A3D4A42D5D3F7F45300FC562C3328A88FB5F4AED8DA28383B8018EB02CECC440A66B55177427F2CD44C091DA3BD4DEAC5E7DD504C38D272CE2422253C46
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.943613146452711
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLMsR8P:8S+Oc+UAOdwiOdKeQjDLMsR8P
MD5:	978772B0D2CF8A61326CA62DCA364BB5
SHA1:	1C8288792E9EB6FDF500C75BB808FED54C419BB4
SHA-256:	833E78C656B62F9A41C2CBD627991949F40CA2CA2754F4180DD447B18D300753
SHA-512:	83204A3D4A42D5D3F7F45300FC562C3328A88FB5F4AED8DA28383B8018EB02CECC440A66B55177427F2CD44C091DA3BD4DEAC5E7DD504C38D272CE2422253C46
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07315978111851629
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiK:DLhesh7Owd4+jiK
MD5:	47F7A4F92705A2DB4D72487E87EFA858
SHA1:	AE86603397542048C3530FDD550453B37876AB61
SHA-256:	721B2A4122DC9132004EF43271D034E3C457F709D90574071CB5305C139D4A31
SHA-512:	B235C4C534D6AF11B9DE90F303C20A5D3EA5725AFF7E21B21C297CE9953A42353AE6D390F65A65882A09E5C2055E41DEFD4850D585E7D24ACC89A604DE73B3A2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	6:GtWtoVQgnT7Oy4tWtoVQgnT7OqXJ89XuM:aQQOy4DQQOqZsuM
MD5:	D83758015DB7C1FDC19C127C2B96E356
SHA1:	AA07B573DE57071E7A7D5D2F81EA1EA9E6D3AA5C
SHA-256:	FFC240CC9C7BCB5F516817507879C61FED8355E567C67D1583AB89447B606CDD
SHA-512:	DFA2D5D4C218C0F241BA13B8F14223FC1594BE5377630A3E52066BB1F012C3289B62EF8F90F661FD668272D47BFF57B53B908834F0740FBA222092BB17C43790
Malicious:	false
Preview:	..-........................E@ .`GI...x.G..N!7.J...-........................E@ .`GI...x.G..N!7.J.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03950492520760278
Encrypted:	false
SSDEEP:	3:Ol1lo1/yisiL0nhf4wl8rEXsxdwhml8XW3R2:Kjoshwwl8dMhm93w
MD5:	5A8D55C4B62B62ED35089FCEFC52021B
SHA1:	94D032699DDA5487369F19F93BEE540BE226CC5C
SHA-256:	FA978AF443CB684EF174281191E30E6950C6AD0704A33B38E71EF7D454D24B90
SHA-512:	44659FC9D7DD93907B9E970E46162BD1CA546D6254120CB39F34D97395DD2F0F75DBC5A6F4682A41F04E5F1F1A904EB5E97E55C0A5C69E72BCCD8206F5E67992
Malicious:	false
Preview:	7....-..........GI...x.G..LZ............GI...x.GE...`. @................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	modified
Size (bytes):	13214
Entropy (8bit):	5.479342900375355
Encrypted:	false
SSDEEP:	192:l8nSRkyYbBp66qUCaXh6VhXNMcc5RHNBw8d+nSl:TeFqUwP9MJPwv0
MD5:	8D592C6BCCAE56FCB853CF80E8F8ED12
SHA1:	ABFE08CAE443EF072F9A61D5F59C208F65F3653B
SHA-256:	FCFC980A78DA7B61DACE51BA8F65E884F4BC04CF7095E3379FD6680AC708E963
SHA-512:	742E39E3C92267D5F82AE2BEE281EFA8B42C454E441BDCC13DAF06CF4D3258A6DC97801D88FE1DBBE0D0F4C9E631272AD54298CDDA372749D8AED93FA8494230
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728356189);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728356189);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728356189);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172835

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.479342900375355
Encrypted:	false
SSDEEP:	192:l8nSRkyYbBp66qUCaXh6VhXNMcc5RHNBw8d+nSl:TeFqUwP9MJPwv0
MD5:	8D592C6BCCAE56FCB853CF80E8F8ED12
SHA1:	ABFE08CAE443EF072F9A61D5F59C208F65F3653B
SHA-256:	FCFC980A78DA7B61DACE51BA8F65E884F4BC04CF7095E3379FD6680AC708E963
SHA-512:	742E39E3C92267D5F82AE2BEE281EFA8B42C454E441BDCC13DAF06CF4D3258A6DC97801D88FE1DBBE0D0F4C9E631272AD54298CDDA372749D8AED93FA8494230
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728356189);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728356189);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728356189);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172835

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3445494143884575
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSU1IkLXnIg56f/pnxQwRlszT5sKhis3eHVVPNZTkamhuj3oGOGHb2+:GUpOx9+kR6ZnR6b3etZTk4YGudhad
MD5:	71AF9A913C84E6537793095564925AC3
SHA1:	74A7653FFC5D4DDF7C237DB352DB52E01F0265BC
SHA-256:	87C373B77935638C13D390007F805CCCCA1D5EF26FF80C7033AF0994FF29B46E
SHA-512:	85E266AFD1111660239C8CDD5488AA14E497589A2C9FBB1110F71652C0C08D11471FDE397CB4BB02D02502A922C99AF2F37921B71AAC57D3B9F03C6DA59514BA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{63de2b0e-4742-46aa-98b6-93971139bc28}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728356192748,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P58075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...68224,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3445494143884575
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSU1IkLXnIg56f/pnxQwRlszT5sKhis3eHVVPNZTkamhuj3oGOGHb2+:GUpOx9+kR6ZnR6b3etZTk4YGudhad
MD5:	71AF9A913C84E6537793095564925AC3
SHA1:	74A7653FFC5D4DDF7C237DB352DB52E01F0265BC
SHA-256:	87C373B77935638C13D390007F805CCCCA1D5EF26FF80C7033AF0994FF29B46E
SHA-512:	85E266AFD1111660239C8CDD5488AA14E497589A2C9FBB1110F71652C0C08D11471FDE397CB4BB02D02502A922C99AF2F37921B71AAC57D3B9F03C6DA59514BA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{63de2b0e-4742-46aa-98b6-93971139bc28}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728356192748,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P58075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...68224,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.3445494143884575
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSU1IkLXnIg56f/pnxQwRlszT5sKhis3eHVVPNZTkamhuj3oGOGHb2+:GUpOx9+kR6ZnR6b3etZTk4YGudhad
MD5:	71AF9A913C84E6537793095564925AC3
SHA1:	74A7653FFC5D4DDF7C237DB352DB52E01F0265BC
SHA-256:	87C373B77935638C13D390007F805CCCCA1D5EF26FF80C7033AF0994FF29B46E
SHA-512:	85E266AFD1111660239C8CDD5488AA14E497589A2C9FBB1110F71652C0C08D11471FDE397CB4BB02D02502A922C99AF2F37921B71AAC57D3B9F03C6DA59514BA
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{63de2b0e-4742-46aa-98b6-93971139bc28}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728356192748,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P58075...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...68224,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036687861544399
Encrypted:	false
SSDEEP:	96:ycWS6+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27:zRTEr5a3hzFChRe
MD5:	6A63E26B2DB6BA53686022AAEA42EC85
SHA1:	6156AD8EDC3B2273C4415EB9D874827FB7F3ED39
SHA-256:	BC500A39C32A731D69061F66B6B4F6A3A73795F215F7946DBBC45377875A38EB
SHA-512:	46F924F4FC44098DEFD158B61BD715B64F5A7504BE321EC438E7D59C1FC24AECD8C7E5D8597F6AE16A6E0AD047379695A09FE72D53843C2FE0252FB81D73E8CF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T02:56:16.079Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036687861544399
Encrypted:	false
SSDEEP:	96:ycWS6+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27:zRTEr5a3hzFChRe
MD5:	6A63E26B2DB6BA53686022AAEA42EC85
SHA1:	6156AD8EDC3B2273C4415EB9D874827FB7F3ED39
SHA-256:	BC500A39C32A731D69061F66B6B4F6A3A73795F215F7946DBBC45377875A38EB
SHA-512:	46F924F4FC44098DEFD158B61BD715B64F5A7504BE321EC438E7D59C1FC24AECD8C7E5D8597F6AE16A6E0AD047379695A09FE72D53843C2FE0252FB81D73E8CF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T02:56:16.079Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583714281030562
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	924783f66ec78c390df83e006b84a1cd
SHA1:	595a7c09bdde702a0eb3bacb16c5f0c4d3abb548
SHA256:	8dac1f7daa6011af24aa06f24419d13c0ba6d9cd128dbcd6f14d0ac04acbfba0
SHA512:	446b6cd623928428a9ac3882b779cffae07cbc5f8acfc39cfefeef36d5c49587ece301cd5dc1cffb149f1b1e0f1dbfffd5daf7077305c1f6865645c958e19f7e
SSDEEP:	12288:nqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga3TD:nqDEvCTbMWu7rQYlBQcBiT6rprG8ajD
TLSH:	F5159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67048852 [Tue Oct 8 01:18:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0778BE4983h
jmp 00007F0778BE428Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0778BE446Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0778BE443Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0778BE702Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0778BE7078h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0778BE7061h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bd0	0x9c00	d33bd0f5a12630abf0f4b9ec95e4283e	False	0.31720753205128205	data	5.330331905207604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xe96	data			1.0029459025174077
RT_GROUP_ICON	0xdd650	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd6dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd6f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd704	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd7e0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:22:15.984122038 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:15.984158993 CEST	443	49706	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:15.984903097 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:15.992603064 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:15.992613077 CEST	443	49706	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:15.993377924 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:15.993402004 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:15.994582891 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:15.994616985 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:15.995488882 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:15.996186972 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:15.996875048 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:15.996887922 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.001837015 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.001852989 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.014944077 CEST	49709	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:16.019679070 CEST	80	49709	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:16.019995928 CEST	49709	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:16.020144939 CEST	49709	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:16.025079966 CEST	80	49709	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:16.350933075 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.350986004 CEST	443	49710	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.352307081 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.353605986 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.353638887 CEST	443	49710	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.357002020 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:16.357031107 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:16.362663984 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:16.363250017 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:16.363272905 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:16.425395012 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.425435066 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.425616026 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.426805019 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.426821947 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.476067066 CEST	443	49706	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:16.476340055 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.481431961 CEST	80	49709	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:16.508384943 CEST	49709	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:16.513616085 CEST	80	49709	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:16.513863087 CEST	49709	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:16.514249086 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.514265060 CEST	443	49706	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:16.514414072 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.514491081 CEST	443	49706	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:16.514827013 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.514882088 CEST	49706	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.514904022 CEST	443	49713	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:16.514980078 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.516355038 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:16.516388893 CEST	443	49713	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:16.677728891 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.677809954 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.678322077 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.678415060 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.678724051 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.678802013 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.679023027 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.679414988 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.756037951 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.756067991 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.756146908 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.756715059 CEST	443	49707	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.758307934 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.758307934 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.758330107 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.758438110 CEST	49707	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.759031057 CEST	443	49708	142.250.185.78	192.168.2.7
Oct 8, 2024 03:22:16.761482000 CEST	49708	443	192.168.2.7	142.250.185.78
Oct 8, 2024 03:22:16.859549999 CEST	443	49710	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.859654903 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:16.861882925 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:16.862087965 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:16.967952967 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:16.968843937 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.002654076 CEST	443	49713	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:17.011176109 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:17.623408079 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:17.623435020 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:17.623758078 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:17.637423992 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.637506008 CEST	443	49710	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.637969017 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.638060093 CEST	443	49710	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.638073921 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:17.638238907 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:17.638257980 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:17.638269901 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:17.639161110 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.639198065 CEST	443	49714	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.640108109 CEST	49710	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.640253067 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.643419027 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.643434048 CEST	443	49714	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.647572041 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:17.647651911 CEST	443	49713	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:17.647689104 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:17.647841930 CEST	443	49713	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:17.648077011 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.648094893 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.648578882 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.648667097 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.648667097 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.648689032 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.648706913 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.654774904 CEST	49713	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:17.654819965 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.656229973 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:17.656249046 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.847419977 CEST	443	49711	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:17.849138021 CEST	49711	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:17.855427980 CEST	443	49712	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:17.857441902 CEST	49712	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.098064899 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.098263025 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.098520994 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.098568916 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.098997116 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.099133015 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.099139929 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.103327990 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.103341103 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.103427887 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.103540897 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.103540897 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.103631020 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.109791994 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.109802961 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.271949053 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.275404930 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.276932001 CEST	443	49714	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.278275013 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.278786898 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.278801918 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.279009104 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.279231071 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.279241085 CEST	443	49715	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.279320955 CEST	49715	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.281743050 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.281743050 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.281763077 CEST	443	49714	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.281934023 CEST	443	49714	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.282023907 CEST	49714	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.553880930 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.573219061 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.593080044 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.593158960 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.596573114 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.596580029 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.596839905 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.599441051 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.599458933 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.599613905 CEST	443	49719	34.160.144.191	192.168.2.7
Oct 8, 2024 03:22:18.599687099 CEST	49719	443	192.168.2.7	34.160.144.191
Oct 8, 2024 03:22:18.615407944 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.615407944 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.685890913 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.685920000 CEST	443	49720	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.686932087 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.688388109 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:18.688405991 CEST	443	49720	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:18.814878941 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:18.819899082 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.909790039 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:18.963179111 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:19.089366913 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:19.094959974 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:19.150378942 CEST	443	49720	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.150625944 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.155733109 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.155759096 CEST	443	49720	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.155852079 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.155913115 CEST	443	49720	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.156229019 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.156269073 CEST	443	49722	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.156317949 CEST	49720	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.156589031 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.157875061 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.157891035 CEST	443	49722	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.187252998 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:19.232815027 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:19.638323069 CEST	443	49722	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.638537884 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.644398928 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.644414902 CEST	443	49722	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.644490957 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:19.644546032 CEST	443	49722	34.117.188.166	192.168.2.7
Oct 8, 2024 03:22:19.644752979 CEST	49722	443	192.168.2.7	34.117.188.166
Oct 8, 2024 03:22:21.825503111 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:21.830274105 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:21.920572042 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:21.974884987 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:22.454081059 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:22.459454060 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:22.576457977 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:22.585705996 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:22.585751057 CEST	443	49735	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:22.586178064 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:22.587409973 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:22.587424040 CEST	443	49735	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:22.625380993 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:22.736864090 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:22.741767883 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:22.837522030 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:22.888401031 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:23.067233086 CEST	443	49735	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:23.067405939 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:23.072315931 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:23.072315931 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:23.072328091 CEST	443	49735	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:23.072472095 CEST	443	49735	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:23.073374987 CEST	49735	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:25.798228979 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:25.798268080 CEST	443	49756	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:25.799237967 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:25.801213980 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:25.801238060 CEST	443	49756	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:26.000216961 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:26.005480051 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:26.098500967 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:26.151429892 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:26.288347006 CEST	443	49756	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:26.288861036 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:26.294064999 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:26.294065952 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:26.294090986 CEST	443	49756	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:26.294298887 CEST	443	49756	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:26.295425892 CEST	49756	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:26.876363039 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:26.876410007 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:26.876589060 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:26.876748085 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:26.876760006 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:27.025176048 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:27.030055046 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.034598112 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:27.034636974 CEST	443	49768	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:27.034915924 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:27.036400080 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:27.036416054 CEST	443	49768	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:27.099244118 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:27.104149103 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.109071970 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:27.109107971 CEST	443	49770	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:27.109523058 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:27.111536980 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:27.111552954 CEST	443	49770	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:27.120429039 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.170118093 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:27.197140932 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.254848003 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:27.480983019 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:27.549686909 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.551369905 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:27.551450014 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:27.556452036 CEST	443	49768	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:27.556598902 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:27.617785931 CEST	443	49770	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:27.622966051 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:27.657231092 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:27.714232922 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:28.094856977 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:28.094885111 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:28.095916033 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:28.102564096 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:28.102790117 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:28.102955103 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.102974892 CEST	443	49763	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:28.103041887 CEST	443	49768	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:28.103074074 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.103106022 CEST	443	49770	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:28.103128910 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.103265047 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.103672981 CEST	443	49770	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:28.103756905 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.103780985 CEST	443	49777	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:28.103862047 CEST	49763	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:28.103887081 CEST	49770	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.104017019 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.104111910 CEST	443	49768	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:28.105899096 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.105909109 CEST	443	49777	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:28.106023073 CEST	49768	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.443000078 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:28.447846889 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:28.454351902 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.454390049 CEST	443	49779	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:28.456682920 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.459189892 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:28.459203005 CEST	443	49779	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:28.546060085 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:28.604377985 CEST	443	49777	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:28.604456902 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:28.608223915 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:28.934931993 CEST	443	49779	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:28.935005903 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:29.174931049 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:29.174971104 CEST	443	49777	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:29.175009012 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:29.175287008 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:29.175298929 CEST	443	49779	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:29.175312996 CEST	443	49777	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:29.175360918 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:29.175519943 CEST	443	49779	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:29.175637960 CEST	49777	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:29.175656080 CEST	49779	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:29.179948092 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:29.185214996 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:29.275947094 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:29.325937033 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:30.297858953 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:30.302784920 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:30.311116934 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:30.311163902 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:30.311300993 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:30.311419964 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:30.311429024 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:30.395648956 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:30.403525114 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:30.408319950 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:30.437679052 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:30.498110056 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:30.560699940 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:30.784224033 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:30.791394949 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:30.792220116 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:30.999886990 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:30.999914885 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.000228882 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.002882957 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.002904892 CEST	443	49803	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.005125999 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.005289078 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.005304098 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.005310059 CEST	443	49796	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.006534100 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.006572962 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.006630898 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.006649971 CEST	49796	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.997327089 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.997364044 CEST	443	49803	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.998279095 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:31.998317003 CEST	443	49809	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:31.999105930 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.000435114 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.000446081 CEST	443	49809	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.004419088 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:32.009196997 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:32.021908998 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.021981001 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.022032022 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.022073030 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.026999950 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.027009964 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.027091980 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.027113914 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.027192116 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.027203083 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.028289080 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:32.028335094 CEST	443	49812	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:32.028525114 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:32.029925108 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:32.029936075 CEST	443	49812	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:32.033668041 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.033698082 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.037003994 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.038510084 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.038533926 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.102662086 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:32.105515957 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:32.110259056 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:32.149421930 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:32.221110106 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:32.265328884 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:32.474102974 CEST	443	49809	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.474591970 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.479152918 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.479173899 CEST	443	49809	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.479273081 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.479374886 CEST	443	49809	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.479551077 CEST	49809	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.748605013 CEST	443	49803	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.748974085 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.749073982 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.749289036 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.749651909 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.749727011 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.753424883 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.753509045 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.754631042 CEST	443	49812	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:32.754729033 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:32.803647041 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.803666115 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.804059029 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.805701971 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.805736065 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.806675911 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.811754942 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.811794043 CEST	443	49803	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.812192917 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.812226057 CEST	443	49803	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:32.812299967 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812314034 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.812324047 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812446117 CEST	49803	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:32.812572002 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.812618017 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.812674999 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812675953 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812699080 CEST	49811	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812711954 CEST	443	49811	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.812753916 CEST	49813	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.812768936 CEST	443	49813	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.812849998 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:32.813265085 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:32.813421965 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:33.042006016 CEST	49810	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:33.042043924 CEST	443	49810	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:33.044157982 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:33.044188023 CEST	443	49812	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:33.044231892 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:33.044528961 CEST	443	49812	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:33.045546055 CEST	49812	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:34.812422991 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.812469959 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:34.815229893 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.815505028 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.815520048 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:34.822833061 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:34.826348066 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.826378107 CEST	443	49830	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:34.827282906 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.827647924 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:34.828644991 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:34.828656912 CEST	443	49830	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:34.831665039 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:34.831684113 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:34.831912994 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:34.832076073 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:34.832083941 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:34.932529926 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:34.936538935 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:34.941678047 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:34.973330975 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.032392025 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.073621988 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.294558048 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.294642925 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.295528889 CEST	443	49830	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.297504902 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.297513962 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.297755003 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.297784090 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.300324917 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:35.301239967 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.301343918 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.301386118 CEST	443	49829	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.302465916 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.302473068 CEST	443	49830	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.302571058 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.302660942 CEST	443	49830	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.303391933 CEST	49829	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.303419113 CEST	49830	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.303483963 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.306603909 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.306613922 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:35.307038069 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:35.309359074 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.309439898 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.309600115 CEST	443	49831	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:35.309814930 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.309830904 CEST	49831	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:35.313811064 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.316704988 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.316740036 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.316910982 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.318234921 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.318248034 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.318600893 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.319760084 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.319772005 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.320211887 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.320347071 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.320355892 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.412103891 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.415241003 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.420082092 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.459178925 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.509990931 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.559473991 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.793826103 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.793912888 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.794533968 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.795079947 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.798269033 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.798279047 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.798629045 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.801518917 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.801525116 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.801641941 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.801736116 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.801762104 CEST	443	49837	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.801810026 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.801913023 CEST	443	49838	34.120.208.123	192.168.2.7
Oct 8, 2024 03:22:35.803746939 CEST	49837	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.803766966 CEST	49838	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:22:35.804713011 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.809724092 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.904877901 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.908503056 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:35.915518045 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:35.945027113 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:36.003604889 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:36.045330048 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:43.289124012 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.289216042 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.291929007 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.291954041 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.292177916 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.292191982 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.292323112 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.292350054 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.292488098 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.292500973 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.298043013 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:43.298067093 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:43.298429012 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:43.298588991 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:43.298599958 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:43.310673952 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.310697079 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.317291975 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.318727970 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.318751097 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.325462103 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.325510025 CEST	443	49892	35.201.103.21	192.168.2.7
Oct 8, 2024 03:22:43.326210976 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.327620029 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.327651978 CEST	443	49892	35.201.103.21	192.168.2.7
Oct 8, 2024 03:22:43.781840086 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.781918049 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.785501003 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.785516977 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.785789013 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.787816048 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.787906885 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.787972927 CEST	443	49889	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.788237095 CEST	49889	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.789386034 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.790714979 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.794017076 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.794030905 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.794142962 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:43.794286013 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.796323061 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.796339035 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.796406984 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.798028946 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.798232079 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.798273087 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:43.798279047 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:43.798854113 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:43.800993919 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.801006079 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.801075935 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.801218987 CEST	443	49891	35.190.72.216	192.168.2.7
Oct 8, 2024 03:22:43.801575899 CEST	49891	443	192.168.2.7	35.190.72.216
Oct 8, 2024 03:22:43.807434082 CEST	443	49892	35.201.103.21	192.168.2.7
Oct 8, 2024 03:22:43.807503939 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.812110901 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.812123060 CEST	443	49892	35.201.103.21	192.168.2.7
Oct 8, 2024 03:22:43.812196970 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.812355995 CEST	443	49892	35.201.103.21	192.168.2.7
Oct 8, 2024 03:22:43.812474012 CEST	49892	443	192.168.2.7	35.201.103.21
Oct 8, 2024 03:22:43.815949917 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.815992117 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.816081047 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.816195011 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:43.816209078 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:43.893496037 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:43.897217035 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:43.902076960 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:43.940784931 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:43.999619007 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.007407904 CEST	443	49888	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.007481098 CEST	49888	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.041078091 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.048649073 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:44.048727036 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:44.052265882 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:44.052273989 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:44.052556992 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:44.055126905 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:44.055236101 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:44.055274010 CEST	443	49890	52.222.236.23	192.168.2.7
Oct 8, 2024 03:22:44.056703091 CEST	49890	443	192.168.2.7	52.222.236.23
Oct 8, 2024 03:22:44.064065933 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.064097881 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.064795017 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.064918041 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.064928055 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.066438913 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.066463947 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.066848993 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.066998959 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.067013025 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.068742037 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.068770885 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.069118977 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.069227934 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.069236040 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.070619106 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.075432062 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.168437004 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.171428919 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.176250935 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.210402012 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.266154051 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.298211098 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:44.298299074 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:44.301501036 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:44.301506042 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:44.301744938 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:44.304677963 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:44.304784060 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:44.304805994 CEST	443	49897	34.149.100.209	192.168.2.7
Oct 8, 2024 03:22:44.306740999 CEST	49897	443	192.168.2.7	34.149.100.209
Oct 8, 2024 03:22:44.310501099 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.310693026 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.315275908 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.409679890 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.412578106 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.417345047 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.457875013 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.507453918 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.525778055 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.525846958 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.528547049 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.528559923 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.528800011 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.531377077 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.531474113 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.531537056 CEST	443	49899	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.531650066 CEST	49899	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.534934998 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.537585974 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.537676096 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.539705038 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.540143967 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.540154934 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.540905952 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.542927027 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.543004036 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.543265104 CEST	443	49900	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.543335915 CEST	49900	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.544435024 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.546135902 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.548616886 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.548624992 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.548891068 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.551237106 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.551328897 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.551398993 CEST	443	49901	35.244.181.201	192.168.2.7
Oct 8, 2024 03:22:44.552084923 CEST	49901	443	192.168.2.7	35.244.181.201
Oct 8, 2024 03:22:44.558146954 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.675822020 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.683969975 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.688762903 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.727513075 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:44.779552937 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:44.827820063 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:45.049676895 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.049722910 CEST	443	49908	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:45.050180912 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.051158905 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.051172018 CEST	443	49908	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:45.637204885 CEST	443	49908	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:45.637285948 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.641062021 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.641062021 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.641076088 CEST	443	49908	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:45.641268969 CEST	443	49908	34.107.243.93	192.168.2.7
Oct 8, 2024 03:22:45.641442060 CEST	49908	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:22:45.643589020 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:45.648360014 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:45.747802019 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:45.751399040 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:45.756197929 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:45.799509048 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:45.846102953 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:45.899780989 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:55.749037027 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:55.753833055 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:22:55.849456072 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:22:55.854306936 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:05.763005972 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:05.767748117 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:05.856185913 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:05.860989094 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:05.922641993 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:05.922672987 CEST	443	50027	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:05.922740936 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:05.924242973 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:05.924254894 CEST	443	50027	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:07.304335117 CEST	443	50027	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:07.304617882 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:07.308923960 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:07.308923960 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:07.308934927 CEST	443	50027	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:07.309165001 CEST	443	50027	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:07.310538054 CEST	50027	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:07.311813116 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:07.316593885 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:07.409812927 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:07.417372942 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:07.422280073 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:07.461098909 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:07.518738985 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:07.561326981 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:12.627093077 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.627113104 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.631695986 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.631737947 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.631932020 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.631938934 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.639550924 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.639560938 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.647332907 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.647425890 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.647425890 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.647425890 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.649074078 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.649086952 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.649209023 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.649245024 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.649310112 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.649336100 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.649382114 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.649395943 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.650857925 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.650949955 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.651248932 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.651346922 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.652784109 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.652920961 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.652925968 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.652959108 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:12.653048992 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:12.653074980 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.134232998 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.134243011 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.134377956 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.134916067 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.134932995 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.135117054 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.137631893 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.137644053 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.137911081 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.140059948 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.140077114 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.140336990 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.143532991 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.143687010 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.143722057 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.143729925 CEST	443	50029	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.143924952 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144020081 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144084930 CEST	443	50031	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.144551039 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144598007 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.144814968 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144848108 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.144907951 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144922018 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144963980 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144979954 CEST	50029	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.144982100 CEST	50031	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.145020962 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.145174026 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.145184040 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.145307064 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.145535946 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.145549059 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.156754971 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.156934023 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.161434889 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.161442995 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.161710024 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.165009975 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.165127039 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.165189028 CEST	443	50033	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.165318012 CEST	50033	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.166493893 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.166532993 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.166611910 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.169926882 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.169934988 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.170173883 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.172985077 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.173074007 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.173147917 CEST	443	50030	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.173238993 CEST	50030	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.175791979 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.175904036 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.178999901 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.179008007 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.179085970 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.179105997 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.179318905 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.180174112 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.183223009 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.183232069 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.183559895 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.187361956 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:13.187737942 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.187855005 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.188025951 CEST	443	50032	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.188349962 CEST	50032	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.189655066 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.189757109 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.189928055 CEST	443	50028	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.189996958 CEST	50028	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.192234039 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.288062096 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.349556923 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:13.603899002 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.604000092 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.609102964 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.609463930 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.609476089 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.609839916 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.609852076 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.613995075 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.614006996 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.614228964 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.618438959 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.618623972 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.618689060 CEST	443	50035	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.619474888 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.619579077 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.619623899 CEST	443	50034	34.120.208.123	192.168.2.7
Oct 8, 2024 03:23:13.621403933 CEST	50035	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.621560097 CEST	50034	443	192.168.2.7	34.120.208.123
Oct 8, 2024 03:23:13.623423100 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:13.628405094 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.628873110 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:13.633748055 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.718673944 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.729029894 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:13.766366005 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:13.781982899 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:14.048855066 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:14.053708076 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:14.143681049 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:14.198743105 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:23.732409000 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:23.737302065 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:24.149297953 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:24.238137960 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:33.761113882 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:33.766143084 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:34.246515989 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:34.251476049 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:43.774313927 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:43.779114962 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:44.259455919 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:44.264458895 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:47.323128939 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.323169947 CEST	443	50036	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:47.323333979 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.325710058 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.325719118 CEST	443	50036	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:47.784080029 CEST	443	50036	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:47.784229994 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.790364981 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.790386915 CEST	443	50036	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:47.790420055 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.790636063 CEST	443	50036	34.107.243.93	192.168.2.7
Oct 8, 2024 03:23:47.790771961 CEST	50036	443	192.168.2.7	34.107.243.93
Oct 8, 2024 03:23:47.793478966 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:47.798429012 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:47.891351938 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:47.896147966 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:47.901057005 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:47.939023018 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:47.996490955 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:48.039293051 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:57.898403883 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:57.903295040 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:23:57.998281002 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:23:58.003494978 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:24:07.909842968 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:24:07.914804935 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:24:08.025748968 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:24:08.030653000 CEST	80	49717	34.107.221.82	192.168.2.7
Oct 8, 2024 03:24:17.935662031 CEST	49718	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:24:18.035825968 CEST	49717	80	192.168.2.7	34.107.221.82
Oct 8, 2024 03:24:18.096199989 CEST	80	49718	34.107.221.82	192.168.2.7
Oct 8, 2024 03:24:18.096205950 CEST	80	49717	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:22:15.973697901 CEST	57138	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.974010944 CEST	64733	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.980973959 CEST	53	64733	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:15.985742092 CEST	60404	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.985892057 CEST	61337	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.988944054 CEST	62431	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.992503881 CEST	53	61337	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:15.992527008 CEST	53	60404	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:15.994714975 CEST	54312	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:15.995682001 CEST	53	62431	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:15.998107910 CEST	55350	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.001303911 CEST	53	54312	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.005098104 CEST	53532	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.005331039 CEST	53	55350	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.012250900 CEST	53	53532	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.341893911 CEST	56918	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.350191116 CEST	53	56918	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.352195024 CEST	53570	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.357680082 CEST	57835	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.359365940 CEST	53	53570	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.364661932 CEST	53	57835	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.377927065 CEST	50305	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.379652977 CEST	49908	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.384669065 CEST	53	50305	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.386487007 CEST	53	49908	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.416507006 CEST	49200	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.423743010 CEST	53	49200	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.425869942 CEST	59388	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.433146954 CEST	53	59388	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:16.443312883 CEST	52687	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:16.449991941 CEST	53	52687	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:17.624197960 CEST	55025	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:17.624624968 CEST	61304	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:17.815656900 CEST	53	55025	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:17.815700054 CEST	53	61304	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:17.873182058 CEST	64802	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:17.873724937 CEST	59598	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:18.068310022 CEST	53	59598	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:18.098933935 CEST	56239	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:18.106765032 CEST	53	56239	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:18.107280016 CEST	57299	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:18.117074966 CEST	53	57299	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:21.820899010 CEST	62881	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:21.825292110 CEST	56382	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:21.832071066 CEST	53	56382	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:21.834434986 CEST	55462	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:21.842462063 CEST	53	55462	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:21.843579054 CEST	51713	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:21.850441933 CEST	53	51713	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:21.860898018 CEST	53	63107	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:22.561553955 CEST	49822	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:22.568135977 CEST	53	49822	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:22.569329023 CEST	64619	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:22.576035023 CEST	53	64619	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:22.577334881 CEST	51823	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:22.584173918 CEST	53	51823	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:25.799067020 CEST	59278	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:25.805887938 CEST	53	59278	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:25.808165073 CEST	61493	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:25.814790010 CEST	53	61493	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:26.244301081 CEST	51544	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:26.254204035 CEST	53	51544	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:27.025015116 CEST	51853	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:27.031774044 CEST	53	51853	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:27.034857035 CEST	56494	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:27.041367054 CEST	53	56494	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:27.042090893 CEST	52172	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:27.048940897 CEST	53	52172	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:32.024492025 CEST	60381	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:32.028650045 CEST	55412	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:32.033355951 CEST	53	60381	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:32.041357994 CEST	53	55412	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.809273958 CEST	59849	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.809330940 CEST	65432	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.809892893 CEST	61857	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.816020012 CEST	53	59849	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.816549063 CEST	53	65432	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.816729069 CEST	53	61857	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.818741083 CEST	58278	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.819392920 CEST	52455	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.823957920 CEST	50415	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.825712919 CEST	53	58278	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.825948000 CEST	53	52455	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.826631069 CEST	61020	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.829171896 CEST	61311	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.831044912 CEST	53	50415	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.832433939 CEST	60786	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.833329916 CEST	53	61020	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.834098101 CEST	52606	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.835843086 CEST	53	61311	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.836391926 CEST	64326	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.839538097 CEST	53	60786	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.840830088 CEST	53	52606	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.842509031 CEST	64508	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.842844009 CEST	53	64326	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.845494986 CEST	59705	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.849543095 CEST	53	64508	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.852264881 CEST	53	59705	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.857824087 CEST	54053	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.864655018 CEST	53	54053	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:34.872178078 CEST	62981	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:34.879164934 CEST	53	62981	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.288394928 CEST	55859	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.295599937 CEST	53	55859	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.296696901 CEST	49163	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.299065113 CEST	52809	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.303404093 CEST	53	49163	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.305852890 CEST	53	52809	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.306343079 CEST	55740	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.311943054 CEST	50474	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.313189030 CEST	53	55740	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.316869020 CEST	56493	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.324328899 CEST	53	56493	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.326139927 CEST	52691	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.333478928 CEST	53	52691	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.335694075 CEST	56714	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.342677116 CEST	53	56714	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.345746994 CEST	53	50474	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:43.348009109 CEST	64934	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:43.355103970 CEST	53	64934	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:45.049092054 CEST	59887	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:45.162517071 CEST	53	59887	1.1.1.1	192.168.2.7
Oct 8, 2024 03:22:45.164206028 CEST	62423	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:22:45.170943022 CEST	53	62423	1.1.1.1	192.168.2.7
Oct 8, 2024 03:23:05.915137053 CEST	61133	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:05.921746016 CEST	53	61133	1.1.1.1	192.168.2.7
Oct 8, 2024 03:23:05.922394037 CEST	53658	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:05.928909063 CEST	53	53658	1.1.1.1	192.168.2.7
Oct 8, 2024 03:23:07.312607050 CEST	63509	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:12.626512051 CEST	52063	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:12.633384943 CEST	53	52063	1.1.1.1	192.168.2.7
Oct 8, 2024 03:23:47.321754932 CEST	49274	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:47.328591108 CEST	53	49274	1.1.1.1	192.168.2.7
Oct 8, 2024 03:23:47.330046892 CEST	49182	53	192.168.2.7	1.1.1.1
Oct 8, 2024 03:23:47.337224007 CEST	53	49182	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 03:22:15.973697901 CEST	192.168.2.7	1.1.1.1	0x93fd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.974010944 CEST	192.168.2.7	1.1.1.1	0x5270	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.985742092 CEST	192.168.2.7	1.1.1.1	0xf60c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.985892057 CEST	192.168.2.7	1.1.1.1	0x3836	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.988944054 CEST	192.168.2.7	1.1.1.1	0x91c3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.994714975 CEST	192.168.2.7	1.1.1.1	0xbd2c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:15.998107910 CEST	192.168.2.7	1.1.1.1	0xa2bd	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:16.005098104 CEST	192.168.2.7	1.1.1.1	0x4253	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:16.341893911 CEST	192.168.2.7	1.1.1.1	0xf232	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.352195024 CEST	192.168.2.7	1.1.1.1	0x4181	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.357680082 CEST	192.168.2.7	1.1.1.1	0x9a55	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.377927065 CEST	192.168.2.7	1.1.1.1	0x1975	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:16.379652977 CEST	192.168.2.7	1.1.1.1	0x72ce	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:16.416507006 CEST	192.168.2.7	1.1.1.1	0x5a6c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.425869942 CEST	192.168.2.7	1.1.1.1	0x7feb	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.443312883 CEST	192.168.2.7	1.1.1.1	0xeb37	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:17.624197960 CEST	192.168.2.7	1.1.1.1	0xd9fa	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.624624968 CEST	192.168.2.7	1.1.1.1	0x51ef	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.873182058 CEST	192.168.2.7	1.1.1.1	0x112e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.873724937 CEST	192.168.2.7	1.1.1.1	0x7ce	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.098933935 CEST	192.168.2.7	1.1.1.1	0xc325	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.107280016 CEST	192.168.2.7	1.1.1.1	0x2775	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:21.820899010 CEST	192.168.2.7	1.1.1.1	0xeb1f	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:21.825292110 CEST	192.168.2.7	1.1.1.1	0x40bb	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:21.834434986 CEST	192.168.2.7	1.1.1.1	0x92bf	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:21.843579054 CEST	192.168.2.7	1.1.1.1	0x23bb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:22.561553955 CEST	192.168.2.7	1.1.1.1	0x363a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:22.569329023 CEST	192.168.2.7	1.1.1.1	0xc23d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:22.577334881 CEST	192.168.2.7	1.1.1.1	0xbe85	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:25.799067020 CEST	192.168.2.7	1.1.1.1	0x9e1e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:25.808165073 CEST	192.168.2.7	1.1.1.1	0x28fd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:26.244301081 CEST	192.168.2.7	1.1.1.1	0xe617	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:27.025015116 CEST	192.168.2.7	1.1.1.1	0xaed7	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:27.034857035 CEST	192.168.2.7	1.1.1.1	0xb8f6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:27.042090893 CEST	192.168.2.7	1.1.1.1	0x410a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:32.024492025 CEST	192.168.2.7	1.1.1.1	0x5ca5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:32.028650045 CEST	192.168.2.7	1.1.1.1	0xa860	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:34.809273958 CEST	192.168.2.7	1.1.1.1	0x92e4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.809330940 CEST	192.168.2.7	1.1.1.1	0x8125	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.809892893 CEST	192.168.2.7	1.1.1.1	0xe628	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.818741083 CEST	192.168.2.7	1.1.1.1	0xd9f7	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.819392920 CEST	192.168.2.7	1.1.1.1	0x597c	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.823957920 CEST	192.168.2.7	1.1.1.1	0xd289	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.826631069 CEST	192.168.2.7	1.1.1.1	0x9ba0	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:34.829171896 CEST	192.168.2.7	1.1.1.1	0x795e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:34.832433939 CEST	192.168.2.7	1.1.1.1	0xa8d2	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 8, 2024 03:22:34.834098101 CEST	192.168.2.7	1.1.1.1	0x8ec4	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.836391926 CEST	192.168.2.7	1.1.1.1	0xb930	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.842509031 CEST	192.168.2.7	1.1.1.1	0x47d8	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.845494986 CEST	192.168.2.7	1.1.1.1	0xa347	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.857824087 CEST	192.168.2.7	1.1.1.1	0x41ba	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:34.872178078 CEST	192.168.2.7	1.1.1.1	0x7bd4	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:43.288394928 CEST	192.168.2.7	1.1.1.1	0x63ba	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.296696901 CEST	192.168.2.7	1.1.1.1	0xe093	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:43.299065113 CEST	192.168.2.7	1.1.1.1	0xfc62	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.306343079 CEST	192.168.2.7	1.1.1.1	0xff00	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 8, 2024 03:22:43.311943054 CEST	192.168.2.7	1.1.1.1	0x867b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.316869020 CEST	192.168.2.7	1.1.1.1	0x2c46	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.326139927 CEST	192.168.2.7	1.1.1.1	0x5ca4	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.335694075 CEST	192.168.2.7	1.1.1.1	0x3a1c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:22:43.348009109 CEST	192.168.2.7	1.1.1.1	0xea80	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 03:22:45.049092054 CEST	192.168.2.7	1.1.1.1	0x6d05	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:45.164206028 CEST	192.168.2.7	1.1.1.1	0x89ca	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:23:05.915137053 CEST	192.168.2.7	1.1.1.1	0xb954	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:05.922394037 CEST	192.168.2.7	1.1.1.1	0xe2f0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:23:07.312607050 CEST	192.168.2.7	1.1.1.1	0x500f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:12.626512051 CEST	192.168.2.7	1.1.1.1	0x9f9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 03:23:47.321754932 CEST	192.168.2.7	1.1.1.1	0x46c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:47.330046892 CEST	192.168.2.7	1.1.1.1	0xc9ce	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 03:22:15.980762005 CEST	1.1.1.1	192.168.2.7	0x93fd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:15.980762005 CEST	1.1.1.1	192.168.2.7	0x93fd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.980829954 CEST	1.1.1.1	192.168.2.7	0x2f22	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.980973959 CEST	1.1.1.1	192.168.2.7	0x5270	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.992503881 CEST	1.1.1.1	192.168.2.7	0x3836	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.992527008 CEST	1.1.1.1	192.168.2.7	0xf60c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:15.995682001 CEST	1.1.1.1	192.168.2.7	0x91c3	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.001303911 CEST	1.1.1.1	192.168.2.7	0xbd2c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 03:22:16.005331039 CEST	1.1.1.1	192.168.2.7	0xa2bd	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:16.350191116 CEST	1.1.1.1	192.168.2.7	0xf232	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.352380991 CEST	1.1.1.1	192.168.2.7	0xe13c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:16.352380991 CEST	1.1.1.1	192.168.2.7	0xe13c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.359365940 CEST	1.1.1.1	192.168.2.7	0x4181	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.364661932 CEST	1.1.1.1	192.168.2.7	0x9a55	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.423743010 CEST	1.1.1.1	192.168.2.7	0x5a6c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:16.423743010 CEST	1.1.1.1	192.168.2.7	0x5a6c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:16.433146954 CEST	1.1.1.1	192.168.2.7	0x7feb	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.815656900 CEST	1.1.1.1	192.168.2.7	0xd9fa	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.815700054 CEST	1.1.1.1	192.168.2.7	0x51ef	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:17.815700054 CEST	1.1.1.1	192.168.2.7	0x51ef	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.068299055 CEST	1.1.1.1	192.168.2.7	0x112e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:18.068299055 CEST	1.1.1.1	192.168.2.7	0x112e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.068310022 CEST	1.1.1.1	192.168.2.7	0x7ce	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:18.068310022 CEST	1.1.1.1	192.168.2.7	0x7ce	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:18.068310022 CEST	1.1.1.1	192.168.2.7	0x7ce	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.106765032 CEST	1.1.1.1	192.168.2.7	0xc325	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:18.117074966 CEST	1.1.1.1	192.168.2.7	0x2775	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 03:22:21.827795982 CEST	1.1.1.1	192.168.2.7	0xeb1f	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:21.832071066 CEST	1.1.1.1	192.168.2.7	0x40bb	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:21.832071066 CEST	1.1.1.1	192.168.2.7	0x40bb	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:21.832071066 CEST	1.1.1.1	192.168.2.7	0x40bb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:21.842462063 CEST	1.1.1.1	192.168.2.7	0x92bf	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:22.568135977 CEST	1.1.1.1	192.168.2.7	0x363a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:22.576035023 CEST	1.1.1.1	192.168.2.7	0xc23d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:25.795953989 CEST	1.1.1.1	192.168.2.7	0xa1ee	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:25.805887938 CEST	1.1.1.1	192.168.2.7	0x9e1e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:26.875312090 CEST	1.1.1.1	192.168.2.7	0x9109	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:26.875312090 CEST	1.1.1.1	192.168.2.7	0x9109	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:27.031774044 CEST	1.1.1.1	192.168.2.7	0xaed7	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:27.031774044 CEST	1.1.1.1	192.168.2.7	0xaed7	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:27.041367054 CEST	1.1.1.1	192.168.2.7	0xb8f6	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:27.107666969 CEST	1.1.1.1	192.168.2.7	0x9633	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816020012 CEST	1.1.1.1	192.168.2.7	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816549063 CEST	1.1.1.1	192.168.2.7	0x8125	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816549063 CEST	1.1.1.1	192.168.2.7	0x8125	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816729069 CEST	1.1.1.1	192.168.2.7	0xe628	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:34.816729069 CEST	1.1.1.1	192.168.2.7	0xe628	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825712919 CEST	1.1.1.1	192.168.2.7	0xd9f7	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.825948000 CEST	1.1.1.1	192.168.2.7	0x597c	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.831044912 CEST	1.1.1.1	192.168.2.7	0xd289	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.833329916 CEST	1.1.1.1	192.168.2.7	0x9ba0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.833329916 CEST	1.1.1.1	192.168.2.7	0x9ba0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.833329916 CEST	1.1.1.1	192.168.2.7	0x9ba0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.833329916 CEST	1.1.1.1	192.168.2.7	0x9ba0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.835843086 CEST	1.1.1.1	192.168.2.7	0x795e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.839538097 CEST	1.1.1.1	192.168.2.7	0xa8d2	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 8, 2024 03:22:34.840830088 CEST	1.1.1.1	192.168.2.7	0x8ec4	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:34.840830088 CEST	1.1.1.1	192.168.2.7	0x8ec4	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.840830088 CEST	1.1.1.1	192.168.2.7	0x8ec4	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.840830088 CEST	1.1.1.1	192.168.2.7	0x8ec4	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.840830088 CEST	1.1.1.1	192.168.2.7	0x8ec4	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.842844009 CEST	1.1.1.1	192.168.2.7	0xb930	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.849543095 CEST	1.1.1.1	192.168.2.7	0x47d8	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.849543095 CEST	1.1.1.1	192.168.2.7	0x47d8	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.849543095 CEST	1.1.1.1	192.168.2.7	0x47d8	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.849543095 CEST	1.1.1.1	192.168.2.7	0x47d8	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:34.852264881 CEST	1.1.1.1	192.168.2.7	0xa347	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.294979095 CEST	1.1.1.1	192.168.2.7	0x45c8	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:43.294979095 CEST	1.1.1.1	192.168.2.7	0x45c8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.295599937 CEST	1.1.1.1	192.168.2.7	0x63ba	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.295599937 CEST	1.1.1.1	192.168.2.7	0x63ba	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.295599937 CEST	1.1.1.1	192.168.2.7	0x63ba	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.295599937 CEST	1.1.1.1	192.168.2.7	0x63ba	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.305852890 CEST	1.1.1.1	192.168.2.7	0xfc62	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.305852890 CEST	1.1.1.1	192.168.2.7	0xfc62	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.305852890 CEST	1.1.1.1	192.168.2.7	0xfc62	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.305852890 CEST	1.1.1.1	192.168.2.7	0xfc62	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.318341970 CEST	1.1.1.1	192.168.2.7	0x5937	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.324328899 CEST	1.1.1.1	192.168.2.7	0x2c46	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:43.324328899 CEST	1.1.1.1	192.168.2.7	0x2c46	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.333478928 CEST	1.1.1.1	192.168.2.7	0x5ca4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:43.345746994 CEST	1.1.1.1	192.168.2.7	0x867b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:44.572058916 CEST	1.1.1.1	192.168.2.7	0x409b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:44.572058916 CEST	1.1.1.1	192.168.2.7	0x409b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:22:45.162517071 CEST	1.1.1.1	192.168.2.7	0x6d05	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:05.921746016 CEST	1.1.1.1	192.168.2.7	0xb954	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:07.319317102 CEST	1.1.1.1	192.168.2.7	0x500f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 03:23:07.319317102 CEST	1.1.1.1	192.168.2.7	0x500f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:12.624505997 CEST	1.1.1.1	192.168.2.7	0x262	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:23:47.328591108 CEST	1.1.1.1	192.168.2.7	0x46c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	34.107.221.82	80	3840	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:22:16.020144939 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:16.481431961 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71803 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49717	34.107.221.82	80	3840	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:22:18.103540897 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:18.553880930 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53880 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:18.814878941 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:18.909790039 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53880 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:21.825503111 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:21.920572042 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53883 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:22.736864090 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:22.837522030 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53884 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:27.025176048 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:27.120429039 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53889 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:27.480983019 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:27.657231092 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53889 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:29.179948092 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:29.275947094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53891 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:30.403525114 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:30.498110056 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53892 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:32.105515957 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:32.221110106 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53894 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:34.936538935 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:35.032392025 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53896 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:35.415241003 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:35.509990931 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53897 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:35.908503056 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:36.003604889 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53897 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:43.897217035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:43.999619007 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53905 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:44.171428919 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:44.266154051 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53906 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:44.412578106 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:44.507453918 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53906 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:44.683969975 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:44.779552937 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53906 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:45.751399040 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:22:45.846102953 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53907 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:22:55.849456072 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:05.856185913 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:07.417372942 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:23:07.518738985 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53929 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:23:13.623423100 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:23:13.718673944 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53935 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:23:14.048855066 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:23:14.143681049 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53936 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:23:24.149297953 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:34.246515989 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:44.259455919 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:47.896147966 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 03:23:47.996490955 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 53969 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 03:23:57.998281002 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:24:08.025748968 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:24:18.035825968 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49718	34.107.221.82	80	3840	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:22:18.103631020 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:18.573219061 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71805 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:19.089366913 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:19.187252998 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71806 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:22.454081059 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:22.576457977 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71809 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:26.000216961 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:26.098500967 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71813 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:27.099244118 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:27.197140932 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71814 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:28.443000078 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:28.546060085 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71815 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:30.297858953 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:30.395648956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71817 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:32.004419088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:32.102662086 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71819 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:34.822833061 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:34.932529926 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71821 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:35.313811064 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:35.412103891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71822 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:35.804713011 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:35.904877901 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71822 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:43.794142962 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:43.893496037 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:44.070619106 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:44.168437004 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71831 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:44.310501099 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:44.409679890 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71831 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:44.534934998 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:44.675822020 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71831 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:45.643589020 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:22:45.747802019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71832 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:22:55.749037027 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:05.763005972 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:07.311813116 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:23:07.409812927 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71854 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:23:13.187361956 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:23:13.288062096 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71860 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:23:13.628873110 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:23:13.729029894 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71860 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:23:23.732409000 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:33.761113882 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:43.774313927 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:23:47.793478966 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 03:23:47.891351938 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 05:25:33 GMT Age: 71894 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 03:23:57.898403883 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:24:07.909842968 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 03:24:17.935662031 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	21:22:08
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf70000
File size:	919'040 bytes
MD5 hash:	924783F66EC78C390DF83E006B84A1CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:22:09
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:22:09
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:22:09
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	21:22:11
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5955411b-aca1-456f-b449-7b3f372f43c5} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272dc46d910 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	21:22:13
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3764 -parentBuildID 20230927232528 -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70f343f-4b14-423d-8c43-c25c18d31a8c} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ee5fab10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	21:22:26
Start date:	07/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4844 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2e6e33-e591-45c7-bba4-77c5e44e0230} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 272ecfab310 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1476
Total number of Limit Nodes:	41

Executed Functions

Function 00F742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F7430D

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

GetCurrentProcess.KERNEL32(?,0100CB64,00000000,?,?), ref: 00F74422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F74429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F74454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F74466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F74474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F7447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F744A0

Strings

|O, xrefs: 00FB36F8
kernel32.dll, xrefs: 00F7444F
GetNativeSystemInfo, xrefs: 00F74460

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f81627774e75ca12677d4298a722c4aed07a37d418f005604b89ded5218d0bed
Instruction ID: dc1d649e3667fc43762e3a1bf7dd094041a7bfe35c1b9566d4cf78e05972a41a
Opcode Fuzzy Hash: f81627774e75ca12677d4298a722c4aed07a37d418f005604b89ded5218d0bed
Instruction Fuzzy Hash: AAA1B7FB90D2C0DFC731CB6976C02D57F946B26342B14C499D4C5A3A09E23A7584EF62

Function 00F742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F750AA,?,?,00000000,00000000), ref: 00F742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F750AA,?,?,00000000,00000000), ref: 00F742C9
LoadResource.KERNEL32(?,00000000,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20), ref: 00FB35BE
SizeofResource.KERNEL32(?,00000000,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20), ref: 00FB35D3
LockResource.KERNEL32(00F750AA,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20,?), ref: 00FB35E6

Strings

SCRIPT, xrefs: 00F742BF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: afb2a39b394afbd699b49bd3ec3e61e2f383ff188156b2c90ea2bbea36b80888
Instruction ID: 0b92ffb349a08cd64edb147f7f42da51983f8603407eb507ce53d9ef6c3bdbd1
Opcode Fuzzy Hash: afb2a39b394afbd699b49bd3ec3e61e2f383ff188156b2c90ea2bbea36b80888
Instruction Fuzzy Hash: 7311A070200700BFE7228B65DD48F277BB9EBC5B51F2082A9B44A96680DB71EC10DB31

Function 00FB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F72B6B

Part of subcall function 00F73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01041418,?,00F72E7F,?,?,?,00000000), ref: 00F73A78

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01032224), ref: 00FB2C10
ShellExecuteW.SHELL32(00000000,?,?,01032224), ref: 00FB2C17

Strings

runas, xrefs: 00FB2C0B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 047742a6746289f7f9c0cf65bc82f543fb0df2cdfbd715966aad66294fdd2180
Instruction ID: b8b91c2b8cbc2ed2f30807db0479416b909d1592962bd7aea6c3f2e01149d8ec
Opcode Fuzzy Hash: 047742a6746289f7f9c0cf65bc82f543fb0df2cdfbd715966aad66294fdd2180
Instruction Fuzzy Hash: 8E11B4716083056AC765FF64DC829AE77A4ABD5310F44842FF1CA56093CF399A4AB713

Function 00FDD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FDD501
Process32FirstW.KERNEL32(00000000,?), ref: 00FDD50F
Process32NextW.KERNEL32(00000000,?), ref: 00FDD52F
CloseHandle.KERNELBASE(00000000), ref: 00FDD5DC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2f846e83db279f343ab59bf152cdca1cc171976669d0adcf4ccbe696870e1c8b
Instruction ID: 9f327634f5af947b1efb9cfe441b9ab4e38e275874b8cdb1ec18dfa56441658f
Opcode Fuzzy Hash: 2f846e83db279f343ab59bf152cdca1cc171976669d0adcf4ccbe696870e1c8b
Instruction Fuzzy Hash: 01319E320082009FD301EF64DC81AAFBBF9AF99354F18492EF585862A1EB759945DB93

Function 00FDDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00FB5222), ref: 00FDDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FDDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00FDDBEE
FindClose.KERNEL32(00000000), ref: 00FDDBFA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4116a68bf420f403d3c01e7abfcbe41bd8683f743d4c98a13ee30667630810c0
Instruction ID: 6a3e20b1b7e33c4bb2b2554243dbc062398483532d299601da47594168f843bd
Opcode Fuzzy Hash: 4116a68bf420f403d3c01e7abfcbe41bd8683f743d4c98a13ee30667630810c0
Instruction Fuzzy Hash: EBF0E5318209105792316B7CAE0E8BA376D9E02334F284743F8BAC22E0EBB55D54E7D5

Function 00F94CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000,?,00FA28E9), ref: 00F94D09
TerminateProcess.KERNEL32(00000000,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000,?,00FA28E9), ref: 00F94D10
ExitProcess.KERNEL32 ref: 00F94D22

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9ab8a55dda44b0d335647413a45d6b15b98a0d0dffa3bc753af8568ee9d2d0cd
Instruction ID: dc87aaa58169ef50afc8a8e03089ec2e1f5b9c46d52efc63d7048c0f2cfb90e2
Opcode Fuzzy Hash: 9ab8a55dda44b0d335647413a45d6b15b98a0d0dffa3bc753af8568ee9d2d0cd
Instruction Fuzzy Hash: 1BE0B635810148ABEF26AF54DE09E583B69FB56791F108155FC458A226CB3AEE42EB80

Function 00FFAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FFB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB1D4
_wcslen.LIBCMT ref: 00FFB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB236
_wcslen.LIBCMT ref: 00FFB332

Part of subcall function 00FE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FE05C6

_wcslen.LIBCMT ref: 00FFB34B
_wcslen.LIBCMT ref: 00FFB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FFB3B6
GetLastError.KERNEL32(00000000), ref: 00FFB407
CloseHandle.KERNEL32(?), ref: 00FFB439
CloseHandle.KERNEL32(00000000), ref: 00FFB44A
CloseHandle.KERNEL32(00000000), ref: 00FFB45C
CloseHandle.KERNEL32(00000000), ref: 00FFB46E
CloseHandle.KERNEL32(?), ref: 00FFB4E3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b553619e80830de51fa7e84b2fb0aa41ffe4b0e5fabf1286081c424686af529b
Instruction ID: d69ab04204bcb0121f6c4e12c91168ea3cd10f484ea37f308ad6869a364a2a95
Opcode Fuzzy Hash: b553619e80830de51fa7e84b2fb0aa41ffe4b0e5fabf1286081c424686af529b
Instruction Fuzzy Hash: CCF1C031908304DFD715EF24C881B6EBBE5AF85324F18855EF5998B2A2CB35EC44DB52

Function 00F7D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F7D807
timeGetTime.WINMM ref: 00F7DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB28
TranslateMessage.USER32(?), ref: 00F7DB7B
DispatchMessageW.USER32(?), ref: 00F7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB9F
Sleep.KERNELBASE(0000000A), ref: 00F7DBB1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: eb1f766fdb255d18fa8fc5735e86fee511ebd260afc81a9af90755db02bdba9d
Instruction ID: 445be93b75be26d764803e15f16bc089be116b56f7820159b5ccaee3fdf6757f
Opcode Fuzzy Hash: eb1f766fdb255d18fa8fc5735e86fee511ebd260afc81a9af90755db02bdba9d
Instruction Fuzzy Hash: AC420370A04242DFE739CB24C985FAAB7B0FF85310F54865EE59987291C779E844EB83

Function 00F72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F72D07
RegisterClassExW.USER32(00000030), ref: 00F72D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F72D42
InitCommonControlsEx.COMCTL32(?), ref: 00F72D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F72D6F
LoadIconW.USER32(000000A9), ref: 00F72D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F72D94

Strings

0, xrefs: 00F72CE9
TaskbarCreated, xrefs: 00F72D37
+, xrefs: 00F72CF0
AutoIt v3 GUI, xrefs: 00F72D23

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 49fa5ac83e624634322dbf624d3aad6dff03ece58e3949f7bea83ceefbe14b4a
Instruction ID: ccca9af98d8144ea1eed9909180665fe11e20dbeff0c0b4c7380334b79d8f758
Opcode Fuzzy Hash: 49fa5ac83e624634322dbf624d3aad6dff03ece58e3949f7bea83ceefbe14b4a
Instruction Fuzzy Hash: 742121B9D01308AFEB11DF94EA89BDD7FB4FB08701F00425AF591A6284D7BA1544CF51

Function 00FB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FB0704,?,?,00000000,?,00FB0704,00000000,0000000C), ref: 00FB03B7

GetLastError.KERNEL32 ref: 00FB076F
__dosmaperr.LIBCMT ref: 00FB0776
GetFileType.KERNELBASE(00000000), ref: 00FB0782
GetLastError.KERNEL32 ref: 00FB078C
__dosmaperr.LIBCMT ref: 00FB0795
CloseHandle.KERNEL32(00000000), ref: 00FB07B5
CloseHandle.KERNEL32(?), ref: 00FB08FF
GetLastError.KERNEL32 ref: 00FB0931
__dosmaperr.LIBCMT ref: 00FB0938

Strings

H, xrefs: 00FB08BD

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a54ca21259f2139832f5b00715ae35086e56ac2ec78f6c9f1d31d5e1ecbcc5e1
Instruction ID: 41f16807f5e5003415910389eb18f8671be364ee5e5d938f04bb644ae057fa73
Opcode Fuzzy Hash: a54ca21259f2139832f5b00715ae35086e56ac2ec78f6c9f1d31d5e1ecbcc5e1
Instruction Fuzzy Hash: 6EA13732A141048FDF19EF68DC91BEE7BA0AB06320F240159F855EB391CB399D16EF91

Function 00F7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01041418,?,00F72E7F,?,?,?,00000000), ref: 00F73A78

Part of subcall function 00F73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F73379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F7356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FB318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FB31CE
RegCloseKey.ADVAPI32(?), ref: 00FB3210
_wcslen.LIBCMT ref: 00FB3277
_wcslen.LIBCMT ref: 00FB3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F73560
Include, xrefs: 00FB3184, 00FB31C5
\Include\, xrefs: 00F73527
\, xrefs: 00FB328C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c14f4a63a7e2d7307f6f45599b5b39ce4c3a1fdac47747fc439d8d59769c97f5
Instruction ID: 1ef3c44f1cced97fb0d88113416708c1c871ff58fd0aab95d22abbd575c99359
Opcode Fuzzy Hash: c14f4a63a7e2d7307f6f45599b5b39ce4c3a1fdac47747fc439d8d59769c97f5
Instruction Fuzzy Hash: 5471C2B15043019FD324EF25ED8289BBBF8FF85740F40852EF589931A4DB799A48DB52

Function 00F72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F72B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F72B9D
LoadIconW.USER32(00000063), ref: 00F72BB3
LoadIconW.USER32(000000A4), ref: 00F72BC5
LoadIconW.USER32(000000A2), ref: 00F72BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F72BEF
RegisterClassExW.USER32(?), ref: 00F72C40

Part of subcall function 00F72CD4: GetSysColorBrush.USER32(0000000F), ref: 00F72D07
Part of subcall function 00F72CD4: RegisterClassExW.USER32(00000030), ref: 00F72D31
Part of subcall function 00F72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F72D42
Part of subcall function 00F72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F72D5F
Part of subcall function 00F72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F72D6F
Part of subcall function 00F72CD4: LoadIconW.USER32(000000A9), ref: 00F72D85
Part of subcall function 00F72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F72D94

Strings

0, xrefs: 00F72C0F
#, xrefs: 00F72C16
AutoIt v3, xrefs: 00F72C2F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: eb1cbb03c8cd90bf6f105c4faa28afd102baf211c4eac9b290798407575e3f44
Instruction ID: 2d51fc7a2e132e28e33683aff643e9597a9c3c7ffed58377fb99a66d1c09d791
Opcode Fuzzy Hash: eb1cbb03c8cd90bf6f105c4faa28afd102baf211c4eac9b290798407575e3f44
Instruction Fuzzy Hash: D72192B8E40314AFDB219F95EA84B9D7FB5FB08B51F00815AF584A6684D3BA2580DF80

Function 00F73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F7316A,?,?), ref: 00F731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F7316A,?,?), ref: 00F73204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F73227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F7316A,?,?), ref: 00F73232
CreatePopupMenu.USER32 ref: 00F73246
PostQuitMessage.USER32(00000000), ref: 00F73267

Strings

TaskbarCreated, xrefs: 00F7322D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 0539d7be32a107ae44809edeb3c2a03cc26461b0519f16490a9c0b8defd4640a
Instruction ID: 721c31605df6d2201ae26c75fe42fa3471c3b9b3ef1f12016c5622d4ff831350
Opcode Fuzzy Hash: 0539d7be32a107ae44809edeb3c2a03cc26461b0519f16490a9c0b8defd4640a
Instruction Fuzzy Hash: 3A412975A50104B7DB251B38DE497B93716F705350F14812BF58E85286C7BA9E80F763

Function 00F71410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F71459
CoUninitialize.COMBASE ref: 00F714F8
UnregisterHotKey.USER32(?), ref: 00F716DD
DestroyWindow.USER32(?), ref: 00FB24B9
FreeLibrary.KERNEL32(?), ref: 00FB251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FB254B

Strings

close all, xrefs: 00F71454

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: df1566a55f40461a5f243fb38e97289f093fbeae4da1fca262c6f3250e87bec0
Instruction ID: 54781c335c58ecffa2b5662838af1027340f3d925b134ed9d9e8d6d49315d524
Opcode Fuzzy Hash: df1566a55f40461a5f243fb38e97289f093fbeae4da1fca262c6f3250e87bec0
Instruction Fuzzy Hash: 32D1A031701212CFDB29EF19C899B69F7A0BF05710F1482AEE44A6B251CB30ED16EF52

Function 00F72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F72C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F72CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F71CAD,?), ref: 00F72CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F71CAD,?), ref: 00F72CCF

Strings

edit, xrefs: 00F72CAC
AutoIt v3, xrefs: 00F72C89, 00F72C8E, 00F72C8F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2e8510708ca4b90df76825bef1e1799f2f65a4b53218f24886f272ee559db901
Instruction ID: cbbfe00d7910c248fc575755ac3a7451a47b4b468c89b85b3383be7fc1b5729d
Opcode Fuzzy Hash: 2e8510708ca4b90df76825bef1e1799f2f65a4b53218f24886f272ee559db901
Instruction Fuzzy Hash: DEF03AB95402907BFB321713AD8CE772EBDE7C6F51F00805EF944A2194C27A2884DBB0

Function 00F73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B83

Strings

Control Panel\Mouse, xrefs: 00F73B3E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3010b6255f542de4a6a1b2da42f537d62b249317fbacb5b255af2bee93acc9ab
Instruction ID: 097dd3087245932328aa09f330fd8d55890c2aec4a5ef446bffa259240221ada
Opcode Fuzzy Hash: 3010b6255f542de4a6a1b2da42f537d62b249317fbacb5b255af2bee93acc9ab
Instruction Fuzzy Hash: 43112AB5510208FFEB21CFA9DC44AEEB7BCEF45754B10855AB809D7114D2319E40A7A1

Function 00F73923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FB33A2

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F73A04

Strings

Line: , xrefs: 00FB33EB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 398b9e32a9a32873a7927f32670d5d1d88c1c21db57873c1bbb31fadebcb3c23
Instruction ID: 94ff751aa37d11adbf23204495ec6dc9a5f61261d7fdfdfd45f8d3b6c76e4687
Opcode Fuzzy Hash: 398b9e32a9a32873a7927f32670d5d1d88c1c21db57873c1bbb31fadebcb3c23
Instruction Fuzzy Hash: 0431A371848310BBD725EB20DC45BDB77E8AB84710F04852BF59D82181DB78A649E7C3

Function 00F8FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F90668

Part of subcall function 00F932A4: RaiseException.KERNEL32(?,?,?,00F9068A,?,01041444,?,?,?,?,?,?,00F9068A,00F71129,01038738,00F71129), ref: 00F93304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F90685

Strings

Unknown exception, xrefs: 00F90692

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 9c0cf0a75cb6e204a400c1e66423f23c42080583c7bfcaf3a375a14f9c47194f
Instruction ID: bf76817ea63553804cef7b05537cf63ed6eda059afdb5617bd1166ab7e6a90c3
Opcode Fuzzy Hash: 9c0cf0a75cb6e204a400c1e66423f23c42080583c7bfcaf3a375a14f9c47194f
Instruction Fuzzy Hash: FDF0C235D0020DBBAF00B664DC46D9E776C6E40320B604165BA24D6591EF75EA6AFAC0

Function 00F710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F71BF4
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F71BFC
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F71C07
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F71C12
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F71C1A
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F71C22

Part of subcall function 00F71B4A: RegisterWindowMessageW.USER32(00000004,?,00F712C4), ref: 00F71BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F7136A
OleInitialize.OLE32 ref: 00F71388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FB24AB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1bcd1e137da939966d05123081a20a4e098401f5f5aab72d6da7293fa87f4baf
Instruction ID: f0bfac337b767a27a555c76b6ffa2a5d8c82d82218fb43d64c69a0164a393c3f
Opcode Fuzzy Hash: 1bcd1e137da939966d05123081a20a4e098401f5f5aab72d6da7293fa87f4baf
Instruction Fuzzy Hash: 8D71A0F8911300CFE3A4DF79E6C56953AE1BB88344758826ED4DAC7249EB3A64C5CF81

Function 00FDC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F73A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FDC259
KillTimer.USER32(?,00000001,?,?), ref: 00FDC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FDC270

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5f9502a4b136215d05238c1299df500553f5f6da6618eb5e31036ffaa9356bee
Instruction ID: ec7778f26c4f192edd0d7def5388dd4874c321b61d8debc77b20c1d94c75783c
Opcode Fuzzy Hash: 5f9502a4b136215d05238c1299df500553f5f6da6618eb5e31036ffaa9356bee
Instruction Fuzzy Hash: 7031D571904344AFEB329F648885BE7BBEDAF06305F08449EE6DE93241C7746A84DB91

Function 00FA86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FA85CC,?,01038CC8,0000000C), ref: 00FA8704
GetLastError.KERNEL32(?,00FA85CC,?,01038CC8,0000000C), ref: 00FA870E
__dosmaperr.LIBCMT ref: 00FA8739

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b4593e7456a32681a276c01a2861a07e172b492e11c51c176fce7fd6d7c6cff8
Instruction ID: a391e4c427a4c4793f0bf8ea917db7f71c087e9270b210072bf96c18e424575c
Opcode Fuzzy Hash: b4593e7456a32681a276c01a2861a07e172b492e11c51c176fce7fd6d7c6cff8
Instruction Fuzzy Hash: B8016FF3E0462026E6606234A945B7E37454BC3BF4F380159F8049B2D2DDE9CC82B290

Function 00F7DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F7DB7B
DispatchMessageW.USER32(?), ref: 00F7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB9F
Sleep.KERNELBASE(0000000A), ref: 00F7DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00FC1CC9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 93e3f917b2fa8956970e72c38f676026257e2b627d3fd5ed84d47b0d129991a8
Instruction ID: 329cfd01b9d6ad1c44698b96ca3d4d9f2e1f95c0eac9905fb5a2b97b5b452762
Opcode Fuzzy Hash: 93e3f917b2fa8956970e72c38f676026257e2b627d3fd5ed84d47b0d129991a8
Instruction Fuzzy Hash: FEF03A31A443419BF730CB649D89FEA73B8BF85320F504619F69E930C0DB35A488AB16

Function 00F81310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F817F6

Strings

CALL, xrefs: 00F817C6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1134287d33a203daeca2ca94ccd268bb9892dc7fff978a4bbc563fadc63febed
Instruction ID: aa2ef1a9869f19b89322381502ab93a4e524d77f8b67ee48aa5598a4d6fbc874
Opcode Fuzzy Hash: 1134287d33a203daeca2ca94ccd268bb9892dc7fff978a4bbc563fadc63febed
Instruction Fuzzy Hash: 8322AD706082419FC714EF14C881F6ABBF5BF85314F288A6DF4968B361D735E846EB82

Function 00F72DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FB2C8C

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00F72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F72DC4

Strings

X, xrefs: 00FB2C5A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 36256892bdab3a288f6130562492431dfbeba4392574ea242543715da48b2b21
Instruction ID: 7a68385f091281d69770b20a78cedd9dc7661ac8a4207daccf273027ddaf1ca3
Opcode Fuzzy Hash: 36256892bdab3a288f6130562492431dfbeba4392574ea242543715da48b2b21
Instruction Fuzzy Hash: 0521C671E00258ABDB51DF94CC45BEE7BFCAF49314F00805AE449A7241DBB85A499F61

Function 00F73837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F73908

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cf0996eea66e3f5d6a97505bc9bce91622557acefbbf557d33cb1bc91904fa46
Instruction ID: 4792b95ecd1c34938872ca62c72f1c13297a0271364a638f91c0b4d03f364d35
Opcode Fuzzy Hash: cf0996eea66e3f5d6a97505bc9bce91622557acefbbf557d33cb1bc91904fa46
Instruction Fuzzy Hash: 7C3191B1904301AFE721DF24D584B97BBE8FB49719F00492EF5DA83240E776AA44EB53

Function 00F8F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F8F661

Part of subcall function 00F7D730: GetInputState.USER32 ref: 00F7D807

Sleep.KERNEL32(00000000), ref: 00FCF2DE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8139a9d34f922069798dfb94aeff0b1ae37fe02c13c6a3b45619d0135bf1c407
Instruction ID: 00e700f5dd814e44bd2ce5cf6ea6f3c96146aa41c0384e22aa21db3d1cec7b72
Opcode Fuzzy Hash: 8139a9d34f922069798dfb94aeff0b1ae37fe02c13c6a3b45619d0135bf1c407
Instruction Fuzzy Hash: 04F08C312402059FD314EF69D949BAAB7E9FF46761F00416AE85DC7290DB70A800DB92

Function 00F74ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E9C
Part of subcall function 00F74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F74EAE
Part of subcall function 00F74E90: FreeLibrary.KERNEL32(00000000,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EFD

Part of subcall function 00F74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E62
Part of subcall function 00F74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74E74
Part of subcall function 00F74E59: FreeLibrary.KERNEL32(00000000,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E87

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 265c41748fadf20a985728e32a625591fcf42ebd0985fe83ea53d30fa0ba87ae
Instruction ID: 99b719eb55ff3e4fd486ae4c901f871aff8342ffc12b2b0d8d75c08c26c2a0a6
Opcode Fuzzy Hash: 265c41748fadf20a985728e32a625591fcf42ebd0985fe83ea53d30fa0ba87ae
Instruction Fuzzy Hash: 8F11C432600205AADB15AB61DD12BED77A59F40B10F10C42EF54AAB1C1EFB8AA05BB51

Function 00FA8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FA8440

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 84835761c31cc6e62d461e4eeefb6511dab8c415dc2eb71a316e6fa4ee9528ad
Instruction ID: 4d69d9b312fb724695bde263352790175a55142eb65d0b04561ab26ed663d854
Opcode Fuzzy Hash: 84835761c31cc6e62d461e4eeefb6511dab8c415dc2eb71a316e6fa4ee9528ad
Instruction Fuzzy Hash: E31148B590420AAFCB05DF58E9409DA7BF8EF49310F104059FC08AB302DA71EA12DBA4

Function 00FA5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA4C7D: RtlAllocateHeap.NTDLL(00000008,00F71129,00000000,?,00FA2E29,00000001,00000364,?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?), ref: 00FA4CBE

_free.LIBCMT ref: 00FA506C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: aacab9c0f7aa4a30524d715863d8915661d78d3ec9ce94941d134d982d07ce43
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3A0149B26047056BE331CF69DC81A5AFBECFB8A370F25051DE584832C0EA70A805C7B4

Function 00F9E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9dedec9bfae141bf83fdd74b233568bdf357c658943d11acf07e5057a18b0be8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 93F0F972920E1496EF317A69CC05B5633989F93370F100715F420962D1DBB8D806B9A5

Function 00FA4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F71129,00000000,?,00FA2E29,00000001,00000364,?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?), ref: 00FA4CBE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3680b65f1a2d96a71930a4d16a5e4713649527b1ce785bbc02a27c27d49aaf8f
Instruction ID: a9dcd464d3cdb61d724def35e2a7f1b61d036f19490a4e7d2bab3e5b0c8d14e5
Opcode Fuzzy Hash: 3680b65f1a2d96a71930a4d16a5e4713649527b1ce785bbc02a27c27d49aaf8f
Instruction Fuzzy Hash: FAF0B472A0623467EB215F629D05F5A3788AFD37B1B144221B81DE7184CAF5F80176A0

Function 00FA3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcd5ae013021821f79e2f0ae616667ee8b1ae69a7aec52818e5b28fb8268fd3a
Instruction ID: 7d29e7ea762b97cd663ccfd01e93e8484e2aa7ecf301f9076b4ddf430abbf333
Opcode Fuzzy Hash: fcd5ae013021821f79e2f0ae616667ee8b1ae69a7aec52818e5b28fb8268fd3a
Instruction Fuzzy Hash: C8E0E57390122457EA3127669C04F9A374CAF437B0F050120BC4492480DB2DED01B2E0

Function 00F74F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74F6D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d378f0a611108971b9a6dbfcf3cd6fff6146fab6d7c4cd772d664a5cd85bcebd
Instruction ID: 94363479a80cbefe089a528ac8e49db53890bd0be98505607d45cb597baf1e0a
Opcode Fuzzy Hash: d378f0a611108971b9a6dbfcf3cd6fff6146fab6d7c4cd772d664a5cd85bcebd
Instruction Fuzzy Hash: ADF01571505752CFDB349F64D4A09A2BBE4AF15329320CA6FE1EE83610C732A844EB12

Function 00F730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F7314E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 752f0034d3b2f2844690dc8524750c9e4356c829b32894a4a8bd5c4e40272310
Instruction ID: 1da424ca6d113cf5341071ef3ca239df387b1dcef6204f5f02b06c1a999ebf96
Opcode Fuzzy Hash: 752f0034d3b2f2844690dc8524750c9e4356c829b32894a4a8bd5c4e40272310
Instruction Fuzzy Hash: 84F0A7B0900314AFEB729B24D8857D57BFCA701708F0040E5A18896185DB7957C8CF41

Function 00F72DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F72DC4

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5b9b59ee94864f4bc657173af0b46884865964e993ac441ba15fcf85c3e3fe49
Instruction ID: e5318910c09dbffff60a5071cd6b44872a5a7fa7085bad612d2db8581f5c10c1
Opcode Fuzzy Hash: 5b9b59ee94864f4bc657173af0b46884865964e993ac441ba15fcf85c3e3fe49
Instruction Fuzzy Hash: CAE0CD726001245BC72192589C05FEA77DDDFC8790F0441B1FD0DD7249D964AD80C651

Function 00F72B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F73908

Part of subcall function 00F7D730: GetInputState.USER32 ref: 00F7D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F72B6B

Part of subcall function 00F730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F7314E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 92c2dbee79d4a94da6d792bc80df5487208073ab69f9e3c276968f2f6ab41b9d
Instruction ID: e7f1193852df1ca60c890135cd07de65dd1c6dd31f693138bc02e2c0a0104322
Opcode Fuzzy Hash: 92c2dbee79d4a94da6d792bc80df5487208073ab69f9e3c276968f2f6ab41b9d
Instruction Fuzzy Hash: B3E0263270420813CA18BB34AC5246DB7599BD1311F40853FF18A43193CF3D46866313

Function 00FB039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FB0704,?,?,00000000,?,00FB0704,00000000,0000000C), ref: 00FB03B7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37ded99acdf855b8694d83418399497ff884219fae108be6537b49f59cef3a1f
Instruction ID: 4faea014995c396adef58e92be4bf2020c5e11d5618a69bca7699a7bcda40579
Opcode Fuzzy Hash: 37ded99acdf855b8694d83418399497ff884219fae108be6537b49f59cef3a1f
Instruction Fuzzy Hash: FAD06C3204010DBBDF128F84DD06EDA3BAAFB48714F014140BE5856020C736E821AB90

Function 00F71CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F71CBC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 21c64c451f578a45877e897376b2f297a0d84baaef84735098f3d44121993e72
Instruction ID: c283d19d0d1154372cfcbe018f60de7f984211b5f97a6a76a755aff9ade13289
Opcode Fuzzy Hash: 21c64c451f578a45877e897376b2f297a0d84baaef84735098f3d44121993e72
Instruction Fuzzy Hash: 98C09B7D380304EFF2354780BE8AF107755A348F01F048001F689555C7C3B71490D750

Non-executed Functions

Function 01009576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0100961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0100965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0100969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010096C9
SendMessageW.USER32 ref: 010096F2
GetKeyState.USER32(00000011), ref: 0100978B
GetKeyState.USER32(00000009), ref: 01009798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010097AE
GetKeyState.USER32(00000010), ref: 010097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010097E9
SendMessageW.USER32 ref: 01009810
SendMessageW.USER32(?,00001030,?,01007E95), ref: 01009918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0100992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01009941
SetCapture.USER32(?), ref: 0100994A
ClientToScreen.USER32(?,?), ref: 010099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010099D6
ReleaseCapture.USER32 ref: 010099E1
GetCursorPos.USER32(?), ref: 01009A19
ScreenToClient.USER32(?,?), ref: 01009A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01009A80
SendMessageW.USER32 ref: 01009AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01009AEB
SendMessageW.USER32 ref: 01009B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01009B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01009B4A
GetCursorPos.USER32(?), ref: 01009B68
ScreenToClient.USER32(?,?), ref: 01009B75
GetParent.USER32(?), ref: 01009B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01009BFA
SendMessageW.USER32 ref: 01009C2B
ClientToScreen.USER32(?,?), ref: 01009C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01009CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01009CDE
SendMessageW.USER32 ref: 01009D01
ClientToScreen.USER32(?,?), ref: 01009D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01009D82

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

GetWindowLongW.USER32(?,000000F0), ref: 01009E05

Strings

@GUI_DRAGID, xrefs: 0100997D
F, xrefs: 01009D07

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: be68022390f6e79ab188765efff417d7fa643270626bd1f367551a2ef33314e7
Instruction ID: c664ea7808c32573b94e92e598eda9b289f5f47fbb8b61f19fd169350589d353
Opcode Fuzzy Hash: be68022390f6e79ab188765efff417d7fa643270626bd1f367551a2ef33314e7
Instruction Fuzzy Hash: 7C429F75208201AFF726CF28CD84AAABBE5FF4D314F040699F6D9872E2D735A850CB51

Function 01004873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01004908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01004927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0100494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0100495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0100497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01004A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01004A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01004A7E
IsMenu.USER32(?), ref: 01004A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01004AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01004B20
GetWindowLongW.USER32(?,000000F0), ref: 01004B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01004BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01004C82
wsprintfW.USER32 ref: 01004CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01004CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01004CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01004D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01004D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01004D5A

Strings

%d/%02d/%02d, xrefs: 01004CA8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: cf14c2b4a6dbaa1a6f93edf6d6d6eee11597b896190b84905df8ed00523632b7
Instruction ID: a87b51c24d950267f1396e4bcc04b57030d5ff49fc039c66914c39655069c54b
Opcode Fuzzy Hash: cf14c2b4a6dbaa1a6f93edf6d6d6eee11597b896190b84905df8ed00523632b7
Instruction Fuzzy Hash: 2212E071500214ABFB369F28CD49FAE7BF8EF85310F0042A9F695DA2D1DB789941CB54

Function 00F8F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F8F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FCF474
IsIconic.USER32(00000000), ref: 00FCF47D
ShowWindow.USER32(00000000,00000009), ref: 00FCF48A
SetForegroundWindow.USER32(00000000), ref: 00FCF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCF4AA
GetCurrentThreadId.KERNEL32 ref: 00FCF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FCF4DE
SetForegroundWindow.USER32(00000000), ref: 00FCF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF4F6
keybd_event.USER32(00000012,00000000), ref: 00FCF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF50B
keybd_event.USER32(00000012,00000000), ref: 00FCF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF519
keybd_event.USER32(00000012,00000000), ref: 00FCF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF528
keybd_event.USER32(00000012,00000000), ref: 00FCF52D
SetForegroundWindow.USER32(00000000), ref: 00FCF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FCF557

Strings

Shell_TrayWnd, xrefs: 00FCF46F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 816e9d1c0e9ae2c918f0dad446d5c1ad487ac1db11adcee2879a380568a4f636
Instruction ID: de9e4a708187afdcb879b4985bc4ff78bc9e1317e704b66071adc519a33333b6
Opcode Fuzzy Hash: 816e9d1c0e9ae2c918f0dad446d5c1ad487ac1db11adcee2879a380568a4f636
Instruction Fuzzy Hash: 1E319271A40218BFFB316BB58D4AFBF7E6DEB44B50F140569FA00E61C1C6B65D00ABA0

Function 00FD1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
Part of subcall function 00FD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
Part of subcall function 00FD16C3: GetLastError.KERNEL32 ref: 00FD174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FD1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FD12A8
CloseHandle.KERNEL32(?), ref: 00FD12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FD12D1
GetProcessWindowStation.USER32 ref: 00FD12EA
SetProcessWindowStation.USER32(00000000), ref: 00FD12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FD1310

Part of subcall function 00FD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD11FC), ref: 00FD10D4
Part of subcall function 00FD10BF: CloseHandle.KERNEL32(?,?,00FD11FC), ref: 00FD10E9

Strings

, xrefs: 00FD125A
default, xrefs: 00FD130B
winsta0, xrefs: 00FD12CC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 75d576b6c2d7f392ecac059bb9293010693610bfb98a107a5fb956685af742b2
Instruction ID: 42254577d1659fea6c4981421b400579f9511eb12abd342da62fd080f26634d3
Opcode Fuzzy Hash: 75d576b6c2d7f392ecac059bb9293010693610bfb98a107a5fb956685af742b2
Instruction Fuzzy Hash: DB819D71900208BBEF21DFA4DD49FEE7BBAFF06710F18416AF910A6290C7759955EB20

Function 00FD0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
Part of subcall function 00FD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
Part of subcall function 00FD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
Part of subcall function 00FD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FD0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FD0C00
GetLengthSid.ADVAPI32(?), ref: 00FD0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FD0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FD0C6D
GetLengthSid.ADVAPI32(?), ref: 00FD0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FD0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FD0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FD0CB4
CopySid.ADVAPI32(00000000), ref: 00FD0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FD0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FD0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FD0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D45
HeapFree.KERNEL32(00000000), ref: 00FD0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D55
HeapFree.KERNEL32(00000000), ref: 00FD0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D65
HeapFree.KERNEL32(00000000), ref: 00FD0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD0D78
HeapFree.KERNEL32(00000000), ref: 00FD0D7F

Part of subcall function 00FD1193: GetProcessHeap.KERNEL32(00000008,00FD0BB1,?,00000000,?,00FD0BB1,?), ref: 00FD11A1
Part of subcall function 00FD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FD0BB1,?), ref: 00FD11A8
Part of subcall function 00FD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FD0BB1,?), ref: 00FD11B7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3d0d5b20ff3bb529c631f85b168b5c5b65371ac575687397d6294677fc9f97cd
Instruction ID: e580448a40ce55f2a22f22bac34fb50363681b2b8017b4278cb927f751c7d81e
Opcode Fuzzy Hash: 3d0d5b20ff3bb529c631f85b168b5c5b65371ac575687397d6294677fc9f97cd
Instruction Fuzzy Hash: DD715C71D0020AABEF11DFA4DD44FEEBBBABF05310F084656F954A7280DB75A905DB60

Function 00FEEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0100CC08), ref: 00FEEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FEEB37
GetClipboardData.USER32(0000000D), ref: 00FEEB43
CloseClipboard.USER32 ref: 00FEEB4F
GlobalLock.KERNEL32(00000000), ref: 00FEEB87
CloseClipboard.USER32 ref: 00FEEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FEEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FEEBC9
GetClipboardData.USER32(00000001), ref: 00FEEBD1
GlobalLock.KERNEL32(00000000), ref: 00FEEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FEEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FEEC38
GetClipboardData.USER32(0000000F), ref: 00FEEC44
GlobalLock.KERNEL32(00000000), ref: 00FEEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FEEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FEEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FEECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FEECF3
CountClipboardFormats.USER32 ref: 00FEED14
CloseClipboard.USER32 ref: 00FEED59

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 1cf4b3f311d612e3222cfc7c983985a9e4468bb2fb3963b9a331483a8b8f788e
Instruction ID: 4bf68e4ef7513a134201f07dd76fe7e0a117697e9b2d25092036828de52ddf45
Opcode Fuzzy Hash: 1cf4b3f311d612e3222cfc7c983985a9e4468bb2fb3963b9a331483a8b8f788e
Instruction Fuzzy Hash: 956123342043419FE321EF21ED84F2A77A4AF84710F14865DF49A87292DB76ED09EB62

Function 00FE698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE69BE
FindClose.KERNEL32(00000000), ref: 00FE6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FE6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FE6A75

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FE6B32
%03d, xrefs: 00FE6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00FE6B6A
%4d, xrefs: 00FE6BB1
%02d, xrefs: 00FE6C00, 00FE6C0A, 00FE6C5A, 00FE6CAA, 00FE6CFA, 00FE6D4A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8f84a82404628a6dafe89c2550bd1721acba1565ca0b01a373b9f700550f3e10
Instruction ID: 9861446543826c4e07a12d00c702279a10b82068dde5549cd653c695be189651
Opcode Fuzzy Hash: 8f84a82404628a6dafe89c2550bd1721acba1565ca0b01a373b9f700550f3e10
Instruction Fuzzy Hash: 3DD15072508344AEC710EB60CC81EABB7ECAF98704F44491EF589C7191EB78DA48DB63

Function 00FE9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FE9663
GetFileAttributesW.KERNEL32(?), ref: 00FE96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FE96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FE96D3
FindClose.KERNEL32(00000000), ref: 00FE96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FE96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE974A
SetCurrentDirectoryW.KERNEL32(01036B7C), ref: 00FE9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE9772
FindClose.KERNEL32(00000000), ref: 00FE977F
FindClose.KERNEL32(00000000), ref: 00FE978F

Strings

*.*, xrefs: 00FE96F5

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 52ebe1c70e1ecac7806abfb06c48c58e02710755269debb7dba0e6b98aba60b7
Instruction ID: 77b1bf863dd8bd801b70cfb46ed1413e6815aac007e868a2dcf0b619be72a0bb
Opcode Fuzzy Hash: 52ebe1c70e1ecac7806abfb06c48c58e02710755269debb7dba0e6b98aba60b7
Instruction Fuzzy Hash: A93106329042597EEF25EFB6DD08ADE77AC9F49320F1041A6F854E2091DB75DE449F20

Function 00FE979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FE97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FE9819
FindClose.KERNEL32(00000000), ref: 00FE9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FE9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE9890
SetCurrentDirectoryW.KERNEL32(01036B7C), ref: 00FE98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE98B8
FindClose.KERNEL32(00000000), ref: 00FE98C5
FindClose.KERNEL32(00000000), ref: 00FE98D5

Part of subcall function 00FDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FDDB00

Strings

*.*, xrefs: 00FE983B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 2aa1f75cd66c0e97b4173997f86aeb2d39a7e1e4a09510ab7088d64804c3cc7e
Instruction ID: f989de43332e39d8e7f40c31b0a7465a399e8786cf226fb1aa2816dfd6b8d1b0
Opcode Fuzzy Hash: 2aa1f75cd66c0e97b4173997f86aeb2d39a7e1e4a09510ab7088d64804c3cc7e
Instruction Fuzzy Hash: 283116319042496AEF25EFB6DC48ADE33AC9F46330F1041A9E840A21A0DB75DF84DB30

Function 00FFBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FFBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FFBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FFC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FFC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FFC382
RegCloseKey.ADVAPI32(00000000), ref: 00FFC38F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 02216eb85a5fe49ff97729ca976a0a4d6d5ffb6c2e8e88cea01d6cf4aa10767c
Instruction ID: 342216114c451016494bbe25d2ebaf6c025117e8dcfec2448cb703a8e948228c
Opcode Fuzzy Hash: 02216eb85a5fe49ff97729ca976a0a4d6d5ffb6c2e8e88cea01d6cf4aa10767c
Instruction Fuzzy Hash: 36028D716042049FD714DF24C981E2ABBE5EF89318F18C49DF94ACB2A2DB31EC45DB92

Function 00FE8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FE8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FE8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FE8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FE838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8395

Strings

*.*, xrefs: 00FE839B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7cee4d7039141963cecbbab1900b9c3ad62dac23d423d0581e5a39a3d53ce3fe
Instruction ID: 52d5d50698c14bb669d7ee4ecf98c979328de682384ef65e5215a6c002601a4f
Opcode Fuzzy Hash: 7cee4d7039141963cecbbab1900b9c3ad62dac23d423d0581e5a39a3d53ce3fe
Instruction Fuzzy Hash: 3B619C725043459FDB10EF61C84099EB3E8FF89314F04891EF98D97251DB39E906DB92

Function 00FDD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FDD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FDD1DD
MoveFileW.KERNEL32(?,?), ref: 00FDD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FDD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FDD237

Part of subcall function 00FDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FDD21C,?,?), ref: 00FDD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FDD253
FindClose.KERNEL32(00000000), ref: 00FDD264

Strings

\*.*, xrefs: 00FDD0CD, 00FDD0D6, 00FDD0EB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1158ee8e3ba8fefe51ff83619df9be5c24eb667c635ff3f0bb37a26f10abeb7d
Instruction ID: a53cdd0d151c771f6dbf45bc050f1ce47bd2c2ba2b939ed40895969cbce3dce6
Opcode Fuzzy Hash: 1158ee8e3ba8fefe51ff83619df9be5c24eb667c635ff3f0bb37a26f10abeb7d
Instruction Fuzzy Hash: B2618E31C0510DAADF15EBE0CE92DEDB776AF54300F288166E40577292EB395F09EB62

Function 00FEED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FEED91
EmptyClipboard.USER32 ref: 00FEED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FEEDAC
CloseClipboard.USER32 ref: 00FEEEA3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 66145abe12413af5447e5fd1fb95cc2892620a2e6f0730500d4e2bc42e1a60a0
Instruction ID: 794326ad4fc412b22db81150550767a1a097c917b921214c069286064955ee6e
Opcode Fuzzy Hash: 66145abe12413af5447e5fd1fb95cc2892620a2e6f0730500d4e2bc42e1a60a0
Instruction Fuzzy Hash: 3B41CF35604251AFE331DF16E888F19BBE1EF44328F15C199E45A8B662C73AFC41DB90

Function 00FDE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
Part of subcall function 00FD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
Part of subcall function 00FD16C3: GetLastError.KERNEL32 ref: 00FD174A

ExitWindowsEx.USER32(?,00000000), ref: 00FDE932

Strings

, xrefs: 00FDE95C
SeShutdownPrivilege, xrefs: 00FDE902
, xrefs: 00FDE920
@, xrefs: 00FDE925

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e4d48a2be197491f8492fa986f8007648270513a343833110e5c50cd13670ae9
Instruction ID: 5fae3cbdb8987d81ab8a1848d95d8ca039613b65bfd8ca5bd1da4a6a13d2adad
Opcode Fuzzy Hash: e4d48a2be197491f8492fa986f8007648270513a343833110e5c50cd13670ae9
Instruction Fuzzy Hash: 6C014973A11211BBFB2432B49C9AFBF725EA714750F1C0927FC43EA3C1D6A55C40A291

Function 00FF1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FF1276
WSAGetLastError.WSOCK32 ref: 00FF1283
bind.WSOCK32(00000000,?,00000010), ref: 00FF12BA
WSAGetLastError.WSOCK32 ref: 00FF12C5
closesocket.WSOCK32(00000000), ref: 00FF12F4
listen.WSOCK32(00000000,00000005), ref: 00FF1303
WSAGetLastError.WSOCK32 ref: 00FF130D
closesocket.WSOCK32(00000000), ref: 00FF133C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: c5ee56e21c542754a3fa06d4c07f8df83b01971153294f8495d94da268def161
Instruction ID: d2a8fe8df7b49ddaf4fdd06d3666250bc9430e2f0fac2def53304b22c1d716b9
Opcode Fuzzy Hash: c5ee56e21c542754a3fa06d4c07f8df83b01971153294f8495d94da268def161
Instruction Fuzzy Hash: F2419331A00104DFD720DF64C584B29BBE5BF46328F188189D9569F2E6C775ED81DBE1

Function 00FAB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FAB9D4
_free.LIBCMT ref: 00FAB9F8
_free.LIBCMT ref: 00FABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01013700), ref: 00FABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0104121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01041270,000000FF,?,0000003F,00000000,?), ref: 00FABC36
_free.LIBCMT ref: 00FABD4B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5ffe9b65455af65eb91c03945a949e3e753c913179b7d0408a132e75ff0f81bf
Instruction ID: 709927be68b8ac5cbe65d56dd712efd5997e471463bb995031223d4c69be4244
Opcode Fuzzy Hash: 5ffe9b65455af65eb91c03945a949e3e753c913179b7d0408a132e75ff0f81bf
Instruction Fuzzy Hash: F3C147F1E04244AFDB209F68DD41BAA7BB8EF47320F14419AE890D7247EB399E41E750

Function 00FDD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FDD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FDD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FDD481
FindClose.KERNEL32(00000000), ref: 00FDD498
FindClose.KERNEL32(00000000), ref: 00FDD4A1

Strings

\*.*, xrefs: 00FDD3F2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: af763d062607d2f64b0309a74d467a47950c704e4088942ffe3cdbb8869daa1b
Instruction ID: 3cd919e493eb0e087bd3ada50df99fc939561e3430b4a5433c65ad18d3564437
Opcode Fuzzy Hash: af763d062607d2f64b0309a74d467a47950c704e4088942ffe3cdbb8869daa1b
Instruction Fuzzy Hash: 0631A4314083459BC315EF60CC518AF77A9AE92314F448A1EF4D953291EB35AA09E763

Function 00FAE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FAE645

Strings

1#IND, xrefs: 00FAF83D
1#QNAN, xrefs: 00FAF84B
1#SNAN, xrefs: 00FAF844
1#INF, xrefs: 00FAF852

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8f119886bb527f5d8cc982bbce8f42632d339c6e91d7e4c68ba8b0247738edaa
Instruction ID: 080e576cd5f3bf1f3285590d03431a022502bf1a8fef701d17eb9302712a26d1
Opcode Fuzzy Hash: 8f119886bb527f5d8cc982bbce8f42632d339c6e91d7e4c68ba8b0247738edaa
Instruction Fuzzy Hash: CAC25EB2E046288FDF25CE68DD407EAB7B5EB4A314F1441EAD44DE7240E778AE859F40

Function 00FE648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE64DC
CoInitialize.OLE32(00000000), ref: 00FE6639
CoCreateInstance.OLE32(0100FCF8,00000000,00000001,0100FB68,?), ref: 00FE6650
CoUninitialize.OLE32 ref: 00FE68D4

Strings

.lnk, xrefs: 00FE64BA, 00FE6524, 00FE65E0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 32adf7c0a1243757eaa8b1743affd76a36c07707066be705db1865f1b8df3084
Instruction ID: 3a46fed7dee34261eec50954e90687163bc34f58f9ed43e3c9046530431a3b36
Opcode Fuzzy Hash: 32adf7c0a1243757eaa8b1743affd76a36c07707066be705db1865f1b8df3084
Instruction Fuzzy Hash: 54D15971608345AFD314EF24C881D6BB7E8BF94304F04895DF5998B2A1EB70E905DBA2

Function 00FF22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FF22E8

Part of subcall function 00FEE4EC: GetWindowRect.USER32(?,?), ref: 00FEE504

GetDesktopWindow.USER32 ref: 00FF2312
GetWindowRect.USER32(00000000), ref: 00FF2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FF2355
GetCursorPos.USER32(?), ref: 00FF2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FF23DF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 78337a1aedb7dad1fa3a0c95bc3a0e8d42ff23a9ccc88dd77b6709809838b086
Instruction ID: 2599eb2f51a1598edb6b7a0cd30cb402ac8bc4c8e0a68a02d7e54c39485a4aab
Opcode Fuzzy Hash: 78337a1aedb7dad1fa3a0c95bc3a0e8d42ff23a9ccc88dd77b6709809838b086
Instruction Fuzzy Hash: FF31E3B2505319AFD721DF14C845F6BBBAAFF88314F000A19F98597191DB79E908CB92

Function 00FE9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FE9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FE9C8B

Part of subcall function 00FE3874: GetInputState.USER32 ref: 00FE38CB
Part of subcall function 00FE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FE9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FE9C75

Strings

*.*, xrefs: 00FE9B5D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 511fbab75f2c9fce5fbb1e953af5a6c85eb202ff42e45eec4cf364178d40fcf2
Instruction ID: 00f060b6359389600fe052a2828c80e9c42e1933f7d8ee0038ec1923872eaa87
Opcode Fuzzy Hash: 511fbab75f2c9fce5fbb1e953af5a6c85eb202ff42e45eec4cf364178d40fcf2
Instruction Fuzzy Hash: F041E271C0824AAFDF25EF69CD45AEE7BB8EF05310F204196E405A2191EB749F84EF61

Function 00F8997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F89A4E
GetSysColor.USER32(0000000F), ref: 00F89B23
SetBkColor.GDI32(?,00000000), ref: 00F89B36

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 18e46d58c6c01fd839ace901fbfddd10f8449cf122a0daa70f2dee0ca27d9d10
Instruction ID: 6d7291e90a5a3c54b090d22feca0a73450c33db3e926124eb2678fe5c223929d
Opcode Fuzzy Hash: 18e46d58c6c01fd839ace901fbfddd10f8449cf122a0daa70f2dee0ca27d9d10
Instruction Fuzzy Hash: 3EA13A7160C505BEE729BA2C8D89FFB369DEB82360F18020DF542C69C5CA6A9D41F771

Function 00FF1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
Part of subcall function 00FF304E: _wcslen.LIBCMT ref: 00FF309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FF185D
WSAGetLastError.WSOCK32 ref: 00FF1884
bind.WSOCK32(00000000,?,00000010), ref: 00FF18DB
WSAGetLastError.WSOCK32 ref: 00FF18E6
closesocket.WSOCK32(00000000), ref: 00FF1915

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f27cd5d93f69b2c3a5f556e2516cab9fd21829d6c668a7b52dee18c91639016b
Instruction ID: 2c2218ae68eb96f73f60005169ce154ab7a389fa07f28f887a9e33384221df8b
Opcode Fuzzy Hash: f27cd5d93f69b2c3a5f556e2516cab9fd21829d6c668a7b52dee18c91639016b
Instruction Fuzzy Hash: 2951D371A002009FEB20EF24C886F6A77A5AF44718F088098F9099F393C675AD41DBA1

Function 01001C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01001CC0
IsWindowEnabled.USER32 ref: 01001CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01001CDB
IsIconic.USER32 ref: 01001CE9
IsZoomed.USER32 ref: 01001CF7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f29fbeb0af4f8117fd43f450853fdf92ead71a1eb57530364c59f964bca1790b
Instruction ID: 419a73461d10a0c9a560b4d03d40fa5219bdca3dc8668eec3629aa8410af6414
Opcode Fuzzy Hash: f29fbeb0af4f8117fd43f450853fdf92ead71a1eb57530364c59f964bca1790b
Instruction Fuzzy Hash: A72194317006055FF7229F2AC884F5A7BE5BF95315F1980ADE88A8B281CB76D842CB90

Function 00F78060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F7843C
VUUU, xrefs: 00F783FA
VUUU, xrefs: 00FB5DF0
ERCP, xrefs: 00F7813C
VUUU, xrefs: 00F783E8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6e03d930a43640cd7c6e641e080e8f9e41b6fabddbf2c3b0fb98561619edd55d
Instruction ID: ca7e5863c72129e075453303badee2f46894a18656596981643b3e224c22874c
Opcode Fuzzy Hash: 6e03d930a43640cd7c6e641e080e8f9e41b6fabddbf2c3b0fb98561619edd55d
Instruction Fuzzy Hash: 85A2A171E0021ACBDF24CF59C8447EDB7B1BF44760F2481AAD819A7285DB789D82EF91

Function 00FDAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FDAAAC
SetKeyboardState.USER32(00000080), ref: 00FDAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FDAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FDAB88

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5dc8151e5646cc178cbe55bc9013f455ec3e1cb9031bdae09e296a42fe57e40b
Instruction ID: a5802984c705ea11f73c5594ac1d89b58b91e48aef6dabf5ddecd4ee75f13eb6
Opcode Fuzzy Hash: 5dc8151e5646cc178cbe55bc9013f455ec3e1cb9031bdae09e296a42fe57e40b
Instruction Fuzzy Hash: 6C311E31E40604AEFB359B648C057FA7BA7AB85320F0C431BF181553D1D3798982E75A

Function 00FECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FECE89
GetLastError.KERNEL32(?,00000000), ref: 00FECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FECEFE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c9bf10762f1c2f3a45e66d934b3a4821069865ac1e4b2bb3b995fdc93d80c471
Instruction ID: d31cf666ac04e49c8821331fca1879bca67fd149dfb9a83c25861706e869cd0b
Opcode Fuzzy Hash: c9bf10762f1c2f3a45e66d934b3a4821069865ac1e4b2bb3b995fdc93d80c471
Instruction Fuzzy Hash: 4421BD71900345AFEB30DFA6C949BAA77FCEB40324F10441EF586D2141E775EE06ABA0

Function 00FD8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FD82AA

Strings

(, xrefs: 00FD82F0
|, xrefs: 00FD82DA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 713e4dae68280aaa76a09ffb26755045f239e0027fad2e57160ea1c93de854d8
Instruction ID: 482d248e435e9a0e63b28b4ae3665d5840cdcf86ba82d5aca876788e83f9ec5a
Opcode Fuzzy Hash: 713e4dae68280aaa76a09ffb26755045f239e0027fad2e57160ea1c93de854d8
Instruction Fuzzy Hash: 89324675A007059FCB28CF19C481A6AB7F1FF48760B15C56EE49ADB3A1EB70E942DB40

Function 00FE5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FE5D17
FindClose.KERNEL32(?), ref: 00FE5D5F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0439232c737d40801cf9af98c0521a3f0e712043d21845df526c85d85a51bd77
Instruction ID: ed6fe76a13fbe602996d20aa3c7443575070680eaa90a4714905fe855bd51117
Opcode Fuzzy Hash: 0439232c737d40801cf9af98c0521a3f0e712043d21845df526c85d85a51bd77
Instruction Fuzzy Hash: 4651CE34A046419FC714DF29C894E9AB7E4FF49328F14855EE99A8B3A2CB34ED04DF91

Function 00FA2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FA271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FA2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FA2731

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 32e1c5a6b7165986238ac065137a10c48cebd9759d56fab00658876130cad26d
Instruction ID: 34d40e84978ce7da9638080435382cb37fd4bb0cc9f858718f7b541107b0c218
Opcode Fuzzy Hash: 32e1c5a6b7165986238ac065137a10c48cebd9759d56fab00658876130cad26d
Instruction Fuzzy Hash: 4131D87491121CABDB61DF68DD887DCB7B8AF08310F5041DAE80CA7250E7349F819F44

Function 00FE51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FE5238
SetErrorMode.KERNEL32(00000000), ref: 00FE52A1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a5c25b03ed0d3af56574413606e112dd91608fbb8788c9c16d36e927e88f1eb2
Instruction ID: 83947e8936f078320d50b170bcae42681623870ea7ecf5f23772dd3ef635d1ea
Opcode Fuzzy Hash: a5c25b03ed0d3af56574413606e112dd91608fbb8788c9c16d36e927e88f1eb2
Instruction Fuzzy Hash: 19318E35A00508DFDB00DF54D884EADBBB4FF09318F088099E949AB396CB76E855CBA1

Function 00FD16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F90668
Part of subcall function 00F8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F90685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
GetLastError.KERNEL32 ref: 00FD174A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3260c95ffdeb893582d1f93989f33bfd2f594c1c35790433e138ca79585f1c38
Instruction ID: b96a5fc732d4afc13065854f5c2c8d2bdc101e8771d724507d23bbde63e8af20
Opcode Fuzzy Hash: 3260c95ffdeb893582d1f93989f33bfd2f594c1c35790433e138ca79585f1c38
Instruction Fuzzy Hash: F811BFB2400204BFE728AF54DC86DAAB7BDFB04714B24852EF45652241EB74BC418B20

Function 00FDD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FDD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FDD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FDD650

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c65499ded277a9d57df712ad5f93ef006789865fce94e7cc14e757c496edeeb7
Instruction ID: 8c2b63fa7f80c380e1b7ff1d333f9602c0ffb941b9053a0b4016e8ff2b116c56
Opcode Fuzzy Hash: c65499ded277a9d57df712ad5f93ef006789865fce94e7cc14e757c496edeeb7
Instruction Fuzzy Hash: C8118E71E01228BFEB208F94DC44FAFBBBCEB45B60F108152F904E7280D2704A018BE1

Function 00FD1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FD168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FD16A1
FreeSid.ADVAPI32(?), ref: 00FD16B1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ba95d149fb821f3bc25663f5780b9875f93fe366b5c36b634a069b3e2eaa0c9d
Instruction ID: 3684a44071d3724ee50d75001fa0827898afab171240fb3f6da46973a4b62619
Opcode Fuzzy Hash: ba95d149fb821f3bc25663f5780b9875f93fe366b5c36b634a069b3e2eaa0c9d
Instruction Fuzzy Hash: 3AF04471940308BBEB00CFE08989AAEBBBCFB08200F0045A1F500E2180E335AA048B50

Function 00FAC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00FAC36C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 53f13259a8bd218e3b0f0a2bbccd8a160de13a1eda2d5e4039d50cea1177a46f
Instruction ID: c10437da6dae249ae61e96257c1bbd6e38cc7e775648a459060d2640785fc916
Opcode Fuzzy Hash: 53f13259a8bd218e3b0f0a2bbccd8a160de13a1eda2d5e4039d50cea1177a46f
Instruction Fuzzy Hash: E5415BB69003186FCB20DFB9CC48EBB77B8EB85324F1042A9F905D7180E6709E40DB90

Function 00FCD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FCD28C

Strings

X64, xrefs: 00FCD2A8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f4fc10fb820cdd2e409c75b43c4429195d6d6199012abeeeb6d7007a63aa1aa2
Instruction ID: 6ac9a1ca2cd0f9e13fc2e68fd78097bda86660ed10b8525b393f235b830ed359
Opcode Fuzzy Hash: f4fc10fb820cdd2e409c75b43c4429195d6d6199012abeeeb6d7007a63aa1aa2
Instruction Fuzzy Hash: DBD0C9B580511DEACB94DB90D988EDDB37CBB04305F100295F106A2040D73495499F10

Function 00F9CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: cf1723d9a7813c0fe1bb4733617cb0dc73a4e3feae9491a449bd1d362225534d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 95022D72E002199FDF14DFA9C8806ADFBF1FF88324F25416AD919E7380D731AA419B94

Function 00FE68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE6918
FindClose.KERNEL32(00000000), ref: 00FE6961

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f740b951fc958e138e04198ed2d0d335a5739223b53f82637e742d1d73e94d8b
Instruction ID: 81851a0371c8d55e7d23edb128c12667603e92ce220227b3939aa402ea356b49
Opcode Fuzzy Hash: f740b951fc958e138e04198ed2d0d335a5739223b53f82637e742d1d73e94d8b
Instruction Fuzzy Hash: FB1190316042449FD710DF2AD884A1ABBE5FF85328F14C69DE4698F6A2C734EC05DB91

Function 00FE37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FF4891,?,?,00000035,?), ref: 00FE37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FF4891,?,?,00000035,?), ref: 00FE37F4

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 62811d196099a6a97c0a33fda0f07798d6d0b74d83b0d537738bd362419e5180
Instruction ID: 94981d6f8e4f834092190060bc17adbb2ab7b9c87fe76b6e28e09208b08fbb44
Opcode Fuzzy Hash: 62811d196099a6a97c0a33fda0f07798d6d0b74d83b0d537738bd362419e5180
Instruction Fuzzy Hash: A1F0E5B16092292AEB2117678C4DFEB3BAEEFC4761F000265F509D3285D9649A04D7B0

Function 00FDB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FDB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00FDB270

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d2d865d2ccb740703d321ed38a775a0257d1d34ee2e8e6ca18e2cef90404790f
Instruction ID: 212c812c1fa47c8bf28a43865a79f632a524b56531e5fc4118a57bc169fcce77
Opcode Fuzzy Hash: d2d865d2ccb740703d321ed38a775a0257d1d34ee2e8e6ca18e2cef90404790f
Instruction Fuzzy Hash: AEF01D7580424DABEB169FA0C805BAE7BB4FF04315F04805AF955A5191C37986119F94

Function 00FD10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD11FC), ref: 00FD10D4
CloseHandle.KERNEL32(?,?,00FD11FC), ref: 00FD10E9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 00eee4009760ac06e99acfc3d96f69af4d20cd9b17a1d57281d5952471e6f6bc
Instruction ID: 39261f9250e2d835b204ca264b9d91df23d2d260f4a8908ca7845ed4d76fa94a
Opcode Fuzzy Hash: 00eee4009760ac06e99acfc3d96f69af4d20cd9b17a1d57281d5952471e6f6bc
Instruction Fuzzy Hash: 68E04F32014600BEF7362B11FC09EB377A9EB04320F14892EF5A5804B5DB676CA0EB10

Function 00F7CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00FC0C40

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 472e622584b197492ce5164acd37224dd34d723e782dea4576c121b34998464a
Instruction ID: 64545d508fe38ef71d7c97557e19824274cebd0b17034647b333fcb4974aa6f6
Opcode Fuzzy Hash: 472e622584b197492ce5164acd37224dd34d723e782dea4576c121b34998464a
Instruction Fuzzy Hash: 8C32AE31900219DBDF14DF94C981FEDB7B5BF05314F14806EE80AAB281DB75AD46EBA2

Function 00FA676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FA6766,?,?,00000008,?,?,00FAFEFE,00000000), ref: 00FA6998

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 591e959da23b94b0b15770f715d0cb37c07ad756e50fc558cfa5ac88ef1eb239
Instruction ID: dd987ff6221a0a3b034849ea1e937dc79b839af8dae058a6f6e2bd0c779611f4
Opcode Fuzzy Hash: 591e959da23b94b0b15770f715d0cb37c07ad756e50fc558cfa5ac88ef1eb239
Instruction Fuzzy Hash: 47B15EB2510608DFD715CF28C48AB657BE0FF46364F298658E899CF2A1C739E991DB40

Function 00F8B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00FC851F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f3d09502f3ea8441b501bc7ecae4440df8de28e9e795636fbf840840c034d3f
Instruction ID: e73fb2a14b51c47e9c2da1cc5202f26b600158345bdf7d8378b6537bffd2a9d6
Opcode Fuzzy Hash: 3f3d09502f3ea8441b501bc7ecae4440df8de28e9e795636fbf840840c034d3f
Instruction Fuzzy Hash: C3127F71D0022ADBDB24DF58C981BEEB7B5FF48710F14819AE849EB241DB749E81DB90

Function 00FEEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FEEABD

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ba1f8849396d92b2dafb20d83d1a1f2e9eac06cd94893dcba8aedcb9032a96d0
Instruction ID: eb13ea7dc1e34c8c3162df31c39c55821e5bcf670156ac98afc3fb1d9bd75f78
Opcode Fuzzy Hash: ba1f8849396d92b2dafb20d83d1a1f2e9eac06cd94893dcba8aedcb9032a96d0
Instruction Fuzzy Hash: C5E048352002049FD710DF5AD804E9AF7D9AF59770F00C42AFC49C7351D774E8409B91

Function 00F909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F903EE), ref: 00F909DA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c0ef898a993844408ef40368661d74f69a254c5b36d79816388e1256375430ec
Instruction ID: 004db05c8885d383fee5d96783f1027c2f128469cc679bf6916b6c4b66d084cf
Opcode Fuzzy Hash: c0ef898a993844408ef40368661d74f69a254c5b36d79816388e1256375430ec
Instruction Fuzzy Hash:

Function 00F9781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F9798B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6504e2ccde53075a998bb9c7b210c8a6289ee0b687e40e8794766e43efa0ec2c
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 66516772E3C7055BFF38B528885E7BF6385DB42364F280509E882DB292C619DE06F356

Function 00FA6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb1c485bc45ef01d561531f9d55093d3b060e5e90cb524ed6c2e8aeb0123de1
Instruction ID: e8b8c17ddb9cd3f6234310b69e306da8244ef8278a9ec79bcb62dce2016895cb
Opcode Fuzzy Hash: 7cb1c485bc45ef01d561531f9d55093d3b060e5e90cb524ed6c2e8aeb0123de1
Instruction Fuzzy Hash: DD322272D29F014DD723A534DC22336A689AFB73D5F25C737E81AB5999EB2EC4835200

Function 00F8CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9490369ea636d2b6f68c4a72ad8e85262c1f2f2f16116723e72812a7289d449
Instruction ID: b0acbd89f9c8e774ad7e25b47a1de575dd8439815df6a188dadd53fed9248a37
Opcode Fuzzy Hash: d9490369ea636d2b6f68c4a72ad8e85262c1f2f2f16116723e72812a7289d449
Instruction Fuzzy Hash: 6732F932E001478BCF24DE29C696BBD77A1EB45320F28856ED55E8B291D234DD81FBD0

Function 00F77920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e133da5ca3cb2a8cdf8c18896c8e4aaa7b9b3c022d9662065e085ce79a828e
Instruction ID: e5d7edfd7178925a39d90e57d45c271f3503202d91effe91b14c6f2e06a93d8c
Opcode Fuzzy Hash: f9e133da5ca3cb2a8cdf8c18896c8e4aaa7b9b3c022d9662065e085ce79a828e
Instruction Fuzzy Hash: 9622BF71E04609DFDF14DF69C881BEEB3B6FF48710F14812AE816A7290EB399914EB51

Function 00F791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655ea972be63a0f97ef9dc1c2ee858e706de8a1f4eb550cc9a882b612e5b156b
Instruction ID: 327acd8b4f6cc35b264884e3bf3989bbdb8c0727584d261d5a743f6ad819c52a
Opcode Fuzzy Hash: 655ea972be63a0f97ef9dc1c2ee858e706de8a1f4eb550cc9a882b612e5b156b
Instruction Fuzzy Hash: 9902A3B1E00109EFDB04EF65D881AEDB7B5FF44310F10C169E81A9B291EB75A924EF91

Function 00FA9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e7680656f8f9bc9aecb16168e77450739ef99b5bf680408eab610e3e955786
Instruction ID: 8cfe1dc7cc82162ae13946838f76ab4ecf48461d06e530cca5f1f17fd734d4a4
Opcode Fuzzy Hash: a8e7680656f8f9bc9aecb16168e77450739ef99b5bf680408eab610e3e955786
Instruction Fuzzy Hash: FFB1EF30D2AF404DD22396398821336FA5CBFBB6D5B91D31BFC5678E16EB2A85834240

Function 00F91C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ca5a6c1edfa96352aee6dd70518bf2e7ea0fe3c0f6a1d8fe1613a58726f79dbe
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 49916773A090A34AFF6D463A857417EFFE16A523B131A07BED4F2CA1C5EE209554F620

Function 00F91F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: f5b098b3c954263ee560e6c26f7e1ad62380d46d24a93445cbbb7a8077153beb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F7915673A090A359FFAD4239857413EFFE15A923B131A07ADD4F2CB1D5EE248568F620

Function 00F919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 44e8734edcf96b1791d811e1193c38af858e033393d2446375aa4e7f3ce6dcca
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BB9133726090A34AFF6D467A857407EFFE16A923B231A07BDD4F2CA1C1FD148964B620

Function 00F97A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7d705327bb03ee573dfa1e22f83e9ee49b10a76c5bfdd2b8753866f874d52d
Instruction ID: 60675c65fe4f1ff8336812a99065ee74b2fb85738118e06315a88603e5ca24a2
Opcode Fuzzy Hash: da7d705327bb03ee573dfa1e22f83e9ee49b10a76c5bfdd2b8753866f874d52d
Instruction Fuzzy Hash: 1F618932A3830956FE38BD2C8C91BBE3385EFC1760F14091AE943DB2A5D6199E43B355

Function 00F97CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7e071aa2a03f615793990fa83e52f2274efffbe08240b07d8757bd682e0c60
Instruction ID: 6bdb95cb4d888eb89592313375e70b5201aeac2b6b9a00d46d98fefa5485b03f
Opcode Fuzzy Hash: cb7e071aa2a03f615793990fa83e52f2274efffbe08240b07d8757bd682e0c60
Instruction Fuzzy Hash: 41617972E2870997FE387A288C51BBF3384AF42764F14095BE843DB281DA16AD42B655

Function 00F91706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5f2865e29626974c676b8c34788d7fdd28c5ed34b4269c4e4cc79e0beb5ddefb
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: AE814F73A090A309FF6E427A853443EFFE16A923B131A07ADD4F2CA1C1EE249554F620

Function 00FE2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c26623695748c7a08a5edbfdb5a7feec561fcb65156b15d6300a58608f891d4
Instruction ID: e822489eee89d71f84cc9bc229a51331c4e04bffb2643a58a566774d91812934
Opcode Fuzzy Hash: 9c26623695748c7a08a5edbfdb5a7feec561fcb65156b15d6300a58608f891d4
Instruction Fuzzy Hash: 7921EB727205118BD728CE79C95367E73D9A754320F15862EF4A7C37C4DE3AA904D780

Function 00FF2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FF2B30
DeleteObject.GDI32(00000000), ref: 00FF2B43
DestroyWindow.USER32 ref: 00FF2B52
GetDesktopWindow.USER32 ref: 00FF2B6D
GetWindowRect.USER32(00000000), ref: 00FF2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FF2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FF2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2CF8
GetClientRect.USER32(00000000,?), ref: 00FF2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FF2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D80
GlobalLock.KERNEL32(00000000), ref: 00FF2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D98
GlobalUnlock.KERNEL32(00000000), ref: 00FF2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2DA8
GlobalFree.KERNEL32(00000000), ref: 00FF2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0100FC38,00000000), ref: 00FF2DDB
GlobalFree.KERNEL32(00000000), ref: 00FF2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FF2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FF2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF303F

Strings

, xrefs: 00FF2FC5
static, xrefs: 00FF2D3A, 00FF2E91
AutoIt v3, xrefs: 00FF2CF2
DISPLAY, xrefs: 00FF2EA2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 06691151c2ec2bd98eaa71ccc45ca81594b95425a8869cf56e5023275592b319
Instruction ID: 0ea5969834a3fa56c97e4e71eb81f88ba9269ed8fe6dd525a0aa80b71cd6bb61
Opcode Fuzzy Hash: 06691151c2ec2bd98eaa71ccc45ca81594b95425a8869cf56e5023275592b319
Instruction Fuzzy Hash: DC02A271900208AFDB25DF64CD89EAE7BB9FF49710F048159F915AB2A4CB39ED01DB60

Function 010070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0100712F
GetSysColorBrush.USER32(0000000F), ref: 01007160
GetSysColor.USER32(0000000F), ref: 0100716C
SetBkColor.GDI32(?,000000FF), ref: 01007186
SelectObject.GDI32(?,?), ref: 01007195
InflateRect.USER32(?,000000FF,000000FF), ref: 010071C0
GetSysColor.USER32(00000010), ref: 010071C8
CreateSolidBrush.GDI32(00000000), ref: 010071CF
FrameRect.USER32(?,?,00000000), ref: 010071DE
DeleteObject.GDI32(00000000), ref: 010071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01007230
FillRect.USER32(?,?,?), ref: 01007262
GetWindowLongW.USER32(?,000000F0), ref: 01007284

Part of subcall function 010073E8: GetSysColor.USER32(00000012), ref: 01007421
Part of subcall function 010073E8: SetTextColor.GDI32(?,?), ref: 01007425
Part of subcall function 010073E8: GetSysColorBrush.USER32(0000000F), ref: 0100743B
Part of subcall function 010073E8: GetSysColor.USER32(0000000F), ref: 01007446
Part of subcall function 010073E8: GetSysColor.USER32(00000011), ref: 01007463
Part of subcall function 010073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01007471
Part of subcall function 010073E8: SelectObject.GDI32(?,00000000), ref: 01007482
Part of subcall function 010073E8: SetBkColor.GDI32(?,00000000), ref: 0100748B
Part of subcall function 010073E8: SelectObject.GDI32(?,?), ref: 01007498
Part of subcall function 010073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010074B7
Part of subcall function 010073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010074CE
Part of subcall function 010073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010074DB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 94c8ca3f95fd725ff353ae0900921e08037a8a24f00ce408d4840aa524b55e75
Instruction ID: e50712f7458ee7b50549fbe347c2f881dbc50d50159845cf1c4ee6057732bfc8
Opcode Fuzzy Hash: 94c8ca3f95fd725ff353ae0900921e08037a8a24f00ce408d4840aa524b55e75
Instruction Fuzzy Hash: 9DA1AF72008301AFE7229F64DD48A9B7BE9FB49321F104B59FAE2961D0D73AE944CB51

Function 00F88D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F88E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FC6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FC6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FC6F43

Part of subcall function 00F88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F88BE8,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88FC5

SendMessageW.USER32(?,00001053), ref: 00FC6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FC6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FC6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FC6FB7

Strings

0, xrefs: 00FC6DCF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: dad7cbf000f55c1929eb33947e48b6739f2041de175a30e5fe55b4419f3b1470
Instruction ID: 9d124bbdd210b6c9835024f0c3f49cfe9d39d92e9041d3ea056fb07ffc9721ba
Opcode Fuzzy Hash: dad7cbf000f55c1929eb33947e48b6739f2041de175a30e5fe55b4419f3b1470
Instruction Fuzzy Hash: 1A12ED38A08202AFDB25DF14CA85FA5BBE1FB48321F54456DF485CB251CB36EC92EB51

Function 00FF2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FF273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FF286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FF28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FF28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FF2900
GetClientRect.USER32(00000000,?), ref: 00FF290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FF2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FF2964
GetStockObject.GDI32(00000011), ref: 00FF2974
SelectObject.GDI32(00000000,00000000), ref: 00FF2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FF2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FF2991
DeleteDC.GDI32(00000000), ref: 00FF299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FF29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FF29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FF2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FF2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FF2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FF2A77
GetStockObject.GDI32(00000011), ref: 00FF2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FF2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FF2A97

Strings

static, xrefs: 00FF294F, 00FF2A71
msctls_progress32, xrefs: 00FF2A13
AutoIt v3, xrefs: 00FF28F8
DISPLAY, xrefs: 00FF295A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ead665769233cc88116ce04655d4670ef4fc31174793c2e4ca37dc60acb27498
Instruction ID: 382e432b4f19dfcb4e615b3b807a7ad6ee9a66a7499aa7c91bc99fd68a714a95
Opcode Fuzzy Hash: ead665769233cc88116ce04655d4670ef4fc31174793c2e4ca37dc60acb27498
Instruction Fuzzy Hash: 56B16FB5A40209AFEB24DF68CD85FAE7BA9EF08711F008255FA54E72D0D775AD40CB90

Function 00FE4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE4AED
GetDriveTypeW.KERNEL32(?,0100CB68,?,\\.\,0100CC08), ref: 00FE4BCA
SetErrorMode.KERNEL32(00000000,0100CB68,?,\\.\,0100CC08), ref: 00FE4D36

Strings

SAS, xrefs: 00FE4CC9
SSA, xrefs: 00FE4CA6
Network, xrefs: 00FE4C02
SSD, xrefs: 00FE4C4A
ATA, xrefs: 00FE4C98
USB, xrefs: 00FE4CB4
Virtual, xrefs: 00FE4CE5
RAMDisk, xrefs: 00FE4BF4
iSCSI, xrefs: 00FE4CC2
MMC, xrefs: 00FE4CDE
\\.\, xrefs: 00FE4B3F
Removable, xrefs: 00FE4C10, 00FE4C15
Unknown, xrefs: 00FE4BED, 00FE4C83
RAID, xrefs: 00FE4CBB
SATA, xrefs: 00FE4CD0
SCSI, xrefs: 00FE4C8A
Fibre, xrefs: 00FE4CAD
PhysicalDrive, xrefs: 00FE4B76
CDROM, xrefs: 00FE4BFB
Fixed, xrefs: 00FE4C09
1394, xrefs: 00FE4C9F
ATAPI, xrefs: 00FE4C91
FileBackedVirtual, xrefs: 00FE4CEC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ee3e2fe55576997a1ab7220f8f210f2108df8d3bdf46a3a20644686e82ab4826
Instruction ID: 08d3262e617effef0ba46ea6724fad3a7d7062293d5c93cbdb748b96472238b1
Opcode Fuzzy Hash: ee3e2fe55576997a1ab7220f8f210f2108df8d3bdf46a3a20644686e82ab4826
Instruction Fuzzy Hash: FC61F731A05145ABCB14EF1ACA81E6877B5AB85300B34802EF44A9F691DB36FE41FB42

Function 010073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01007421
SetTextColor.GDI32(?,?), ref: 01007425
GetSysColorBrush.USER32(0000000F), ref: 0100743B
GetSysColor.USER32(0000000F), ref: 01007446
CreateSolidBrush.GDI32(?), ref: 0100744B
GetSysColor.USER32(00000011), ref: 01007463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01007471
SelectObject.GDI32(?,00000000), ref: 01007482
SetBkColor.GDI32(?,00000000), ref: 0100748B
SelectObject.GDI32(?,?), ref: 01007498
InflateRect.USER32(?,000000FF,000000FF), ref: 010074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0100752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01007554
InflateRect.USER32(?,000000FD,000000FD), ref: 01007572
DrawFocusRect.USER32(?,?), ref: 0100757D
GetSysColor.USER32(00000011), ref: 0100758E
SetTextColor.GDI32(?,00000000), ref: 01007596
DrawTextW.USER32(?,010070F5,000000FF,?,00000000), ref: 010075A8
SelectObject.GDI32(?,?), ref: 010075BF
DeleteObject.GDI32(?), ref: 010075CA
SelectObject.GDI32(?,?), ref: 010075D0
DeleteObject.GDI32(?), ref: 010075D5
SetTextColor.GDI32(?,?), ref: 010075DB
SetBkColor.GDI32(?,?), ref: 010075E5

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 56f5f83227d3037f4894b82ab146f4b6006056aa6149588ca18ecdbf723eddea
Instruction ID: 202aeff075e775fd5ed29afb76242ae8fd7ca8ab4675313105ac1efaac1b6a11
Opcode Fuzzy Hash: 56f5f83227d3037f4894b82ab146f4b6006056aa6149588ca18ecdbf723eddea
Instruction Fuzzy Hash: 45619371900218AFEF129FA4DC48EDE7FB9EB09321F114251FA51A72D1D77AA940CF90

Function 01000FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01001128
GetDesktopWindow.USER32 ref: 0100113D
GetWindowRect.USER32(00000000), ref: 01001144
GetWindowLongW.USER32(?,000000F0), ref: 01001199
DestroyWindow.USER32(?), ref: 010011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0100120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0100121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01001232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01001245
IsWindowVisible.USER32(00000000), ref: 010012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010012D0
GetWindowRect.USER32(00000000,?), ref: 010012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0100130E
GetMonitorInfoW.USER32(00000000,?), ref: 01001328
CopyRect.USER32(?,?), ref: 0100133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010013AA

Strings

0, xrefs: 010010D3
(, xrefs: 0100131B
tooltips_class32, xrefs: 010011E6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 936d5ca130d70c02278e48653d6f132db5281025e9981c34ff68e4294afc563f
Instruction ID: fbe2e92396deb5323674bb04880ffcd7c61b6efccacf60d1fbdb2aa591bb4d0f
Opcode Fuzzy Hash: 936d5ca130d70c02278e48653d6f132db5281025e9981c34ff68e4294afc563f
Instruction Fuzzy Hash: 0CB1AE71608341AFE715DF68C984BAEBBE4FF88310F008959F9D99B291C771E844CB92

Function 01000241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010002E5
_wcslen.LIBCMT ref: 0100031F
_wcslen.LIBCMT ref: 01000389
_wcslen.LIBCMT ref: 010003F1
_wcslen.LIBCMT ref: 01000475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01000504

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

Part of subcall function 00FD223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD2258
Part of subcall function 00FD223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FD228A

Strings

GETSELECTEDCOUNT, xrefs: 01000470, 0100048B
SELECTINVERT, xrefs: 0100057E
ISSELECTED, xrefs: 010004DD
GETTEXT, xrefs: 010003EC, 01000407
VIEWCHANGE, xrefs: 01000675
SELECTALL, xrefs: 01000515
FINDITEM, xrefs: 01000627
DESELECT, xrefs: 0100059C
GETSUBITEMCOUNT, xrefs: 01000384, 0100039F
SELECTCLEAR, xrefs: 0100052D
GETITEMCOUNT, xrefs: 01000316, 01000337
GETSELECTED, xrefs: 010005E1
SELECT, xrefs: 01000548

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ca823c50616c46e081d132bfedde04f1c94034ac13262bf35ebb647b33698635
Instruction ID: e55cc9429dc4348c51ff219d1771ab4ff72dd1244f68b4e45ed967841b2d64fa
Opcode Fuzzy Hash: ca823c50616c46e081d132bfedde04f1c94034ac13262bf35ebb647b33698635
Instruction Fuzzy Hash: 2EE1C1712082018FD716DF28C850A2EB7E6BFC8354F14859DF4D69B29ADB34ED45C752

Function 00F88891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F88968
GetSystemMetrics.USER32(00000007), ref: 00F88970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F8899B
GetSystemMetrics.USER32(00000008), ref: 00F889A3
GetSystemMetrics.USER32(00000004), ref: 00F889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F88A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F88A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F88A5A
GetStockObject.GDI32(00000011), ref: 00F88A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F88A81

Part of subcall function 00F8912D: GetCursorPos.USER32(?), ref: 00F89141
Part of subcall function 00F8912D: ScreenToClient.USER32(00000000,?), ref: 00F8915E
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000001), ref: 00F89183
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000002), ref: 00F8919D

SetTimer.USER32(00000000,00000000,00000028,00F890FC), ref: 00F88AA8

Strings

AutoIt v3 GUI, xrefs: 00F88A20

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f1bd62d35dee9e8a28c950a4d6687fa612abb56277e9b89150e3d0d9e78ee711
Instruction ID: e2574a1ce133fb42669e19bcbb960c9f18034b82a2128cebd5dc34eb067e9d3e
Opcode Fuzzy Hash: f1bd62d35dee9e8a28c950a4d6687fa612abb56277e9b89150e3d0d9e78ee711
Instruction Fuzzy Hash: DEB19175A0020AAFEB14DF68C985BEE3BB4FB48314F104219FA45E72C4DB39E841DB51

Function 00FD0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
Part of subcall function 00FD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
Part of subcall function 00FD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
Part of subcall function 00FD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FD0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FD0E29
GetLengthSid.ADVAPI32(?), ref: 00FD0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FD0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FD0E96
GetLengthSid.ADVAPI32(?), ref: 00FD0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FD0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FD0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FD0EDD
CopySid.ADVAPI32(00000000), ref: 00FD0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FD0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FD0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FD0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F6E
HeapFree.KERNEL32(00000000), ref: 00FD0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F7E
HeapFree.KERNEL32(00000000), ref: 00FD0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F8E
HeapFree.KERNEL32(00000000), ref: 00FD0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD0FA1
HeapFree.KERNEL32(00000000), ref: 00FD0FA8

Part of subcall function 00FD1193: GetProcessHeap.KERNEL32(00000008,00FD0BB1,?,00000000,?,00FD0BB1,?), ref: 00FD11A1
Part of subcall function 00FD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FD0BB1,?), ref: 00FD11A8
Part of subcall function 00FD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FD0BB1,?), ref: 00FD11B7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: eac67f74abb00232ffa9c12f6a721ec571386b2fcdbf5425f2f227e42c704567
Instruction ID: b129f95321b7e5cd1dbf1d3c9f7afae5ffbccb70088c611bc7456a8508cea52d
Opcode Fuzzy Hash: eac67f74abb00232ffa9c12f6a721ec571386b2fcdbf5425f2f227e42c704567
Instruction Fuzzy Hash: BC718F72D0420AABEF21DFA4DC48FEEBBB9FF05310F184256F955A6280DB359905DB60

Function 00FFC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0100CC08,00000000,?,00000000,?,?), ref: 00FFC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FFC5A4
_wcslen.LIBCMT ref: 00FFC5F4
_wcslen.LIBCMT ref: 00FFC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FFC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FFC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FFC84D
RegCloseKey.ADVAPI32(?), ref: 00FFC881
RegCloseKey.ADVAPI32(00000000), ref: 00FFC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FFC960

Strings

REG_MULTI_SZ, xrefs: 00FFC6F5
REG_SZ, xrefs: 00FFC644
REG_QWORD, xrefs: 00FFC8C3
REG_BINARY, xrefs: 00FFC913
REG_EXPAND_SZ, xrefs: 00FFC5CD
REG_DWORD, xrefs: 00FFC804

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 081b517743a17a0b8b0b88158a6ea10cbf80fc3fed4db3dd73a0746005d7eb4c
Instruction ID: e673ec03041dbdb93c889484f1ef86d7661b17050c840f409e93a751c7a4c315
Opcode Fuzzy Hash: 081b517743a17a0b8b0b88158a6ea10cbf80fc3fed4db3dd73a0746005d7eb4c
Instruction Fuzzy Hash: B2127A316042159FD714DF14C981E2AB7E5FF88724F18889DF98A9B3A2DB35EC41DB82

Function 0100091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010009C6
_wcslen.LIBCMT ref: 01000A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01000A54
_wcslen.LIBCMT ref: 01000A8A
_wcslen.LIBCMT ref: 01000B06
_wcslen.LIBCMT ref: 01000B81

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

Part of subcall function 00FD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD2BFA

Strings

CHECK, xrefs: 01000A85, 01000AA0
ISCHECKED, xrefs: 01000CE1
EXISTS, xrefs: 01000B7C, 01000B97
EXPAND, xrefs: 01000BF8
GETTOTALCOUNT, xrefs: 010009F2, 01000A17
UNCHECK, xrefs: 01000D3E
GETITEMCOUNT, xrefs: 01000C1E
GETTEXT, xrefs: 01000C97
COLLAPSE, xrefs: 01000B01, 01000B1C
GETSELECTED, xrefs: 01000C4E
SELECT, xrefs: 01000D11

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a7ccf212f41bbf72852534fbf4997c9339557bd828f966cf06a59bfb7776db3c
Instruction ID: 7d95128c40f8ab9bdcce78d6962ded731f21699ee932cdcfdde0c483280cb30f
Opcode Fuzzy Hash: a7ccf212f41bbf72852534fbf4997c9339557bd828f966cf06a59bfb7776db3c
Instruction Fuzzy Hash: CDE17A312087018FD715EF28C850A2AB7E1BF89354F04899DF8D99B3A6DB35ED45CB92

Function 00FFC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
_wcslen.LIBCMT ref: 00FFC9F1
_wcslen.LIBCMT ref: 00FFCA68
_wcslen.LIBCMT ref: 00FFCA9E
_wcslen.LIBCMT ref: 00FFCAF9
_wcslen.LIBCMT ref: 00FFCB2F
_wcslen.LIBCMT ref: 00FFCB7F

Strings

HKLM, xrefs: 00FFCA98, 00FFCA9D
HKCC, xrefs: 00FFCBAC
HKCU, xrefs: 00FFCBCE
HKEY_USERS, xrefs: 00FFCBDF
HKEY_CURRENT_CONFIG, xrefs: 00FFCB79, 00FFCB7E
HKU, xrefs: 00FFCBF0
HKEY_CURRENT_USER, xrefs: 00FFCBBD
HKEY_CLASSES_ROOT, xrefs: 00FFCAF3, 00FFCAF8
HKCR, xrefs: 00FFCB29, 00FFCB2E
HKEY_LOCAL_MACHINE, xrefs: 00FFCA62, 00FFCA67

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d82fb17a7931b435e014b01657bea904ecb1e7a10eb0083176f630772fb9c1b2
Instruction ID: bfdf2df5611468ce7429f3eb1ed2d85172e52f1b3fcb0144fedd9ff897504e13
Opcode Fuzzy Hash: d82fb17a7931b435e014b01657bea904ecb1e7a10eb0083176f630772fb9c1b2
Instruction Fuzzy Hash: DB71E433E0017E8BCB20DE78CE516BA3395AFA0B64B214514FA56972A4E639DD45F3E0

Function 0100833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100835A
_wcslen.LIBCMT ref: 0100836E
_wcslen.LIBCMT ref: 01008391
_wcslen.LIBCMT ref: 010083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01005BF2), ref: 0100844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01008487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01008501
FreeLibrary.KERNEL32(?), ref: 0100850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0100851D
DestroyIcon.USER32(?,?,?,?,?,01005BF2), ref: 0100852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01008549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01008555

Strings

.exe, xrefs: 01008388
.icl, xrefs: 01008368
.dll, xrefs: 010083AB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9bd5b601d67a023240763ca076e9c8e52e612cadc099e6b45772a64bb4a04ee1
Instruction ID: a559f8ba8fc736c060d171863d60314bc34e71b161f396dd4c734bd793082c37
Opcode Fuzzy Hash: 9bd5b601d67a023240763ca076e9c8e52e612cadc099e6b45772a64bb4a04ee1
Instruction Fuzzy Hash: BC610271900208BAFB26CF64CC41FBE77A8BB08721F10824AF995D60D1DB79A980D7A0

Function 00F77778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00F7785F, 00F778B1
#requireadmin, xrefs: 00F777FF
#notrayicon, xrefs: 00F777E7
Unterminated group of comments, xrefs: 00FB528C
#ce, xrefs: 00F778ED
Bad directive syntax error, xrefs: 00FB519A
#OnAutoItStartRegister, xrefs: 00F77817
#comments-end, xrefs: 00F778D9
", xrefs: 00FB5153
#cs, xrefs: 00F77873, 00F778C5
', xrefs: 00FB5169
#include-once, xrefs: 00F7782F
#include, xrefs: 00F77847
#pragma compile, xrefs: 00F777D3
Cannot parse #include, xrefs: 00FB5279

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 622a2bf4a66dbf3ffc425ee7e29433ac054958ced991c21993ebc9ead8161e6c
Instruction ID: deee18ce3b2575aadec45a7db5677ed031f328fbdd0ee1a893cc0b275985314f
Opcode Fuzzy Hash: 622a2bf4a66dbf3ffc425ee7e29433ac054958ced991c21993ebc9ead8161e6c
Instruction Fuzzy Hash: 8E812C71A14305BBEF25BF65CC42FEE3764AF15740F048025F8086A192EB78D912FB92

Function 00FE3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FE3EF8
_wcslen.LIBCMT ref: 00FE3F03
_wcslen.LIBCMT ref: 00FE3F5A
_wcslen.LIBCMT ref: 00FE3F98
GetDriveTypeW.KERNEL32(?), ref: 00FE3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE4087

Strings

closed, xrefs: 00FE3F08, 00FE3F2D, 00FE3F46, 00FE3F7E, 00FE3F97
close cd wait, xrefs: 00FE4072
open , xrefs: 00FE3FE5
wait, xrefs: 00FE4044
type cdaudio alias cd wait, xrefs: 00FE4001
set cd door , xrefs: 00FE4028
close, xrefs: 00FE3EFE, 00FE3F18
open, xrefs: 00FE3F54, 00FE3F59

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 63b979ece7c47d21d4f01f79e8bf2266066b33a00bf9305c20d479219bcd0505
Instruction ID: f1b450871679a4cc7b8360ff3da6b85afb2464e08671b9b5f281eccf4e701488
Opcode Fuzzy Hash: 63b979ece7c47d21d4f01f79e8bf2266066b33a00bf9305c20d479219bcd0505
Instruction Fuzzy Hash: 29710232A042419FC710EF25C88086AB7F4FF94764F00892DF99A97251EB35EE45EB92

Function 00FD5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FD5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FD5A40
SetWindowTextW.USER32(?,?), ref: 00FD5A57
GetDlgItem.USER32(?,000003EA), ref: 00FD5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FD5A72
GetDlgItem.USER32(?,000003E9), ref: 00FD5A82
SetWindowTextW.USER32(00000000,?), ref: 00FD5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FD5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FD5AC3
GetWindowRect.USER32(?,?), ref: 00FD5ACC
_wcslen.LIBCMT ref: 00FD5B33
SetWindowTextW.USER32(?,?), ref: 00FD5B6F
GetDesktopWindow.USER32 ref: 00FD5B75
GetWindowRect.USER32(00000000), ref: 00FD5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FD5BD3
GetClientRect.USER32(?,?), ref: 00FD5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FD5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FD5C2F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2893c3da59059d3d838170107846ba2b4136972cab47e031754d1228d8801557
Instruction ID: a82119c07b93bd1a074d856dd13585032107637faf43d0f80a002cf30cbea47b
Opcode Fuzzy Hash: 2893c3da59059d3d838170107846ba2b4136972cab47e031754d1228d8801557
Instruction Fuzzy Hash: A3718031900B05AFDB31DFA8CE85B6EBBF6FF48B14F14461AE182A2690D775E940DB10

Function 00FEFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FEFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FEFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FEFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FEFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FEFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FEFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FEFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FEFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FEFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FEFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FEFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FEFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FEFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FEFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FEFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FEFECC
GetCursorInfo.USER32(?), ref: 00FEFEDC
GetLastError.KERNEL32 ref: 00FEFF1E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9f23101d4cfa4e8e185e18314ffccb0934e41ef44c8cec73862e3e0490041363
Instruction ID: b2ba9178c0f203712a7be4bbcfb1f57686010116f0c69a45e1d0c656e34a05d5
Opcode Fuzzy Hash: 9f23101d4cfa4e8e185e18314ffccb0934e41ef44c8cec73862e3e0490041363
Instruction Fuzzy Hash: A0415570D043596ADB109FB68C85C5EBFE8FF04364B50466AF11DE7281DB789901CF91

Function 00F900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F900C6

Part of subcall function 00F900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0104070C,00000FA0,81D7E4EC,?,?,?,?,00FB23B3,000000FF), ref: 00F9011C
Part of subcall function 00F900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FB23B3,000000FF), ref: 00F90127
Part of subcall function 00F900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FB23B3,000000FF), ref: 00F90138
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F9014E
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F9015C
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F9016A
Part of subcall function 00F900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F90195
Part of subcall function 00F900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F901A0

___scrt_fastfail.LIBCMT ref: 00F900E7

Part of subcall function 00F900A3: __onexit.LIBCMT ref: 00F900A9

Strings

SleepConditionVariableCS, xrefs: 00F90154
WakeAllConditionVariable, xrefs: 00F90162
kernel32.dll, xrefs: 00F90133
InitializeConditionVariable, xrefs: 00F90148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F90122

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b9eeea45b3e2d574ad1f6370f265cf6ebdab5d4a1ac3e937eb49d173a4a9b88c
Instruction ID: 167994b1509e2777441de1682cbe9f37fcd5d478066220c1d66d1952d281eefa
Opcode Fuzzy Hash: b9eeea45b3e2d574ad1f6370f265cf6ebdab5d4a1ac3e937eb49d173a4a9b88c
Instruction Fuzzy Hash: FD213E32E457116FFB326BA5AD45BA93394EB05B61F00017FF981E7284DF798C40AB51

Function 00FD30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD318D
_wcslen.LIBCMT ref: 00FD31F8

Strings

REGEXPCLASS, xrefs: 00FD3255, 00FD3266
TEXT, xrefs: 00FD347C
CLASS, xrefs: 00FD3188, 00FD31A5
CLASSNN, xrefs: 00FD31F3, 00FD3204
INSTANCE, xrefs: 00FD3453
NAME, xrefs: 00FD3335, 00FD3346

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3e8a369590cc102ccd4dfb247ed3474ea1f199aef191cd87b5440ee5f3bd232f
Instruction ID: cf09654875d3ccf2dbf5884a4b46ba4a95bfbfac3385dda559cd3bb85b1a5af4
Opcode Fuzzy Hash: 3e8a369590cc102ccd4dfb247ed3474ea1f199aef191cd87b5440ee5f3bd232f
Instruction Fuzzy Hash: 21E1F632E001169BCF18DF64C8517EDB7B6BF54720F18821BE656E7340DB34AE45AB91

Function 00FE44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0100CC08), ref: 00FE4527
_wcslen.LIBCMT ref: 00FE453B
_wcslen.LIBCMT ref: 00FE4599
_wcslen.LIBCMT ref: 00FE45F4
_wcslen.LIBCMT ref: 00FE463F
_wcslen.LIBCMT ref: 00FE46A7

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

GetDriveTypeW.KERNEL32(?,01036BF0,00000061), ref: 00FE4743

Strings

removable, xrefs: 00FE45EA, 00FE45EF
all, xrefs: 00FE4531, 00FE4536
fixed, xrefs: 00FE4635, 00FE463A
network, xrefs: 00FE469D, 00FE46A2
ramdisk, xrefs: 00FE46F1
cdrom, xrefs: 00FE458F, 00FE4594
unknown, xrefs: 00FE4708

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d9f49dd2ac860c2c4345350e186dc8939e5c52cf137144bf86e1675c8ee94080
Instruction ID: 82672d5bef72e1d4809868ce836f1479dc74a9b0495b20cab85b754e46ed9ab1
Opcode Fuzzy Hash: d9f49dd2ac860c2c4345350e186dc8939e5c52cf137144bf86e1675c8ee94080
Instruction Fuzzy Hash: D8B10331A083429FC710DF2AC890A6AF7E5BFE5720F50891DF49AC7291D734E945EB92

Function 00FF3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0100CC08), ref: 00FF40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FF40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0100CC08), ref: 00FF40F2
FreeLibrary.KERNEL32(00000000,?,0100CC08), ref: 00FF413E
StringFromGUID2.OLE32(?,?,00000028,?,0100CC08), ref: 00FF41A8
SysFreeString.OLEAUT32(00000009), ref: 00FF4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FF42C8
SysFreeString.OLEAUT32(?), ref: 00FF42F2

Strings

GetModuleHandleExW, xrefs: 00FF40C7
kernel32.dll, xrefs: 00FF40B6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 73993216a36eff8836fd49de68addcf294fedd22633584a6fafaea6a0c70077f
Instruction ID: 54a24883e4411c015b33a39af2b2db9a529effe632593d2698e2283e1a12cd6a
Opcode Fuzzy Hash: 73993216a36eff8836fd49de68addcf294fedd22633584a6fafaea6a0c70077f
Instruction Fuzzy Hash: FF124A75A00109EFDB15DF94C884EBEBBB5FF45314F248098EA05AB261DB31ED42DBA0

Function 00F7326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01041990), ref: 00FB2F8D
GetMenuItemCount.USER32(01041990), ref: 00FB303D
GetCursorPos.USER32(?), ref: 00FB3081
SetForegroundWindow.USER32(00000000), ref: 00FB308A
TrackPopupMenuEx.USER32(01041990,00000000,?,00000000,00000000,00000000), ref: 00FB309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FB30A9

Strings

0, xrefs: 00F7327D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6372e75735a37525c93b721405a862ac8a357c3b4bd28ce1fcc33484ad6f0a4f
Instruction ID: 58a285850b9b8d2104cbda9af7b6131aab209514e1247a0d19f11b29b79e7390
Opcode Fuzzy Hash: 6372e75735a37525c93b721405a862ac8a357c3b4bd28ce1fcc33484ad6f0a4f
Instruction Fuzzy Hash: 7C710471A44205BEFB219F26CC89FEABF65FF04364F204206F5286A1D1C7B6A950EB51

Function 01006CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01006DEB

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01006E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01006E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01006E94
DestroyWindow.USER32(?), ref: 01006EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F70000,00000000), ref: 01006EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01006EFD
GetDesktopWindow.USER32 ref: 01006F16
GetWindowRect.USER32(00000000), ref: 01006F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01006F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01006F4D

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

Strings

0, xrefs: 01006D98
tooltips_class32, xrefs: 01006E58, 01006EDD

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d281f541dd8155dbbb605251bbef1a8f000c1204fda9652bbf11ed9fd98bfd8f
Instruction ID: c8a940536c2514f6a887f7de2a6c68e00eb4e364ef990b6f6fe323ff4bbafbd1
Opcode Fuzzy Hash: d281f541dd8155dbbb605251bbef1a8f000c1204fda9652bbf11ed9fd98bfd8f
Instruction Fuzzy Hash: 0B717C74104344AFEB22CF1CC844E7ABBEAFB89304F44055DFAC9872A1C776A955CB12

Function 0100911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DragQueryPoint.SHELL32(?,?), ref: 01009147

Part of subcall function 01007674: ClientToScreen.USER32(?,?), ref: 0100769A
Part of subcall function 01007674: GetWindowRect.USER32(?,?), ref: 01007710
Part of subcall function 01007674: PtInRect.USER32(?,?,01008B89), ref: 01007720

SendMessageW.USER32(?,000000B0,?,?), ref: 010091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01009225
SendMessageW.USER32(?,000000B0,?,?), ref: 0100923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01009255
SendMessageW.USER32(?,000000B1,?,?), ref: 01009277
DragFinish.SHELL32(?), ref: 0100927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01009371

Strings

@GUI_DRAGID, xrefs: 010092E9
@GUI_DROPID, xrefs: 0100929E
@GUI_DRAGFILE, xrefs: 01009320

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 80518b425f25ae7f79b9a6f90b8ee1188b02036e8808f102c688f546781f4498
Instruction ID: 266bf5a27e44dfc5b72c9b54b437e0519a119e39f236ebeefb49728c31a44a0e
Opcode Fuzzy Hash: 80518b425f25ae7f79b9a6f90b8ee1188b02036e8808f102c688f546781f4498
Instruction Fuzzy Hash: F8618971108301AFE712DF64DC85DAFBBE8EFC8350F004A1EF599921A1DB75AA49CB52

Function 00FEC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FEC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FEC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FEC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FEC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FEC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FEC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FEC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FEC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FEC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FEC5F0
InternetCloseHandle.WININET(00000000), ref: 00FEC5FB

Strings

, xrefs: 00FEC575

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a9d4dbd9a246ecbaeb4abd10ab7ec37a20e1133f681a3364163da410d88590df
Instruction ID: d257ea8156787afb734d5a6b2b7cf3400a8f729cdbba366c641c25eaca8c908f
Opcode Fuzzy Hash: a9d4dbd9a246ecbaeb4abd10ab7ec37a20e1133f681a3364163da410d88590df
Instruction Fuzzy Hash: DF5160B1500344BFEB229F62C948AAB7BFCFF04754F04451AF986D6240DB35EA45EBA0

Function 0100856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01008592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085BA
GlobalLock.KERNEL32(00000000), ref: 010085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085D7
GlobalUnlock.KERNEL32(00000000), ref: 010085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0100FC38,?), ref: 01008611
GlobalFree.KERNEL32(00000000), ref: 01008621
GetObjectW.GDI32(?,00000018,?), ref: 01008641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01008671
DeleteObject.GDI32(?), ref: 01008699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010086AF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6d1eeec2bc5fcf6ad185705d0918ef15bc0c28d54cc165c90a52d0fe0d72f808
Instruction ID: 5e9c529a8e605db48a78a9e05393a0daa4a525846907c9cae11137c499cae22a
Opcode Fuzzy Hash: 6d1eeec2bc5fcf6ad185705d0918ef15bc0c28d54cc165c90a52d0fe0d72f808
Instruction Fuzzy Hash: F1412C75600204AFEB229F69CD48EAE7BB8FF89711F108199F949E7290D7759901CB60

Function 00FE14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FE1502
VariantCopy.OLEAUT32(?,?), ref: 00FE150B
VariantClear.OLEAUT32(?), ref: 00FE1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FE15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FE1657
VariantInit.OLEAUT32(?), ref: 00FE1708
SysFreeString.OLEAUT32(?), ref: 00FE178C
VariantClear.OLEAUT32(?), ref: 00FE17D8
VariantClear.OLEAUT32(?), ref: 00FE17E7
VariantInit.OLEAUT32(00000000), ref: 00FE1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FE1625
Default, xrefs: 00FE16AF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f54ddced1a168dae94df0e394a873cb08864f9d4a088aa91aa3ec9e90e21b3cf
Instruction ID: f00f56b06129898830b283076c1e1ce798d379e5d45bf5b65ed4a6ecfe3f43c2
Opcode Fuzzy Hash: f54ddced1a168dae94df0e394a873cb08864f9d4a088aa91aa3ec9e90e21b3cf
Instruction Fuzzy Hash: 6FD12332A00245EBDB10AF67D884BBDB7B5BF45700F18815AF846AB184DB38DC44FB62

Function 00FFB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FFB80A
RegCloseKey.ADVAPI32(?), ref: 00FFB87E
RegCloseKey.ADVAPI32(?), ref: 00FFB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FFB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FFB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FFB922
FreeLibrary.KERNEL32(00000000), ref: 00FFB983
RegCloseKey.ADVAPI32(00000000), ref: 00FFB994

Strings

advapi32.dll, xrefs: 00FFB8ED
RegDeleteKeyExW, xrefs: 00FFB8FE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6cd4c6c8d227b7e7ce4386a64d4563257710544024334547ed90af47526a6391
Instruction ID: 4cd84cead33883138351e6a6d27562547cafd6ee34cbc1fa36962e4b025ddee8
Opcode Fuzzy Hash: 6cd4c6c8d227b7e7ce4386a64d4563257710544024334547ed90af47526a6391
Instruction Fuzzy Hash: CDC1B031608205AFD720DF14C894F2ABBE5FF85314F14859CF59A8B2A2CB75EC45DB92

Function 00FF255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FF25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FF25E8
CreateCompatibleDC.GDI32(?), ref: 00FF25F4
SelectObject.GDI32(00000000,?), ref: 00FF2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FF266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FF26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FF26D0
SelectObject.GDI32(?,?), ref: 00FF26D8
DeleteObject.GDI32(?), ref: 00FF26E1
DeleteDC.GDI32(?), ref: 00FF26E8
ReleaseDC.USER32(00000000,?), ref: 00FF26F3

Strings

(, xrefs: 00FF268D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f481425b378b613728de677e22657e64b3dd10058c2a651198631df36116325a
Instruction ID: 64df6314cb0c51b88cb5fa7aeb3ef34da7a0db1131c193bbab45189623907a2b
Opcode Fuzzy Hash: f481425b378b613728de677e22657e64b3dd10058c2a651198631df36116325a
Instruction Fuzzy Hash: 35612276D00209EFDF15CFA8C984AAEBBB5FF48310F208569EA55A7250D335A941DFA0

Function 00FADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FADAA1

Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD659
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD66B
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD67D
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD68F
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6A1
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6B3
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6C5
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6D7
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6E9
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6FB
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD70D
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD71F
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD731

_free.LIBCMT ref: 00FADA96

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FADAB8
_free.LIBCMT ref: 00FADACD
_free.LIBCMT ref: 00FADAD8
_free.LIBCMT ref: 00FADAFA
_free.LIBCMT ref: 00FADB0D
_free.LIBCMT ref: 00FADB1B
_free.LIBCMT ref: 00FADB26
_free.LIBCMT ref: 00FADB5E
_free.LIBCMT ref: 00FADB65
_free.LIBCMT ref: 00FADB82
_free.LIBCMT ref: 00FADB9A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: dc9655cab850734c0fa3e55d25d0ad9a39ade7b786069801bea8e6393c26ea1b
Instruction ID: 9e910cf871c52b53ee218dc33460c4cd09699403a76eadbe9f58eb965e41f583
Opcode Fuzzy Hash: dc9655cab850734c0fa3e55d25d0ad9a39ade7b786069801bea8e6393c26ea1b
Instruction Fuzzy Hash: 5D316BB1A043049FEBA1AA3CEC45B5B77E8FF46760F114419E48AD7592DF38AC40B721

Function 00FD365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FD369C
_wcslen.LIBCMT ref: 00FD36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FD3797
GetClassNameW.USER32(?,?,00000400), ref: 00FD380C
GetDlgCtrlID.USER32(?), ref: 00FD385D
GetWindowRect.USER32(?,?), ref: 00FD3882
GetParent.USER32(?), ref: 00FD38A0
ScreenToClient.USER32(00000000), ref: 00FD38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FD3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FD395D

Strings

%s%u, xrefs: 00FD3734

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 910dbacd8234b3126bede6f459b7a22af6cd30121e4c41cdc7c077805d57243a
Instruction ID: 490979da574b8504f45267a022fc4b3add9a474da7dcbcbfe5b7eeff3041dc2e
Opcode Fuzzy Hash: 910dbacd8234b3126bede6f459b7a22af6cd30121e4c41cdc7c077805d57243a
Instruction Fuzzy Hash: C3910C71604706AFD715DF24C894FAAF79AFF44350F04462AFA99C2280DB34EA45DB93

Function 00FD4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FD4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FD49DA
_wcslen.LIBCMT ref: 00FD49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FD49F7
_wcsstr.LIBVCRUNTIME ref: 00FD4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FD4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FD4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FD4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FD4B20
GetWindowRect.USER32(?,?), ref: 00FD4B8B

Strings

ThumbnailClass, xrefs: 00FD4A6F, 00FD4AF1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0ece2344f7063476113bb15f894aa21e1aa5d80a028ba131b6e9cb22a6b1be10
Instruction ID: 6bcd05db707bc4ba7a99fd4b888805f1bb23451075b9026fca368717a1ab397f
Opcode Fuzzy Hash: 0ece2344f7063476113bb15f894aa21e1aa5d80a028ba131b6e9cb22a6b1be10
Instruction Fuzzy Hash: 6291F1314082059FDB15DF10C985FAA77AAFF84324F08806BFD859A286DB34FD45EBA1

Function 01008D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01008D5A
GetFocus.USER32 ref: 01008D6A
GetDlgCtrlID.USER32(00000000), ref: 01008D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01008E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01008ECF
GetMenuItemCount.USER32(?), ref: 01008EEC
GetMenuItemID.USER32(?,00000000), ref: 01008EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01008F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01008F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01008FA1

Strings

0, xrefs: 01008E9F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e290f0dc085bd7a809fc0855c11f5641c7869e82651a827b7e1ff4ae88c94d58
Instruction ID: 1aa2bd9ae65a48a376ec24763e37f236e8b1d6db3fb56273376f1de8285537c1
Opcode Fuzzy Hash: e290f0dc085bd7a809fc0855c11f5641c7869e82651a827b7e1ff4ae88c94d58
Instruction Fuzzy Hash: 3D81A071904341AFF762DF28C884AAB7BE9FB88314F04469EFAC597281D775D940CB61

Function 00FDBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01041990,000000FF,00000000,00000030), ref: 00FDBFAC
SetMenuItemInfoW.USER32(01041990,00000004,00000000,00000030), ref: 00FDBFE1
Sleep.KERNEL32(000001F4), ref: 00FDBFF3
GetMenuItemCount.USER32(?), ref: 00FDC039
GetMenuItemID.USER32(?,00000000), ref: 00FDC056
GetMenuItemID.USER32(?,-00000001), ref: 00FDC082
GetMenuItemID.USER32(?,?), ref: 00FDC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FDC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDC145

Strings

0, xrefs: 00FDBF3D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: dff6d1e9228599ba395942361c5a380467daa194b91c84a068f7f8b261f93b65
Instruction ID: b9b47edd3db696c1536f7ce83c39a497f922486a1b2d628b3e8b911f84d3e4ec
Opcode Fuzzy Hash: dff6d1e9228599ba395942361c5a380467daa194b91c84a068f7f8b261f93b65
Instruction Fuzzy Hash: C461A3B1900256EFEF21CF64DD88AEE7B7AEB05354F084156E841E3381C736AD44EBA0

Function 00FDDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FDDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FDDC46
_wcslen.LIBCMT ref: 00FDDC50
_wcsstr.LIBVCRUNTIME ref: 00FDDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FDDCBC

Strings

\VarFileInfo\Translation, xrefs: 00FDDCB4
%u.%u.%u.%u, xrefs: 00FDDD9A
04090000, xrefs: 00FDDCF2
DefaultLangCodepage, xrefs: 00FDDD1F
StringFileInfo\, xrefs: 00FDDC8F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0558a0ee5404d52c80dfef58eb4b096e2c4f0bca4f88714889c345e4a9cb4b22
Instruction ID: 95846f03ab19462b0da0ac2f453ffe90a2cd0702b03f08cf778f61ea6de06f90
Opcode Fuzzy Hash: 0558a0ee5404d52c80dfef58eb4b096e2c4f0bca4f88714889c345e4a9cb4b22
Instruction Fuzzy Hash: FB4134729402017AFF11A7759C07EFF376DEF55720F1401AEF900A6282EB799A01B7A4

Function 00FFCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FFCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FFCD48

Part of subcall function 00FFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FFCCAA
Part of subcall function 00FFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FFCCBD
Part of subcall function 00FFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FFCCCF
Part of subcall function 00FFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FFCD05
Part of subcall function 00FFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FFCCF3

Strings

advapi32.dll, xrefs: 00FFCCB8
RegDeleteKeyExW, xrefs: 00FFCCC9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9121df90f20457f8369e48def2d81c456f556535fae93bddbbdf0eabbacbed58
Instruction ID: e69dc123baa684c01769ff55d4ca89c938b0cbda5a7b2a6bcc432a0728d3fe53
Opcode Fuzzy Hash: 9121df90f20457f8369e48def2d81c456f556535fae93bddbbdf0eabbacbed58
Instruction Fuzzy Hash: 8A316B7190112CBBEB218B51DD88EFFBB7CEF46750F0001A5BA56E2254DA349A45EBE0

Function 00FE3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FE3D40
_wcslen.LIBCMT ref: 00FE3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FE3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FE3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FE3E55
CloseHandle.KERNEL32(00000000), ref: 00FE3E60
CloseHandle.KERNEL32(00000000), ref: 00FE3E6B

Strings

\, xrefs: 00FE3D77
:, xrefs: 00FE3D82
\??\%s, xrefs: 00FE3D5B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 969fbf678ac135dd7d5f4c341072836d91f4187ba038938b2f8ec8e8aaa575bd
Instruction ID: 4bca641407947885129b961b9dfbaaae5bd83c827384016ba44bb3f259d489ad
Opcode Fuzzy Hash: 969fbf678ac135dd7d5f4c341072836d91f4187ba038938b2f8ec8e8aaa575bd
Instruction Fuzzy Hash: CB31CF72900249ABEB319BA1DC4CFEB37BCEF88710F1041A5F549D6054EB7897449B24

Function 00FDE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FDE6B4

Part of subcall function 00F8E551: timeGetTime.WINMM(?,?,00FDE6D4), ref: 00F8E555

Sleep.KERNEL32(0000000A), ref: 00FDE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FDE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FDE727
SetActiveWindow.USER32 ref: 00FDE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FDE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FDE773
Sleep.KERNEL32(000000FA), ref: 00FDE77E
IsWindow.USER32 ref: 00FDE78A
EndDialog.USER32(00000000), ref: 00FDE79B

Strings

BUTTON, xrefs: 00FDE719

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a0111c843549869495b77b98007955e340b6325857a4e8ddfbb9a6ab99afe8c3
Instruction ID: ea2e45dec02e32767d2f6d179905453a64135d9ea332b6f06ef4bc077d0ad59b
Opcode Fuzzy Hash: a0111c843549869495b77b98007955e340b6325857a4e8ddfbb9a6ab99afe8c3
Instruction Fuzzy Hash: 0521D7F8300204AFFB316F20EEC9A363B6AF758349F080566F49585285DB7FAC10AB11

Function 00FDE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FDEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FDEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FDEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FDEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FDEAA7

Strings

open , xrefs: 00FDEA0C
close PlayMe, xrefs: 00FDEA6E, 00FDEA9B
alias PlayMe, xrefs: 00FDEA36
play PlayMe, xrefs: 00FDEAA2
status PlayMe mode, xrefs: 00FDEA58
play PlayMe wait, xrefs: 00FDEA91

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: de484d3004d9721f47ec8a1bd45a6246590a7784de888e3d8330d8affae9c494
Instruction ID: c94f826adf72bde845f4cff8ff5ce48752eeb04c3d7fc705338eda6e279543bb
Opcode Fuzzy Hash: de484d3004d9721f47ec8a1bd45a6246590a7784de888e3d8330d8affae9c494
Instruction Fuzzy Hash: D411A331A9021A79D720F7A2DC4ADFF7A7CEBD2B10F04042B7455AA0D0EEA51A05D5B1

Function 00FD9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FDA012
SetKeyboardState.USER32(?), ref: 00FDA07D
GetAsyncKeyState.USER32(000000A0), ref: 00FDA09D
GetKeyState.USER32(000000A0), ref: 00FDA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00FDA0E3
GetKeyState.USER32(000000A1), ref: 00FDA0F4
GetAsyncKeyState.USER32(00000011), ref: 00FDA120
GetKeyState.USER32(00000011), ref: 00FDA12E
GetAsyncKeyState.USER32(00000012), ref: 00FDA157
GetKeyState.USER32(00000012), ref: 00FDA165
GetAsyncKeyState.USER32(0000005B), ref: 00FDA18E
GetKeyState.USER32(0000005B), ref: 00FDA19C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8a381f32d59dec9fd6b1b43baf1f9e15534a75530fc405ba773ae55b8bca0b6b
Instruction ID: c18467f6f99dd2281c3c1e97a637afb46fad0da5a5ac6136ca8677d654b2da66
Opcode Fuzzy Hash: 8a381f32d59dec9fd6b1b43baf1f9e15534a75530fc405ba773ae55b8bca0b6b
Instruction Fuzzy Hash: 0651FC30D0878429FB35EBB048157EABFB65F12350F0C459BD5C1573C2DA94AA4CDB66

Function 00FD5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FD5CE2
GetWindowRect.USER32(00000000,?), ref: 00FD5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FD5D59
GetDlgItem.USER32(?,00000002), ref: 00FD5D69
GetWindowRect.USER32(00000000,?), ref: 00FD5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FD5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FD5DDD
GetWindowRect.USER32(00000000,?), ref: 00FD5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FD5E31
GetDlgItem.USER32(?,000003EA), ref: 00FD5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FD5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FD5E67

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bb428952186a70cf942b435a4c1a74b05a1e492f90addf483508cac92592a09d
Instruction ID: 160090ccc58d3016af40f4444b752ab664a0fc334a7839032b9448f969e47d3b
Opcode Fuzzy Hash: bb428952186a70cf942b435a4c1a74b05a1e492f90addf483508cac92592a09d
Instruction Fuzzy Hash: E0512F71E00605AFDF19DF68CD89AAE7BB6FB48710F148229F515E7294D774AE00CB60

Function 00F88BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F88BE8,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88FC5

DestroyWindow.USER32(?), ref: 00F88C81
KillTimer.USER32(00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00FC6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00FC69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00FC69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000), ref: 00FC69D4
DeleteObject.GDI32(00000000), ref: 00FC69E6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5e8466b673aa760c6ec00d21442e4a4ba45fe15792322b405403d9898924b043
Instruction ID: 64901c6d5a3774b3faa8e6a7b8ddcffedb8b3e1ad572b3a72e1ecaf13f0b1d2c
Opcode Fuzzy Hash: 5e8466b673aa760c6ec00d21442e4a4ba45fe15792322b405403d9898924b043
Instruction Fuzzy Hash: 2561BD75901601EFEB36AF14DB89BA577B1FB41362F50451CE08296998CB3ABC82EB50

Function 00F89838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

GetSysColor.USER32(0000000F), ref: 00F89862

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0d38bc1e92591be96767fab967cb4afde3c61a4c5955b11a9e3a13f6a9656095
Instruction ID: 53717fdb22396c96bdf66b2b7df9e7e694899d6a06b811dcf37d3deba6bb6d1b
Opcode Fuzzy Hash: 0d38bc1e92591be96767fab967cb4afde3c61a4c5955b11a9e3a13f6a9656095
Instruction Fuzzy Hash: 9A41C131508641AFEB316F389988BF93BA5AB06331F5C4649F9E2871D5C7769C42EB10

Function 00FD96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FD9717
LoadStringW.USER32(00000000,?,00FBF7F8,00000001), ref: 00FD9720

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FD9742
LoadStringW.USER32(00000000,?,00FBF7F8,00000001), ref: 00FD9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FD9866

Strings

Line %d:, xrefs: 00FD97A0
^ ERROR, xrefs: 00FD97FB
%s (%d) : ==> %s: %s %s, xrefs: 00FD984A
Line %d (File "%s"):, xrefs: 00FD978F
Error: , xrefs: 00FD981D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1af28d2559143384209d171c9a74b2b01384e345f8825fd84ef9ceca8f6646d6
Instruction ID: e5c85986f37a6ec3baa28e4df0dd0e69f5adb465fa5e7abe8f1b0ab50bb661b4
Opcode Fuzzy Hash: 1af28d2559143384209d171c9a74b2b01384e345f8825fd84ef9ceca8f6646d6
Instruction Fuzzy Hash: 45417072804209BACF15FBE0CE42DEE7379AF55300F544066F20972192EB796F48EB62

Function 00FD06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FD07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FD07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FD07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FD0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FD082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FD0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FD083C

Strings

\IPC$, xrefs: 00FD0784
\CLSID, xrefs: 00FD0724
SOFTWARE\Classes\, xrefs: 00FD070E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 370d914434e5e9735bcca5cf2996586788d2ac3cea301431bde265fdda767a76
Instruction ID: 075f0a40ff4c38c1895d282c98277d740fd91021edbff621157a3330a89134a7
Opcode Fuzzy Hash: 370d914434e5e9735bcca5cf2996586788d2ac3cea301431bde265fdda767a76
Instruction Fuzzy Hash: E9414972C10228ABDF21EBA4DC85DEDB779FF44350F08816AF905A7161EB349E04EB91

Function 01003F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0100403B
CreateCompatibleDC.GDI32(00000000), ref: 01004042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01004055
SelectObject.GDI32(00000000,00000000), ref: 0100405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01004068
DeleteDC.GDI32(00000000), ref: 01004072
GetWindowLongW.USER32(?,000000EC), ref: 0100407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01004092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0100409E

Strings

static, xrefs: 01003FD3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 038e87d678c2230efb6a7e1f8dc603a4b642d96dd2a3984c5bb7131270fa23fa
Instruction ID: a38d653640f7bbf81a3c61c9375b72cd74bbc09b09ea2c406149d26da49f4fc7
Opcode Fuzzy Hash: 038e87d678c2230efb6a7e1f8dc603a4b642d96dd2a3984c5bb7131270fa23fa
Instruction Fuzzy Hash: 55312A31501215ABEB239F68DD04FDA3BA8EF0D320F110355FA98E61D0C776D8619B54

Function 00FF3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF3C5C
CoInitialize.OLE32(00000000), ref: 00FF3C8A
CoUninitialize.OLE32 ref: 00FF3C94
_wcslen.LIBCMT ref: 00FF3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FF3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FF3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FF3F0E
CoGetObject.OLE32(?,00000000,0100FB98,?), ref: 00FF3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FF3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FF3FC4
VariantClear.OLEAUT32(?), ref: 00FF3FD8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d8a8246f663751d31aaed187af7ea88c69660f1113fcbd7d4a85b6cd1faa1704
Instruction ID: e22b94e7e01a0327829b88b165c54a2bccbd650cea70d48055827c74ba1970ce
Opcode Fuzzy Hash: d8a8246f663751d31aaed187af7ea88c69660f1113fcbd7d4a85b6cd1faa1704
Instruction Fuzzy Hash: A1C178716083099FD700DF28C88492BB7E9FF89758F14495DFA8A9B260DB31EE05DB52

Function 00FE7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FE7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FE7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FE7BA3
CoCreateInstance.OLE32(0100FD08,00000000,00000001,01036E6C,?), ref: 00FE7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FE7C74
CoTaskMemFree.OLE32(?,?), ref: 00FE7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FE7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FE7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FE7D81
CoTaskMemFree.OLE32(00000000), ref: 00FE7DD6
CoUninitialize.OLE32 ref: 00FE7DDC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5de39e2b4e2f7d4f3a4d47ecf3db3c13201b24fea78cc86938c000495a9a3356
Instruction ID: 4730c19904e0993a70d6ef89da67642d1b4b18330a442ce84943d34e0d122276
Opcode Fuzzy Hash: 5de39e2b4e2f7d4f3a4d47ecf3db3c13201b24fea78cc86938c000495a9a3356
Instruction Fuzzy Hash: C8C16A74A04249AFDB14DFA5C884DAEBBF9FF48314B148199E819DB261CB31EE41DB90

Function 0100541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01005504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01005515
CharNextW.USER32(00000158), ref: 01005544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01005585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0100559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010055AC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 376eee25492959c27c00bd2b663799e0c590252d8623f92cee7635c37ff42a8b
Instruction ID: ba3b0dc33ed22fa89d5ce26b5b769bc52da95a3e8e4bfdfae0d764c659f2b5ca
Opcode Fuzzy Hash: 376eee25492959c27c00bd2b663799e0c590252d8623f92cee7635c37ff42a8b
Instruction Fuzzy Hash: 41617F75A00209ABFF228F54CC84DFE7BB9EB0A725F004185F6A5A72D0DB759A41CF60

Function 00FCFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FCFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00FCFB08
VariantInit.OLEAUT32(?), ref: 00FCFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FCFB3A
VariantCopy.OLEAUT32(?,?), ref: 00FCFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FCFBA1
VariantClear.OLEAUT32(?), ref: 00FCFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FCFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FCFBCC
VariantClear.OLEAUT32(?), ref: 00FCFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FCFBE9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 905977286eff648be361fea5e86e22ca78442b488019de6f1bc146d814e4ed74
Instruction ID: d8dde1c5f78ab6a2fe430ea0a714ee1f88c123d1813a7fc6325efa92465e4e72
Opcode Fuzzy Hash: 905977286eff648be361fea5e86e22ca78442b488019de6f1bc146d814e4ed74
Instruction Fuzzy Hash: 6041C231A0021A9FDB10DF64C945EEDBBB9FF48300F018069F846A7251CB39AD49DFA0

Function 00FD9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FD9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FD9D22
GetKeyState.USER32(000000A0), ref: 00FD9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FD9D57
GetKeyState.USER32(000000A1), ref: 00FD9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FD9D84
GetKeyState.USER32(00000011), ref: 00FD9D96
GetAsyncKeyState.USER32(00000012), ref: 00FD9DAE
GetKeyState.USER32(00000012), ref: 00FD9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FD9DD8
GetKeyState.USER32(0000005B), ref: 00FD9DEA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a0d9f7776f602643ba383543b0a38026286839427507981f6aaa501278db3b7a
Instruction ID: 9a8d502887ebb6e6fc2cf398793521cbbc8ee3331f962152b22aa3144f3f32dc
Opcode Fuzzy Hash: a0d9f7776f602643ba383543b0a38026286839427507981f6aaa501278db3b7a
Instruction Fuzzy Hash: 0D41B534D087CA69FF3197A084043A5BEA36B11364F0C815BDAC6567C2DBE599C4E7A2

Function 00FF055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF05BC
inet_addr.WSOCK32(?), ref: 00FF061C
gethostbyname.WSOCK32(?), ref: 00FF0628
IcmpCreateFile.IPHLPAPI ref: 00FF0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FF07B9
WSACleanup.WSOCK32 ref: 00FF07BF

Strings

Ping, xrefs: 00FF0676

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b37024ec90e8eb52956e5b598a2e7b09a81deea2d2520cbd89ac64d16278fe6b
Instruction ID: 8de95c10fa20c9fd603474b7052906a897ff9794f572150105cd2e916bdc3e66
Opcode Fuzzy Hash: b37024ec90e8eb52956e5b598a2e7b09a81deea2d2520cbd89ac64d16278fe6b
Instruction Fuzzy Hash: EB91C0369082019FD720DF15C588F2ABBE0AF44328F1885A9F5698B6B2CB75EC41DF91

Function 00FF8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FF8CF3

Part of subcall function 00FD8E54: _wcslen.LIBCMT ref: 00FD8E77

_wcslen.LIBCMT ref: 00FF8D4E
_wcslen.LIBCMT ref: 00FF8D9C
_wcslen.LIBCMT ref: 00FF8DDC
_wcslen.LIBCMT ref: 00FF8E6E

Strings

cdecl, xrefs: 00FF8D48, 00FF8D4D
winapi, xrefs: 00FF8D96, 00FF8D9B
none, xrefs: 00FF8E65, 00FF8E6A
stdcall, xrefs: 00FF8DD6, 00FF8DDB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7b7f6d5ecf3f02e6dec432c7f5a362ebd552d4a97c3b8722d1a0d16fe869987f
Instruction ID: 751ce2a1ec0be60f4c707c8200589ae9afe4160e5eb9e12f2c3bfe9b5d4a368d
Opcode Fuzzy Hash: 7b7f6d5ecf3f02e6dec432c7f5a362ebd552d4a97c3b8722d1a0d16fe869987f
Instruction Fuzzy Hash: 7B51D432E0011A9BCF14DFA8CD419BEB7A5BF643A0B204219E656E72D4DB35DD42E790

Function 00FF372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FF3774
CoUninitialize.OLE32 ref: 00FF377F
CoCreateInstance.OLE32(?,00000000,00000017,0100FB78,?), ref: 00FF37D9
IIDFromString.OLE32(?,?), ref: 00FF384C
VariantInit.OLEAUT32(?), ref: 00FF38E4
VariantClear.OLEAUT32(?), ref: 00FF3936

Strings

Invalid parameter, xrefs: 00FF3865
NULL Pointer assignment, xrefs: 00FF381E
Failed to create object, xrefs: 00FF37E4, 00FF389A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3e052fc6f9037fc9142be15a2c9e69d1e522acfa086dd385c6b2126877ac7318
Instruction ID: 3f07b7c695687184b9cd3ea52e8994d78ba3858ff55bc6308fd61cb1528acf03
Opcode Fuzzy Hash: 3e052fc6f9037fc9142be15a2c9e69d1e522acfa086dd385c6b2126877ac7318
Instruction Fuzzy Hash: 1561D472608305AFD311EF54C848F6AB7E8EF44750F10494DF6859B2A1D778EE48EB92

Function 00FE3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FE33CF

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FE33F0

Strings

Incorrect parameters to object property !, xrefs: 00FE34AB
Line %d (File "%s"):, xrefs: 00FE3443, 00FE345C
"%s" (%d) : ==> %s:, xrefs: 00FE3522
^ ERROR , xrefs: 00FE349E
Error: , xrefs: 00FE34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00FE3504

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6858ac5c59234d02147f51bc8a10be36ec9414e4ecef202f2597a6dd184f39a5
Instruction ID: 6485a1d62212a0af0ebc51373dcb3ea06b79f7aa591e6c8ea8be97e5f2833a50
Opcode Fuzzy Hash: 6858ac5c59234d02147f51bc8a10be36ec9414e4ecef202f2597a6dd184f39a5
Instruction Fuzzy Hash: AE518F7180020ABADF15EBA1CD46EEEB379AF14340F148166F50972152EB792F58EB62

Function 00FDB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FDB5FC
_wcslen.LIBCMT ref: 00FDB608
_wcslen.LIBCMT ref: 00FDB64D
_wcslen.LIBCMT ref: 00FDB68C
_wcslen.LIBCMT ref: 00FDB6C7

Strings

EXISTS, xrefs: 00FDB686, 00FDB68B
REMOVE, xrefs: 00FDB602, 00FDB607
KEYS, xrefs: 00FDB647, 00FDB64C
APPEND, xrefs: 00FDB6C1, 00FDB6C6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 077090573611d4fb4d68a3dd88dd9b69a9cd4e705fc026e85ea36f5700f47b07
Instruction ID: 41531e6afd400501e890162708735096aeef3fd47dba6f5f608fc1db24a86cee
Opcode Fuzzy Hash: 077090573611d4fb4d68a3dd88dd9b69a9cd4e705fc026e85ea36f5700f47b07
Instruction Fuzzy Hash: 9441C632E00026DBCB105F7DCC905BE77A6ABA5764B2A426BE461D7384E735CD81E790

Function 00FE5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FE5416
GetLastError.KERNEL32 ref: 00FE5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FE54A7

Strings

UNKNOWN, xrefs: 00FE5444
READY, xrefs: 00FE5460, 00FE5468
INVALID, xrefs: 00FE5459
NOTREADY, xrefs: 00FE544B
READONLY, xrefs: 00FE5452

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 968649f969b294ca7b00c82e2ae909eb0f5d1cc2d0abf5c55d688b6f5203d104
Instruction ID: 4dba11ea384d58a9f86908e46a04f89b3c027743727d2610e0eca143917eac35
Opcode Fuzzy Hash: 968649f969b294ca7b00c82e2ae909eb0f5d1cc2d0abf5c55d688b6f5203d104
Instruction Fuzzy Hash: FC311035E002449FC711DF69C894BAABBF8FF44719F148056E405CB292D776EE82DBA1

Function 01003C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01003C79
SetMenu.USER32(?,00000000), ref: 01003C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01003D10
IsMenu.USER32(?), ref: 01003D24
CreatePopupMenu.USER32 ref: 01003D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01003D5B
DrawMenuBar.USER32 ref: 01003D63

Strings

F, xrefs: 01003D4E
0, xrefs: 01003C54

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 768b9ca589e66bd0acadbef6268e1ac8a23cb0080a4a71190c16f020cc549316
Instruction ID: 705319423b2b1e1afcc2d0c5d38bf5e1c7e7d1d0e72d42c135835a7221d7f3fc
Opcode Fuzzy Hash: 768b9ca589e66bd0acadbef6268e1ac8a23cb0080a4a71190c16f020cc549316
Instruction Fuzzy Hash: 9C419F79605209EFEB26DF54E984E9A7BF5FF49300F040169FA869B390D735A910CF50

Function 00FD1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FD1F64
GetDlgCtrlID.USER32 ref: 00FD1F6F
GetParent.USER32 ref: 00FD1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD1F8E
GetDlgCtrlID.USER32(?), ref: 00FD1F97
GetParent.USER32(?), ref: 00FD1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD1FAE

Strings

ComboBox, xrefs: 00FD1EEC
ListBox, xrefs: 00FD1F21

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 39bfabb48522adede1eec8903f8b301a24ed8975148c2a49a63427460efa3f01
Instruction ID: 9bcb438bb3eb9e2ab2dae2d5acc6bf5983da8271b896b40ff6971fddfce0f530
Opcode Fuzzy Hash: 39bfabb48522adede1eec8903f8b301a24ed8975148c2a49a63427460efa3f01
Instruction Fuzzy Hash: 22210771E00114BBDF25AFA0CC45DEEBBB9FF09310F044246F99567291CB795914EB61

Function 00FD1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FD2043
GetDlgCtrlID.USER32 ref: 00FD204E
GetParent.USER32 ref: 00FD206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD206D
GetDlgCtrlID.USER32(?), ref: 00FD2076
GetParent.USER32(?), ref: 00FD208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD208D

Strings

ComboBox, xrefs: 00FD1FCD
ListBox, xrefs: 00FD2002

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2eb324d12c417ca7933d05ef53c515327e6398f2d098f3cb06901fe73de08f2f
Instruction ID: 438e823b6ed703cdb7b5aa69b4d8486c0db21c4e220ee0f99345272c3c8b49f5
Opcode Fuzzy Hash: 2eb324d12c417ca7933d05ef53c515327e6398f2d098f3cb06901fe73de08f2f
Instruction Fuzzy Hash: B7213571E00214BBDF21AFA0CC89EFEBBB9EF18300F044046F995A7291CB795914EB61

Function 01003A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01003A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01003AA0
GetWindowLongW.USER32(?,000000F0), ref: 01003AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01003AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01003B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01003BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01003BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01003BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01003BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01003C13

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2c50d15b668bfe2527691c4083e35d2c30ad5d6ec4aefccae57167c42b5d5a6b
Instruction ID: 8e0dc1587eb4acbe25512789cd36aa2553d6cc9747f8facc6b7c72f44672d044
Opcode Fuzzy Hash: 2c50d15b668bfe2527691c4083e35d2c30ad5d6ec4aefccae57167c42b5d5a6b
Instruction Fuzzy Hash: F8617975900208AFEB22DF68CC81EEE77F8BB49304F100199FA55EB291D774A981DB50

Function 00FDB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FDB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FDB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB21D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 44b1574c7f75fb26e2015f8e082aefc3e07f6f240795185e3c65dab2cd2b34b0
Instruction ID: 53ed481c2615a9dc5f251f180c83b86ef90b0923cb8704f94f56666068d55582
Opcode Fuzzy Hash: 44b1574c7f75fb26e2015f8e082aefc3e07f6f240795185e3c65dab2cd2b34b0
Instruction Fuzzy Hash: 9C31F7B6900204FFEB369F24ED98B6D7B7ABB15366F154206F940CA244C7799C009F20

Function 00FA2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA2C94

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FA2CA0
_free.LIBCMT ref: 00FA2CAB
_free.LIBCMT ref: 00FA2CB6
_free.LIBCMT ref: 00FA2CC1
_free.LIBCMT ref: 00FA2CCC
_free.LIBCMT ref: 00FA2CD7
_free.LIBCMT ref: 00FA2CE2
_free.LIBCMT ref: 00FA2CED
_free.LIBCMT ref: 00FA2CFB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2f7da763b34ac6b090d6df175e90438a07c33d12e00f92d6ac32a6d52c43203c
Instruction ID: 29ca72d9a52389bca7038eaca1d4a6a3c9cb23729255794fae39fb831136d7c1
Opcode Fuzzy Hash: 2f7da763b34ac6b090d6df175e90438a07c33d12e00f92d6ac32a6d52c43203c
Instruction Fuzzy Hash: CF1196B6600108AFCB82EF5CDC42CDE3BB5FF0A750F414495FA485B222D635EA50BB91

Function 00FE7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FE7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FE7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FE8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FE80B0

Strings

*.*, xrefs: 00FE8066

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fd8a2be14dbb7378c90998b4a5a239a95d3ccd4162fe86f1a2541e66ec02b33f
Instruction ID: f14be8dbd58890e65af17cadfb306117d45957319c3f25c39578bd7e8fb9b84f
Opcode Fuzzy Hash: fd8a2be14dbb7378c90998b4a5a239a95d3ccd4162fe86f1a2541e66ec02b33f
Instruction Fuzzy Hash: F181C2729083819BCB24FF16C840AAEB3D8BF84320F14486EF589D7250EB75DD45AB92

Function 00F75BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F75C7A

Part of subcall function 00F75D0A: GetClientRect.USER32(?,?), ref: 00F75D30
Part of subcall function 00F75D0A: GetWindowRect.USER32(?,?), ref: 00F75D71
Part of subcall function 00F75D0A: ScreenToClient.USER32(?,?), ref: 00F75D99

GetDC.USER32 ref: 00FB46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FB4708
SelectObject.GDI32(00000000,00000000), ref: 00FB4716
SelectObject.GDI32(00000000,00000000), ref: 00FB472B
ReleaseDC.USER32(?,00000000), ref: 00FB4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FB47C4

Strings

U, xrefs: 00FB4693

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e58e6df69d394c34578f3ee3eef627856f60df1cf72da4ed56f94d23bef50f04
Instruction ID: 72da52f01d60f87e65c4b278a7d20fd6f5c15293a343b6366923028e5a55edeb
Opcode Fuzzy Hash: e58e6df69d394c34578f3ee3eef627856f60df1cf72da4ed56f94d23bef50f04
Instruction Fuzzy Hash: 72712635800205DFDF22CF64CA84AFA7BB6FF4A320F24426AED955A196C735AC41EF51

Function 00FE359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FE35E4

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

LoadStringW.USER32(01042390,?,00000FFF,?), ref: 00FE360A

Strings

^ ERROR, xrefs: 00FE36C9
Line %d (File "%s"):, xrefs: 00FE366B
"%s" (%d) : ==> %s:, xrefs: 00FE3742
Error: , xrefs: 00FE36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00FE3724

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f8810fe469bce1a6c6236f7dc56985142a77afb150894cadfc6543205cbe048b
Instruction ID: 8ac103318ccb3eab7da73861ce375dc9388cf7ddce5e6dce2cc414be2049b0ce
Opcode Fuzzy Hash: f8810fe469bce1a6c6236f7dc56985142a77afb150894cadfc6543205cbe048b
Instruction Fuzzy Hash: 50518071C04259BBDF15EBA1CD46EEDBB79AF14300F048126F10972191EB792B98EF62

Function 01008B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

Part of subcall function 00F8912D: GetCursorPos.USER32(?), ref: 00F89141
Part of subcall function 00F8912D: ScreenToClient.USER32(00000000,?), ref: 00F8915E
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000001), ref: 00F89183
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000002), ref: 00F8919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01008B6B
ImageList_EndDrag.COMCTL32 ref: 01008B71
ReleaseCapture.USER32 ref: 01008B77
SetWindowTextW.USER32(?,00000000), ref: 01008C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01008C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01008CFF

Strings

@GUI_DROPID, xrefs: 01008C51
@GUI_DRAGFILE, xrefs: 01008C9A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 4e9ded5203b50109c706e8010c94bff03523aa0b19c19cff2d7a4d00eb9cfba6
Instruction ID: 940875e15ef9159be178d3e3d5d1ae4a6938cee31431827ccc46416463cb5588
Opcode Fuzzy Hash: 4e9ded5203b50109c706e8010c94bff03523aa0b19c19cff2d7a4d00eb9cfba6
Instruction Fuzzy Hash: EC51BC74508304AFE711EF24CD85FAA77E4FB88710F000A6EF996972D1CB75A944CB62

Function 00FEC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FEC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FEC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FEC2CA
GetLastError.KERNEL32 ref: 00FEC322
SetEvent.KERNEL32(?), ref: 00FEC336
InternetCloseHandle.WININET(00000000), ref: 00FEC341

Strings

, xrefs: 00FEC2BB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c85e34ffc5952e495529b8857e2e61a92108f59b314f765f06628042d38e6179
Instruction ID: fe65f4618f835cab85486f0b3aeba50bf2f52dfc4ed8c6dbcfe65c801df6426f
Opcode Fuzzy Hash: c85e34ffc5952e495529b8857e2e61a92108f59b314f765f06628042d38e6179
Instruction Fuzzy Hash: 34318271500284AFE7319F668D84A6B7BFCFB49754F14851EF48AD3200DB35DD06ABA1

Function 00FD989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FB3AAF,?,?,Bad directive syntax error,0100CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FD98BC
LoadStringW.USER32(00000000,?,00FB3AAF,?), ref: 00FD98C3

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FD9987

Strings

Line %d:, xrefs: 00FD9912
Line %d (File "%s"):, xrefs: 00FD992D
Error: , xrefs: 00FD9955
%s (%d) : ==> %s.: %s %s, xrefs: 00FD98F1
., xrefs: 00FD996D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: da86493a267b958935013a0f4e5b10ed709cec5e7894042dca83d662ab3501a5
Instruction ID: 825c1260237dbdce7768607e240a50e0050a3a0dfc0a6ee97804dbc4b263e5ba
Opcode Fuzzy Hash: da86493a267b958935013a0f4e5b10ed709cec5e7894042dca83d662ab3501a5
Instruction Fuzzy Hash: B1217431C0421AFBDF26AF90CC16EED7779FF18300F04845AF51966091DB759658EB52

Function 00FD209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FD20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FD20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FD214D

Strings

smallicons, xrefs: 00FD2115
list, xrefs: 00FD212F
details, xrefs: 00FD20FB
SHELLDLL_DefView, xrefs: 00FD20CC
largeicons, xrefs: 00FD20E1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c6b6beacad8c1bbb99ecc1728e5ca0688f860daf6798d42cc48a1a9a9bc915ed
Instruction ID: c45d3f6a675959100fa4a44128032943f7088b92cfd8acd729e7cdb090dc8831
Opcode Fuzzy Hash: c6b6beacad8c1bbb99ecc1728e5ca0688f860daf6798d42cc48a1a9a9bc915ed
Instruction Fuzzy Hash: 24115C77688306B9FA162621DC07DA6339DCF24734F20425BF744A91E1FE6978037A54

Function 00FA8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb171f071d8c3044b073b5e12bbf0b3194e76c24bf7f1cb751be8d219b055805
Instruction ID: 8e2b9af5e07538e0409309ad6e03a9813cbf9a2a0801e96a1e72a995ad876b61
Opcode Fuzzy Hash: eb171f071d8c3044b073b5e12bbf0b3194e76c24bf7f1cb751be8d219b055805
Instruction Fuzzy Hash: 5CC109F5D082499FDF11DFA8C881BADBFB0AF0A360F0440A5F954A7392C7B59941EB61

Function 00FACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FACEB7
_free.LIBCMT ref: 00FACF22
_free.LIBCMT ref: 00FACF48
_free.LIBCMT ref: 00FACF71
_free.LIBCMT ref: 00FACFA9
_free.LIBCMT ref: 00FACFDA
_free.LIBCMT ref: 00FAD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FAD09C
_free.LIBCMT ref: 00FAD0B5

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 2f9084b2c38dbbf375c4bb42ecab3d1f416c95d05ae639046e24c7b30b6a6265
Instruction ID: b0d559979e3b34a3c15fcfeb5039990e470fb340746c57130f52f2cdfe9a5b79
Opcode Fuzzy Hash: 2f9084b2c38dbbf375c4bb42ecab3d1f416c95d05ae639046e24c7b30b6a6265
Instruction Fuzzy Hash: 21615BF2E042006FDF21BF789C8166E7BA5AF07720F04416DFA91A7249D73A9D00B7A0

Function 010050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01005186
ShowWindow.USER32(?,00000000), ref: 010051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010051D1

Part of subcall function 01006FBA: DeleteObject.GDI32(00000000), ref: 01006FE6

GetWindowLongW.USER32(?,000000F0), ref: 0100520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0100521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0100524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01005287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01005296

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8b909531e1b2d0b0a3b0fed339d2b17779ffb5db2938c19ff2139de42ea1205a
Instruction ID: 58a889487db2c726137c36c127fc394651ebe571c013e090ad61fa4762a7f75f
Opcode Fuzzy Hash: 8b909531e1b2d0b0a3b0fed339d2b17779ffb5db2938c19ff2139de42ea1205a
Instruction Fuzzy Hash: 4F517D30A50209FFFF329F28CC49BD93BA5AF46321F148151F695962D0D77AA990DF41

Function 00F88B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00FC6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00FC68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FC68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00FC68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FC68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F88874,00000000,00000000,00000000,000000FF,00000000), ref: 00FC6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FC691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F88874,00000000,00000000,00000000,000000FF,00000000), ref: 00FC692D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5cc1923285ab587c37c908ced9d13f567ccca2475129650104cf949999f46163
Instruction ID: 3195d82538d749e814f2c91142f1bec962d6813c334d0cbfacd5035d75ddd7ff
Opcode Fuzzy Hash: 5cc1923285ab587c37c908ced9d13f567ccca2475129650104cf949999f46163
Instruction Fuzzy Hash: FC517B74A00206AFEB20DF24CD85FAA7BB5FF88760F104618F946D7290DB75E991EB50

Function 00FEC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FEC182
GetLastError.KERNEL32 ref: 00FEC195
SetEvent.KERNEL32(?), ref: 00FEC1A9

Part of subcall function 00FEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FEC272
Part of subcall function 00FEC253: GetLastError.KERNEL32 ref: 00FEC322
Part of subcall function 00FEC253: SetEvent.KERNEL32(?), ref: 00FEC336
Part of subcall function 00FEC253: InternetCloseHandle.WININET(00000000), ref: 00FEC341

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bda2e0dea6446a904bc1005bd8fd980f8b58d4eccce16513ab9cc270b8b0fee4
Instruction ID: 639f6c1ee13e2147848a6cee9f5c3ee0ad830f421633cf75d6142081e586c493
Opcode Fuzzy Hash: bda2e0dea6446a904bc1005bd8fd980f8b58d4eccce16513ab9cc270b8b0fee4
Instruction Fuzzy Hash: 6B31B071600781AFEB219FA6DD04A67BBF8FF58310F00451DFA9A83600D735E812EBA0

Function 00FD25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FD25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FD25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FD2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FD2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FD2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FD2627

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9e9e209a98781f2e3b2a096ffbcc5b0af6d242433a3a8a53b3255b90db2141b4
Instruction ID: 6aa680cec74c331ed0b92c82e0f5bec288cec7261b6e7e1e594a5004c28b560a
Opcode Fuzzy Hash: 9e9e209a98781f2e3b2a096ffbcc5b0af6d242433a3a8a53b3255b90db2141b4
Instruction Fuzzy Hash: 3801D831394210BBFB2167689C8AF593F59DB5EB11F100142F354AF1C4C9F764449AAA

Function 00FD1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FD1449,?,?,00000000), ref: 00FD180C
HeapAlloc.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FD1449,?,?,00000000), ref: 00FD1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FD1449,?,?,00000000), ref: 00FD1830
DuplicateHandle.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FD1449,?,?,00000000), ref: 00FD1843
GetCurrentProcess.KERNEL32(00FD1449,00000000,?,00FD1449,?,?,00000000), ref: 00FD184B
DuplicateHandle.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD184E
CreateThread.KERNEL32(00000000,00000000,00FD1874,00000000,00000000,00000000), ref: 00FD1868

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b70eba85f4a61950bf8f8715da74a0fdbe6093e0bdce4704331872b6e39b09c3
Instruction ID: a15f71d4f45974fb9fb346b5b649b3d132ef8955da17354ab8c553b49def4e71
Opcode Fuzzy Hash: b70eba85f4a61950bf8f8715da74a0fdbe6093e0bdce4704331872b6e39b09c3
Instruction Fuzzy Hash: 8B01BF75240304BFF721AB65DD4DF973B6CEB89B11F004551FA45DB195C6759800CB20

Function 00FFA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FDD501
Part of subcall function 00FDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FDD50F
Part of subcall function 00FDD4DC: CloseHandle.KERNELBASE(00000000), ref: 00FDD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFA16D
GetLastError.KERNEL32 ref: 00FFA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FFA268
GetLastError.KERNEL32(00000000), ref: 00FFA273
CloseHandle.KERNEL32(00000000), ref: 00FFA2C4

Strings

SeDebugPrivilege, xrefs: 00FFA18F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 90d9f07b25f27ff30df82fb781cd0929dc088c78367d2a380f738ad49eeae9bc
Instruction ID: 59341f6a230f150cb6d37d029af7226cbf57e358fa3e5d76b05d94365d70309e
Opcode Fuzzy Hash: 90d9f07b25f27ff30df82fb781cd0929dc088c78367d2a380f738ad49eeae9bc
Instruction Fuzzy Hash: 9261C171604242AFD320DF18C894F29BBE1AF44318F18C48DE56A8B7A3C776ED45DB92

Function 01003886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01003925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0100393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01003954
_wcslen.LIBCMT ref: 01003999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010039F4

Strings

SysListView32, xrefs: 010038F7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0e32352119a972717ab4603bd0dde06fb53aff303240a6b2a272a2ee78c82ad5
Instruction ID: bd189f9c9bdd15fa94278fc7fe8705f60e12777dad6bdb245647602e34646fdb
Opcode Fuzzy Hash: 0e32352119a972717ab4603bd0dde06fb53aff303240a6b2a272a2ee78c82ad5
Instruction Fuzzy Hash: FC416371900219AFFB239F64CC45BEA7BA9FF48350F10056AF594EB1C1D7759990CB90

Function 00FDBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDBCFD
IsMenu.USER32(00000000), ref: 00FDBD1D
CreatePopupMenu.USER32 ref: 00FDBD53
GetMenuItemCount.USER32(015C52F0), ref: 00FDBDA4
InsertMenuItemW.USER32(015C52F0,?,00000001,00000030), ref: 00FDBDCC

Strings

0, xrefs: 00FDBCA8
2, xrefs: 00FDBD37

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2b32684eb93679f98d6ebafa285eaf0ca57ebb2d0f35e0df6e6a547dfae933f5
Instruction ID: 6106edc22f8e22d8565e86e05dbada07689775f6af2ef2f77987d3e8f89845a4
Opcode Fuzzy Hash: 2b32684eb93679f98d6ebafa285eaf0ca57ebb2d0f35e0df6e6a547dfae933f5
Instruction Fuzzy Hash: E051BC70A00209EBDB21CFA8D888BAEBBF7BF49324F19425AE44197390D7759941DB61

Function 00FDC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FDC913

Strings

blank, xrefs: 00FDC895
warning, xrefs: 00FDC8FC
question, xrefs: 00FDC8CC
stop, xrefs: 00FDC8E4
info, xrefs: 00FDC8B4

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a6c28aa042d0981f726e6ef16db48f00d8f622e2821f045aeb738c78592ecf44
Instruction ID: a790446602b451c00c9f46baf56609592332f1e3be9b19b9423e06eda1cae83a
Opcode Fuzzy Hash: a6c28aa042d0981f726e6ef16db48f00d8f622e2821f045aeb738c78592ecf44
Instruction Fuzzy Hash: 24112E33A89307BAFB025B549C83D9E379DDF15730B54002FF500A6381E7796E00B2A5

Function 00FDDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FDDE42
gethostname.WSOCK32(?,00000100), ref: 00FDDE5C
gethostbyname.WSOCK32(?), ref: 00FDDE69
inet_ntoa.WSOCK32(?), ref: 00FDDEAB
_strcat.LIBCMT ref: 00FDDEB9
WSACleanup.WSOCK32 ref: 00FDDEDE

Strings

0.0.0.0, xrefs: 00FDDE87

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 478c4ed7f136cb9b1baed7c4c29ef158e4c9e440d2fa8bbdd3082fc3178124c3
Instruction ID: 019238335231f72bbfbd5cef68e623cd86cd9f05d8f6bff7dcad45784d5f91a3
Opcode Fuzzy Hash: 478c4ed7f136cb9b1baed7c4c29ef158e4c9e440d2fa8bbdd3082fc3178124c3
Instruction Fuzzy Hash: 03113A31800104AFEB347B20DC0AEDE376DDF10320F0402AAF4459A181EF7A9A81A750

Function 01009F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

GetSystemMetrics.USER32(0000000F), ref: 01009FC7
GetSystemMetrics.USER32(0000000F), ref: 01009FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0100A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0100A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0100A263
ShowWindow.USER32(00000003,00000000), ref: 0100A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0100A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0100A2CA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 94b402548b22ef6958b1520236c6c67d5afef7663ff2ada829f51563457904f6
Instruction ID: 4ac5bdd8fdb6f298c0712ede168d5797163eaabaee630579842490e685faf34c
Opcode Fuzzy Hash: 94b402548b22ef6958b1520236c6c67d5afef7663ff2ada829f51563457904f6
Instruction Fuzzy Hash: 99B18C35600215DBEF16CF6CC9857AE7BF2BF48741F0881A9ED899B289DB35A940CB50

Function 00FDED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FDED2A
_wcslen.LIBCMT ref: 00FDED3B
_wcslen.LIBCMT ref: 00FDED79
_wcslen.LIBCMT ref: 00FDEDAF
_wcslen.LIBCMT ref: 00FDEDDF
_wcslen.LIBCMT ref: 00FDEDEF
_wcslen.LIBCMT ref: 00FDEE2B
_wcslen.LIBCMT ref: 00FDEE5A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9cd6da929521200242b89db2ba63aa8151c528416badddaab0714d77ef0e3763
Instruction ID: c7c1a1c41ecb3994fabf6f0f86766cd94b14ecac55b4d85998fff303440c8b59
Opcode Fuzzy Hash: 9cd6da929521200242b89db2ba63aa8151c528416badddaab0714d77ef0e3763
Instruction Fuzzy Hash: 7441B265C1021875EF11FBF48C8A9CFB7A9AF45710F508466E518E3222FB38E245D3A5

Function 00F8F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00F8F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00FCF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00FCF454

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e3826be9a345dbb059d9c1431b3f79db064f4025fb20e2ffcb327e1df332ddba
Instruction ID: ab807845c0ba1be2792003ebd0448f26a58ee614a13ccf919becea8a861074ad
Opcode Fuzzy Hash: e3826be9a345dbb059d9c1431b3f79db064f4025fb20e2ffcb327e1df332ddba
Instruction Fuzzy Hash: 67412031A18680FFD739AB2DCE89BA67B927B55330F14453CE0C756554C63AA88CF711

Function 01002D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01002D1B
GetDC.USER32(00000000), ref: 01002D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01002D2E
ReleaseDC.USER32(00000000,00000000), ref: 01002D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01002D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01002D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01005A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01002DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01002DE1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ef8f83d9aca511749607eab8affa78d162681305073c46bfc253f40f14fa521a
Instruction ID: 6a86748a52ff80095c6a8dc3a13a36fc30d45cbd73f726093ab46c97c2aa924d
Opcode Fuzzy Hash: ef8f83d9aca511749607eab8affa78d162681305073c46bfc253f40f14fa521a
Instruction Fuzzy Hash: D2318B72201214BBFB229F548C89FEB3FADEB09711F044195FE889A2C1C67A9C41C7A0

Function 00FD5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FD5637
_memcmp.LIBVCRUNTIME ref: 00FD5659
_memcmp.LIBVCRUNTIME ref: 00FD5671
_memcmp.LIBVCRUNTIME ref: 00FD5684
_memcmp.LIBVCRUNTIME ref: 00FD569E
_memcmp.LIBVCRUNTIME ref: 00FD56B1
_memcmp.LIBVCRUNTIME ref: 00FD56C9
_memcmp.LIBVCRUNTIME ref: 00FD56E4

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a1d5e628a70e3ce9221d33ea3299d5c6da75727772a5cd089b3884608d8b59c
Instruction ID: 4a0b68714b775a7e2e73c725da758550dba626f67a705f1b8e88059d610ee529
Opcode Fuzzy Hash: 9a1d5e628a70e3ce9221d33ea3299d5c6da75727772a5cd089b3884608d8b59c
Instruction Fuzzy Hash: A621CC62E44A0AB7F61655114E83FFA336EBF10B94F5C0026FE049E741F764ED10B5A5

Function 00FF4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FF5007
NULL Pointer assignment, xrefs: 00FF502E, 00FF5383

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 63afb7c3012332047c15446a2bf407d06544f798a4c8d8435228f0a72f56b260
Instruction ID: e5241c087a48f0a7b8aeacf14a06dfb95dc6c1edce845c079e0179768ddb8357
Opcode Fuzzy Hash: 63afb7c3012332047c15446a2bf407d06544f798a4c8d8435228f0a72f56b260
Instruction Fuzzy Hash: 28D1C071A0060EAFDF10CF98C880BBEB7B5BF48754F148169EA15AB291E770ED45DB90

Function 00FB1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00FB15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00FB17FB,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB16FB

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB1777
__freea.LIBCMT ref: 00FB17A2
__freea.LIBCMT ref: 00FB17AE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5d81eacd690e6f8449aa970342beae761e16435c62f6d32aad99d9d4ebc6bc03
Instruction ID: cf31b7a1b1ece4ca7f016ed322857d71b2a1a228f1ec52f439dbd0c2f1f1c22f
Opcode Fuzzy Hash: 5d81eacd690e6f8449aa970342beae761e16435c62f6d32aad99d9d4ebc6bc03
Instruction Fuzzy Hash: 6B91C672E102169ADF318E76CCA1AEE7BB5BF49320FA84659E801E7140DB35DD44EF60

Function 00FF4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF4648
VariantInit.OLEAUT32(?), ref: 00FF4749
VariantClear.OLEAUT32(?), ref: 00FF4753
VariantClear.OLEAUT32(?), ref: 00FF47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FF472C
Null Object assignment in FOR..IN loop, xrefs: 00FF45D8, 00FF4706, 00FF47BE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2243cb74f3902f6e3e09015df4ca4514574d1f86c16ebde6fd5576667b14cdc7
Instruction ID: 870d26d323999478da91a9101b86ed77cea6ec1e2f500cfa43eb39e4e5f209d9
Opcode Fuzzy Hash: 2243cb74f3902f6e3e09015df4ca4514574d1f86c16ebde6fd5576667b14cdc7
Instruction Fuzzy Hash: 2E918272E00219ABDF20DFA5C884FAFB7B8EF45724F108559F605AB290D774A941DFA0

Function 00FE1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FE125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FE1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FE12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE1430

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 20d33c3cdda2fe94a5e1a6248e7a12a1936aa1626068b45676049d99ba74f3dc
Instruction ID: 5aa53fbf52b365a4d6f235f78100bdf3e27b340f01fe0caf6d4e71910f334481
Opcode Fuzzy Hash: 20d33c3cdda2fe94a5e1a6248e7a12a1936aa1626068b45676049d99ba74f3dc
Instruction Fuzzy Hash: 9991F572E002499FEB01DF9AC884BFE77B5FF45324F114129EA40E7291D779A941EB90

Function 00F8948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 93ab3fd5512b15c9691c3894361b907430f93c9ea3894882162b6fea6598e3e0
Instruction ID: 29699c8ee4b113ace4b4068b5ec827483f21869afed8494094e39006c55c66a9
Opcode Fuzzy Hash: 93ab3fd5512b15c9691c3894361b907430f93c9ea3894882162b6fea6598e3e0
Instruction Fuzzy Hash: 4F915671D04209AFCB10DFA9CD84AEEBBB8FF49320F188149E511B7251D378AA41DF60

Function 00FF3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF396B
CharUpperBuffW.USER32(?,?), ref: 00FF3A7A
_wcslen.LIBCMT ref: 00FF3A8A
VariantClear.OLEAUT32(?), ref: 00FF3C1F

Part of subcall function 00FE0CDF: VariantInit.OLEAUT32(00000000), ref: 00FE0D1F
Part of subcall function 00FE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FE0D28
Part of subcall function 00FE0CDF: VariantClear.OLEAUT32(?), ref: 00FE0D34

Strings

Incorrect Parameter format, xrefs: 00FF39A6, 00FF3BA1
AUTOIT.ERROR, xrefs: 00FF3A80, 00FF3A85

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8192e218c65f7c7f3f2ec0c83c1ba88237a2305f58cef0bc7ccb556439b3547e
Instruction ID: 5298f62f1d07e23a73b6d0470fa58cf2e0c240f6b33002d56e8d61e479ec80d0
Opcode Fuzzy Hash: 8192e218c65f7c7f3f2ec0c83c1ba88237a2305f58cef0bc7ccb556439b3547e
Instruction Fuzzy Hash: 2B91AC75A083059FC700EF24C88096AB7E5FF88314F14896EF9899B361DB35EE45DB92

Function 00FF4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FD000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?,?,00FD035E), ref: 00FD002B
Part of subcall function 00FD000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0046
Part of subcall function 00FD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0054
Part of subcall function 00FD000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?), ref: 00FD0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FF4C51
_wcslen.LIBCMT ref: 00FF4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FF4DCF
CoTaskMemFree.OLE32(?), ref: 00FF4DDA

Strings

NULL Pointer assignment, xrefs: 00FF4E23, 00FF4E52

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a54500af83607e3714d561dc6ad71112568fe1df6fdb9e8088dbec7fa6564929
Instruction ID: ff417c5d720a7cbfe9768bb0d511fb310146ecd94412b73a8abca09679bdd7cc
Opcode Fuzzy Hash: a54500af83607e3714d561dc6ad71112568fe1df6fdb9e8088dbec7fa6564929
Instruction Fuzzy Hash: E6912871D0021DAFDF14DFA4CC81AEEB7B9BF48310F10816AE519A7251DB746A449F61

Function 010020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01002183
GetMenuItemCount.USER32(00000000), ref: 010021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010021DD
_wcslen.LIBCMT ref: 01002213
GetMenuItemID.USER32(?,?), ref: 0100224D
GetSubMenu.USER32(?,?), ref: 0100225B

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010022E3

Part of subcall function 00FDE97B: Sleep.KERNEL32 ref: 00FDE9F3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f75bd8410e14c9a68849abcfa987ae7bb1e81ec5dea752b5726867c207e9bc4e
Instruction ID: e5e16b28e838de5bde83f4f62e42c14d60c50a9e0bfa8c8b23b1faae1eb6e4e3
Opcode Fuzzy Hash: f75bd8410e14c9a68849abcfa987ae7bb1e81ec5dea752b5726867c207e9bc4e
Instruction Fuzzy Hash: A671C535E00205AFDB12EFA8C844AAEB7F1FF48310F148499E956EB381D739E9418F90

Function 01007E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015C52C8), ref: 01007F37
IsWindowEnabled.USER32(015C52C8), ref: 01007F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0100801E
SendMessageW.USER32(015C52C8,000000B0,?,?), ref: 01008051
IsDlgButtonChecked.USER32(?,?), ref: 01008089
GetWindowLongW.USER32(015C52C8,000000EC), ref: 010080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010080C3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5134a0f96e78c0108e614a99b410f21bd3a8e707b5254e74a0c60e9947be0d35
Instruction ID: 6d32ffa945af8c3b80d170ea91cdc41e17201eb9ea6c2a138a2550893251d2f7
Opcode Fuzzy Hash: 5134a0f96e78c0108e614a99b410f21bd3a8e707b5254e74a0c60e9947be0d35
Instruction Fuzzy Hash: 99713E74504204AFFB62DF58C884FBA7BF5EF09300F14449AE9C597291C739B841CB10

Function 00FDAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FDAEF9
GetKeyboardState.USER32(?), ref: 00FDAF0E
SetKeyboardState.USER32(?), ref: 00FDAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FDAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FDAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FDAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FDB020

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: eccce7d7f153125936a0b824399f7f978b2d6a2be9249c7fdf3de6a03e0476ae
Instruction ID: ef24d8ac99688cc27d8bab492643f7809ef34dc8dfe97ca58122ea7ee6622184
Opcode Fuzzy Hash: eccce7d7f153125936a0b824399f7f978b2d6a2be9249c7fdf3de6a03e0476ae
Instruction Fuzzy Hash: 835101A1A043D17DFB3347348C09BBBBFAA5B06314F0C858AE1D9459C2C3D9A8C8E351

Function 00FDACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FDAD19
GetKeyboardState.USER32(?), ref: 00FDAD2E
SetKeyboardState.USER32(?), ref: 00FDAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FDADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FDADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FDAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FDAE38

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c8cd29ef439ccc51c7f9c09bee7680362c2717b5e83126b94b6cd042da0d4848
Instruction ID: 83abe9f230fceb9798fe33bcb9e4ff6caf69fa7ae96520894efabf4df3f75871
Opcode Fuzzy Hash: c8cd29ef439ccc51c7f9c09bee7680362c2717b5e83126b94b6cd042da0d4848
Instruction Fuzzy Hash: 1C5115A19047D13DFB3383348C45B7A7FAB5B06311F0C858AE0D546AC2D298EC98F36A

Function 00FA542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FB3CD6,?,?,?,?,?,?,?,?,00FA5BA3,?,?,00FB3CD6,?,?), ref: 00FA5470
__fassign.LIBCMT ref: 00FA54EB
__fassign.LIBCMT ref: 00FA5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FB3CD6,00000005,00000000,00000000), ref: 00FA552C
WriteFile.KERNEL32(?,00FB3CD6,00000000,00FA5BA3,00000000,?,?,?,?,?,?,?,?,?,00FA5BA3,?), ref: 00FA554B
WriteFile.KERNEL32(?,?,00000001,00FA5BA3,00000000,?,?,?,?,?,?,?,?,?,00FA5BA3,?), ref: 00FA5584

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: be71d07ee7ea4997fa6895f6782e86546370998d2802300e2a6875209ced20fe
Instruction ID: 42af1ab16781ec3058c0cd1451106f54625d1b8a23c7c6193c4af600f048dd58
Opcode Fuzzy Hash: be71d07ee7ea4997fa6895f6782e86546370998d2802300e2a6875209ced20fe
Instruction Fuzzy Hash: 0251D3F1E006489FDB11CFA8D885AEEBBF9EF0A710F18415AF955E7281D7309A41CB60

Function 00F92D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F92D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F92D53
_ValidateLocalCookies.LIBCMT ref: 00F92DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F92E0C
_ValidateLocalCookies.LIBCMT ref: 00F92E61

Strings

csm, xrefs: 00F92DF6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 560f9ee7f4b9c2f1ff615afd606bcfd85608b94fd09ab1651ab43ed579cf03d5
Instruction ID: ee8e7073b90ee3b4044de8232879ee428f52dc52e1c45202be8d90c1138cc5f2
Opcode Fuzzy Hash: 560f9ee7f4b9c2f1ff615afd606bcfd85608b94fd09ab1651ab43ed579cf03d5
Instruction Fuzzy Hash: 3F41EE34E00208ABEF10EF68CC85A9EBBB4BF44324F148156F814AB392D7359E05EBD0

Function 00FF10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
Part of subcall function 00FF304E: _wcslen.LIBCMT ref: 00FF309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FF1112
WSAGetLastError.WSOCK32 ref: 00FF1121
WSAGetLastError.WSOCK32 ref: 00FF11C9
closesocket.WSOCK32(00000000), ref: 00FF11F9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4f8cba3d0fbc31666b1688da72e644b4689b42214cf6117b94f4fa26851159f5
Instruction ID: b7d0f9bb63d0969505410820fa49631619e077cd36566c34cad0da9a965acfc0
Opcode Fuzzy Hash: 4f8cba3d0fbc31666b1688da72e644b4689b42214cf6117b94f4fa26851159f5
Instruction Fuzzy Hash: F441F431600208EFEB209F24C884BBAB7E9FF45324F148159FA499B295C775AE41DBE1

Function 00FDCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FDCF22,?), ref: 00FDDDFD

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FDCF22,?), ref: 00FDDE16

lstrcmpiW.KERNEL32(?,?), ref: 00FDCF45
MoveFileW.KERNEL32(?,?), ref: 00FDCF7F
_wcslen.LIBCMT ref: 00FDD005
_wcslen.LIBCMT ref: 00FDD01B
SHFileOperationW.SHELL32(?), ref: 00FDD061

Strings

\*.*, xrefs: 00FDCFF3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a54f0ec467c0d5faba008e3b4c769dba311d938a65093bf11c23574348061fe4
Instruction ID: 0dfb43124197488ef2f45b332e8b6e5e16636bc8b165a77f78793c96c24483c0
Opcode Fuzzy Hash: a54f0ec467c0d5faba008e3b4c769dba311d938a65093bf11c23574348061fe4
Instruction Fuzzy Hash: EA417471D452195FDF12EBA4CD81EDEB7BAAF08380F0400E7E549EB241EA35A748DB50

Function 01002DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01002E1C
GetWindowLongW.USER32(?,000000F0), ref: 01002E4F
GetWindowLongW.USER32(?,000000F0), ref: 01002E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01002EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01002EE0
GetWindowLongW.USER32(?,000000F0), ref: 01002EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01002F0B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0f90d5bf89350f575b62727e915e341987cefb0cda05dc36e10a6ceb2fa4a4a4
Instruction ID: 17dea173d853bbd1ff8825af84bb14f4970afd6894bd7bb4891516829d31a955
Opcode Fuzzy Hash: 0f90d5bf89350f575b62727e915e341987cefb0cda05dc36e10a6ceb2fa4a4a4
Instruction Fuzzy Hash: F0310934644190AFEB32CF58DD88F6537E5EB59750F1501A4FA848B2E6CB76BC80DB41

Function 00FD7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD778F
SysAllocString.OLEAUT32(00000000), ref: 00FD7792
SysAllocString.OLEAUT32(?), ref: 00FD77B0
SysFreeString.OLEAUT32(?), ref: 00FD77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FD77DE
SysAllocString.OLEAUT32(?), ref: 00FD77EC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d74de4eb78c990963bfd69554c72dc4caf566d83bebe8bcd697a2b03ee114678
Instruction ID: ce953d752ef1278d72e55716178997975f20c32692896cc66b37390e39536f1d
Opcode Fuzzy Hash: d74de4eb78c990963bfd69554c72dc4caf566d83bebe8bcd697a2b03ee114678
Instruction Fuzzy Hash: 9621C776604219AFDF10EFA8CC84DBB73ADFB09364B048566F904DF290E674DC459760

Function 00FD77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7868
SysAllocString.OLEAUT32(00000000), ref: 00FD786B
SysAllocString.OLEAUT32 ref: 00FD788C
SysFreeString.OLEAUT32 ref: 00FD7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FD78AF
SysAllocString.OLEAUT32(?), ref: 00FD78BD

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 922ff8acbabc61dfa626c61f766e90c81aa64c49de55f76a4dd3490d37d5d2b5
Instruction ID: dc7f400e627318513f417243f1d98f69d6fa732f27382ff30e420bd069cf6450
Opcode Fuzzy Hash: 922ff8acbabc61dfa626c61f766e90c81aa64c49de55f76a4dd3490d37d5d2b5
Instruction Fuzzy Hash: 5A217931A04204AFDB10AFA8DC89DAA77EDFB09760B148125F915CF295EA74DC41EB64

Function 00FE04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FE04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE052E

Strings

nul, xrefs: 00FE0567

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dcb0c5b5fdea74dc84cbc8255caee90d2e703a16dd1fa75e881e55e04d1268e6
Instruction ID: 1dfa1a26e78eafbffde50ded7d40f4258f150c7c98583fac4b46337d4fd2e428
Opcode Fuzzy Hash: dcb0c5b5fdea74dc84cbc8255caee90d2e703a16dd1fa75e881e55e04d1268e6
Instruction Fuzzy Hash: 1F217F75900345AFDB209F2AD844A9A77B4AF45734F684A19F8E1D72E0DBB1D980EF20

Function 00FE05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FE05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE0601

Strings

nul, xrefs: 00FE0639

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 87f1bdc670141ac253fba4ca9b7267cc0113b3544053089d064b3b4e9b25c3b6
Instruction ID: 93a3e9c9c25978ec4d437f196a98bc6806d40aa54797f663e755f73825b0bbb6
Opcode Fuzzy Hash: 87f1bdc670141ac253fba4ca9b7267cc0113b3544053089d064b3b4e9b25c3b6
Instruction Fuzzy Hash: 55217F75900345ABDB209F6A9804B9A77A8AF95730F240B19F8A1E72D0DBB199A0DB10

Function 010040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
Part of subcall function 00F7600E: GetStockObject.GDI32(00000011), ref: 00F76060
Part of subcall function 00F7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01004112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0100411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0100412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01004139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01004145

Strings

Msctls_Progress32, xrefs: 010040E3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 24bb0f733d86cccb0fea96637661f19471d49541486779d9f7c057873dfd57f0
Instruction ID: 22fa392db801fb3e31aa2b948ce5dfbf24684fdabe754b534e288ab22cb7239d
Opcode Fuzzy Hash: 24bb0f733d86cccb0fea96637661f19471d49541486779d9f7c057873dfd57f0
Instruction Fuzzy Hash: 401163B215011DBEFF219E64CC85EE77F9DEF08798F014111B758E6190C6769C21DBA4

Function 00FAD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FAD7A3: _free.LIBCMT ref: 00FAD7CC

_free.LIBCMT ref: 00FAD82D

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FAD838
_free.LIBCMT ref: 00FAD843
_free.LIBCMT ref: 00FAD897
_free.LIBCMT ref: 00FAD8A2
_free.LIBCMT ref: 00FAD8AD
_free.LIBCMT ref: 00FAD8B8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: face4f0b9c2a7331b0bc2139d5726cdae5f7e6d3148ac01587aa06b6b15a2ad6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 251181B1650B04AAD569BFB4CC07FCB7BEC6F06700F400825B29AA68A2DA2CB5057651

Function 00FDDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FDDA74
LoadStringW.USER32(00000000), ref: 00FDDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FDDA91
LoadStringW.USER32(00000000), ref: 00FDDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FDDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FDDAB9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c19ef07ed528b9f486d305a55d0d633cdca0807eef1ee821e9431bc54a0e577a
Instruction ID: 950fa0b0d05637f7a7e56c91cf8b4b605a1f8b879fff37a01d449a23fe602cf3
Opcode Fuzzy Hash: c19ef07ed528b9f486d305a55d0d633cdca0807eef1ee821e9431bc54a0e577a
Instruction Fuzzy Hash: 7F0167F69002087FF72197A4DE89EE7326CE708301F444596B746E6041E6799E844B74

Function 00FE096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015CE518,015CE518), ref: 00FE097B
EnterCriticalSection.KERNEL32(015CE4F8,00000000), ref: 00FE098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FE099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FE09A9
CloseHandle.KERNEL32(?), ref: 00FE09B8
InterlockedExchange.KERNEL32(015CE518,000001F6), ref: 00FE09C8
LeaveCriticalSection.KERNEL32(015CE4F8), ref: 00FE09CF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 76a4ca00a1d2ea3db5ca538204f4d63f468130460fb198cbcfa920bcbcc89c5d
Instruction ID: 2cfe3fcd5dd98faeced790f0244c9cd9712807f89f8f218289ee931e80f8291a
Opcode Fuzzy Hash: 76a4ca00a1d2ea3db5ca538204f4d63f468130460fb198cbcfa920bcbcc89c5d
Instruction Fuzzy Hash: F2F03131446502BBE7625F94EF8CBDA7B35FF01712F401255F14150C95CB7A9465DF90

Function 00FF1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FF1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FF1DE1
WSAGetLastError.WSOCK32 ref: 00FF1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00FF1EDB
inet_ntoa.WSOCK32(?), ref: 00FF1E8C

Part of subcall function 00FD39E8: _strlen.LIBCMT ref: 00FD39F2

Part of subcall function 00FF3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FEEC0C), ref: 00FF3240

_strlen.LIBCMT ref: 00FF1F35

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 487b419a3e6371d38309be023f942b6348af9816c6f2114554a630b6d5fd88f0
Instruction ID: 69d2db3a39f5d7709ff675c7c52dbd097d68adbf98bfdb6bc5d2afe29d3d3912
Opcode Fuzzy Hash: 487b419a3e6371d38309be023f942b6348af9816c6f2114554a630b6d5fd88f0
Instruction Fuzzy Hash: 5BB1EF31604304AFD324DF24C881E3A77A5BF84328F54854CF55A5B2E2DB75ED46DB92

Function 00F75D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F75D30
GetWindowRect.USER32(?,?), ref: 00F75D71
ScreenToClient.USER32(?,?), ref: 00F75D99
GetClientRect.USER32(?,?), ref: 00F75ED7
GetWindowRect.USER32(?,?), ref: 00F75EF8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3080e7ba8c444949fd7ca1c1f241e5297e51b3224c63125705980edd5f51fd15
Instruction ID: f5b810dd65c00a520567ec039d4a98b4284ed59a00684961ca35b94bb01802e4
Opcode Fuzzy Hash: 3080e7ba8c444949fd7ca1c1f241e5297e51b3224c63125705980edd5f51fd15
Instruction Fuzzy Hash: 20B17735A00A4ADBDB24CFA9C5807EEB7F1FF48310F14851AE8A9D7240DB34EA50EB51

Function 00FA01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FA00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA00D6
__allrem.LIBCMT ref: 00FA00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA010B
__allrem.LIBCMT ref: 00FA0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA0140

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 875f00bd53fbac653162221a050f72e10fb6e9d5395a3fbb0fc2787f8dbe9ead
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1381F8B2E007069BEB249F69DC41BAB73E9AF42334F24463AF551D7281EB74D904AB50

Function 00FA61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F982D9,00F982D9,?,?,?,00FA644F,00000001,00000001,8BE85006), ref: 00FA6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FA644F,00000001,00000001,8BE85006,?,?,?), ref: 00FA62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FA63D8
__freea.LIBCMT ref: 00FA63E5

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

__freea.LIBCMT ref: 00FA63EE
__freea.LIBCMT ref: 00FA6413

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0cab3d5464e35ccd64e8e1dca7f8dfa069193a21fb623a40e9f1da16efca66f9
Instruction ID: 9d39bf5a3580d015dced1cf6f531a1bb74506b00e5dab236e3a1b6f9a74b6dc4
Opcode Fuzzy Hash: 0cab3d5464e35ccd64e8e1dca7f8dfa069193a21fb623a40e9f1da16efca66f9
Instruction Fuzzy Hash: F151B1F2A10216AFEF258E64CC81FAF77A9EF46760F194629FC05D6240DB39DC41E660

Function 00FFBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FFBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FFBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FFBDF3
RegCloseKey.ADVAPI32(?), ref: 00FFBDFF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 82e1e3c7df44794529d825e428ee0052f4c48658ec0b2ebfe2c5d3f19dc1ba35
Instruction ID: 1013f33e08e34651d00a65867f5cf4b7d3f38ada482d82e1f3843768f6c73ebd
Opcode Fuzzy Hash: 82e1e3c7df44794529d825e428ee0052f4c48658ec0b2ebfe2c5d3f19dc1ba35
Instruction Fuzzy Hash: C381DF30208245EFD714DF24C881E2ABBE5FF84318F14895DF6994B2A2CB36ED05DB92

Function 00FCF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00FCF7B9
SysAllocString.OLEAUT32(00000001), ref: 00FCF860
VariantCopy.OLEAUT32(00FCFA64,00000000), ref: 00FCF889
VariantClear.OLEAUT32(00FCFA64), ref: 00FCF8AD
VariantCopy.OLEAUT32(00FCFA64,00000000), ref: 00FCF8B1
VariantClear.OLEAUT32(?), ref: 00FCF8BB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 918309126233ed5811ce2761f16859a6aad2a550711e6390120ed0c7f265ad2a
Instruction ID: 6f1255263067b942af0263bce9715e5308feb94b41400dadef26a24f0e0e2eef
Opcode Fuzzy Hash: 918309126233ed5811ce2761f16859a6aad2a550711e6390120ed0c7f265ad2a
Instruction Fuzzy Hash: E251E732600302ABDF24AB65DD86F29F3A6EF45310F24846BE905DF295DB788C48E757

Function 00FE910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FE94E5
_wcslen.LIBCMT ref: 00FE9506
_wcslen.LIBCMT ref: 00FE952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FE9585

Strings

X, xrefs: 00FE9412

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5180a742889dfac6b4de5842c5904abe6ed6ff5c652aa8913a7be0daccc9bdc5
Instruction ID: 27b96c5239ff3ca6dd397ff0d04e835a3e9e8dde0bd34dce7ebd6bb527551260
Opcode Fuzzy Hash: 5180a742889dfac6b4de5842c5904abe6ed6ff5c652aa8913a7be0daccc9bdc5
Instruction Fuzzy Hash: 3FE1E231908340DFD724EF25C881A6EB7E4BF85314F04896DF8899B2A2DB75DD05DBA2

Function 00F8920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

BeginPaint.USER32(?,?,?), ref: 00F89241
GetWindowRect.USER32(?,?), ref: 00F892A5
ScreenToClient.USER32(?,?), ref: 00F892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F892D3
EndPaint.USER32(?,?,?,?,?), ref: 00F89321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FC71EA

Part of subcall function 00F89339: BeginPath.GDI32(00000000), ref: 00F89357

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 291e3c42142696a6a7537c3fc3ae52ca19c5a4e7d794d450ab423c4727861299
Instruction ID: 6b9e1cb9acb2ed05129c335a91bd06b22aecf8f27f8235276b455b4be3e013f5
Opcode Fuzzy Hash: 291e3c42142696a6a7537c3fc3ae52ca19c5a4e7d794d450ab423c4727861299
Instruction Fuzzy Hash: 3341D275508301AFE721EF24C9C5FBA7BA8EB45320F18026DF9A4871E1C775A845EB61

Function 00FE07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FE080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FE0847
EnterCriticalSection.KERNEL32(?), ref: 00FE0863
LeaveCriticalSection.KERNEL32(?), ref: 00FE08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FE08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FE0921

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 69a4b667a250d1d47fab254c5016b0bf2955913c974c036fea74e0edf36ece09
Instruction ID: b657968f03bf87b4faaa0aefc96d61578f0e560e3c50451c452a698bd5b3166d
Opcode Fuzzy Hash: 69a4b667a250d1d47fab254c5016b0bf2955913c974c036fea74e0edf36ece09
Instruction Fuzzy Hash: 2141AB31900205EFEF15AF54DC85AAA77B8FF44310F1080A5ED049E28BDB75DEA4EBA0

Function 010081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FCF3AB,00000000,?,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 0100824C
EnableWindow.USER32(?,00000000), ref: 01008272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010082D1
ShowWindow.USER32(?,00000004), ref: 010082E5
EnableWindow.USER32(?,00000001), ref: 0100830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0100832F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f7bc8c589ce81397dd8e9f318079809843394b1e51b0ec4fa62a87ea84878c31
Instruction ID: 15f46d218684dde439395d7b9e1590d81b735dc62b62cd3ba532b8475fccb400
Opcode Fuzzy Hash: f7bc8c589ce81397dd8e9f318079809843394b1e51b0ec4fa62a87ea84878c31
Instruction Fuzzy Hash: B0417874A01644AFFF63CF19C989BE47BE1BB49714F1482E6E6984B1E2C7366441CB50

Function 00FD4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FD4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FD4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FD4CEA
_wcslen.LIBCMT ref: 00FD4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FD4D10
_wcsstr.LIBVCRUNTIME ref: 00FD4D1A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7376720168483da15971b07b02618599ce1e48a9917738d9e723e9a712a103e4
Instruction ID: 6567a3c8132b8b310c1dc613fdb66cffbb7c40e49e3b8bb9c6b787dd6816dd20
Opcode Fuzzy Hash: 7376720168483da15971b07b02618599ce1e48a9917738d9e723e9a712a103e4
Instruction Fuzzy Hash: 66212932604200BBFB255B39EC49E7B7B9EDF49760F14406AF805CA291DE75EC41A7A0

Function 00FE581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

_wcslen.LIBCMT ref: 00FE587B
CoInitialize.OLE32(00000000), ref: 00FE5995
CoCreateInstance.OLE32(0100FCF8,00000000,00000001,0100FB68,?), ref: 00FE59AE
CoUninitialize.OLE32 ref: 00FE59CC

Strings

.lnk, xrefs: 00FE5876, 00FE58C1, 00FE5985

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: adbf36234dd88e0c6e9e61ee9c57757441ce90e1cfa75a3423725de01c0f8f17
Instruction ID: e8265d7001a978237f3f62a8b3af83113432d21ca76925dba1e0031a8221de91
Opcode Fuzzy Hash: adbf36234dd88e0c6e9e61ee9c57757441ce90e1cfa75a3423725de01c0f8f17
Instruction Fuzzy Hash: C8D16671A047019FC714DF26C880A6EBBE1EF89B28F14885DF8899B361D735ED05DB92

Function 00FD175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD0FCA
Part of subcall function 00FD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD0FD6
Part of subcall function 00FD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD0FE5
Part of subcall function 00FD0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD0FEC
Part of subcall function 00FD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD1002

GetLengthSid.ADVAPI32(?,00000000,00FD1335), ref: 00FD17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FD17BA
HeapAlloc.KERNEL32(00000000), ref: 00FD17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FD17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FD1335), ref: 00FD17EE
HeapFree.KERNEL32(00000000), ref: 00FD17F5

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8ed9546e7745cc46cb4d3bc2d063e90b057f259cd5d36e340a2c7b1616c250a0
Instruction ID: 0aec23af78cf032b1899dce6e6e8e7b79ca7202041b66032662f1686ce62fdaf
Opcode Fuzzy Hash: 8ed9546e7745cc46cb4d3bc2d063e90b057f259cd5d36e340a2c7b1616c250a0
Instruction Fuzzy Hash: 0E11B131904205FFEB219FA4CD49BAF7BBAFB46365F184259F48197210C73A9940DB60

Function 00FD14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FD14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FD1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FD1515
CloseHandle.KERNEL32(00000004), ref: 00FD1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FD154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FD1563

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ead7f58096509ca616de8cb8f422039374500e253fd91189e2838e663fe7de9d
Instruction ID: 59fb18adcd4c8f95362f78dcb9af948e9275e8526352d1d1d3caadb3e098e792
Opcode Fuzzy Hash: ead7f58096509ca616de8cb8f422039374500e253fd91189e2838e663fe7de9d
Instruction Fuzzy Hash: AB112E72500209BBEF12CF94DE49BDE7BAAFF45754F084155FA45A2150C3768E60EB60

Function 00F93382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F93379,00F92FE5), ref: 00F93390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F9339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F933B7
SetLastError.KERNEL32(00000000,?,00F93379,00F92FE5), ref: 00F93409

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 055a04d9adf5b2ff5510432957bb520e7a4d42177497237d0a550bd57087bdc4
Instruction ID: f9e774cacd6e9e0a7c83e75b5981941be0037001fe851c121973d7dcc95b824c
Opcode Fuzzy Hash: 055a04d9adf5b2ff5510432957bb520e7a4d42177497237d0a550bd57087bdc4
Instruction Fuzzy Hash: D701D433A4D3117EFF3526797E89E677A98EB16779720032AF410D11E4EF1A4E017644

Function 00FA2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FA5686,00FB3CD6,?,00000000,?,00FA5B6A,?,?,?,?,?,00F9E6D1,?,01038A48), ref: 00FA2D78
_free.LIBCMT ref: 00FA2DAB
_free.LIBCMT ref: 00FA2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F9E6D1,?,01038A48,00000010,00F74F4A,?,?,00000000,00FB3CD6), ref: 00FA2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F9E6D1,?,01038A48,00000010,00F74F4A,?,?,00000000,00FB3CD6), ref: 00FA2DEC
_abort.LIBCMT ref: 00FA2DF2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2059b86a23c0b06681fd1d78a4b059819fd4b606a8a936f9591a0fc30b0d6170
Instruction ID: da1b6d8fac54bfc62405de4a0e98281147d1ab7448819801c113d090a29280c3
Opcode Fuzzy Hash: 2059b86a23c0b06681fd1d78a4b059819fd4b606a8a936f9591a0fc30b0d6170
Instruction Fuzzy Hash: 4AF0A9F6B0550027D2B2273DBD06B5F3669AFC37B1F250519F564D2186EE2D89017261

Function 01008A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896A2
Part of subcall function 00F89639: BeginPath.GDI32(?), ref: 00F896B9
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01008A4E
LineTo.GDI32(?,00000003,00000000), ref: 01008A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01008A70
LineTo.GDI32(?,00000000,00000003), ref: 01008A80
EndPath.GDI32(?), ref: 01008A90
StrokePath.GDI32(?), ref: 01008AA0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5328cb981fa3007a482c21710aeac79fab5be840671fbc08e7802085f6ccd4d2
Instruction ID: 785f7bdee3c03923f8301d044d1672bf4f00ab1e9fca52b83fa8f3e6c082b58d
Opcode Fuzzy Hash: 5328cb981fa3007a482c21710aeac79fab5be840671fbc08e7802085f6ccd4d2
Instruction Fuzzy Hash: B5110C76000108BFFB129F94DD88EAA7F6CEB05350F048151FA55951A4C7769D95DBA0

Function 00FD51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FD5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FD5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD5230
ReleaseDC.USER32(00000000,00000000), ref: 00FD5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FD524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FD5261

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: eb55254bc24553139b041549014c0ac1a39dd73b6469a88d39b72f37c4fb7da9
Instruction ID: cdb0ebd0e1a59a47bc785edf8e878d0c6e659deb3b58591c10beaa74dabf97e8
Opcode Fuzzy Hash: eb55254bc24553139b041549014c0ac1a39dd73b6469a88d39b72f37c4fb7da9
Instruction Fuzzy Hash: A401DF71E00708BBEB209BA58D49F4EBFB8EB48711F0441A6FA04A7280DA309804CBA0

Function 00F71BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F71BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F71BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F71C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F71C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F71C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F71C22

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 44dc974655a418a357fba09ed8523d66d38ba368d7523fa81f88f61f7b7b9156
Instruction ID: 0f00d610485aa39952ad29d63bc61a67e0eedbe187f2364b5261fc2687962739
Opcode Fuzzy Hash: 44dc974655a418a357fba09ed8523d66d38ba368d7523fa81f88f61f7b7b9156
Instruction Fuzzy Hash: AF016CB09027597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 00FDEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FDEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FDEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FDEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB75

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 64da21794c95c72087e831dd8fb354f69afe297be3302da42b070f6ff873853c
Instruction ID: eca31499da074591c5142e1f983178de999fe4633dae929ad4f556055d711980
Opcode Fuzzy Hash: 64da21794c95c72087e831dd8fb354f69afe297be3302da42b070f6ff873853c
Instruction Fuzzy Hash: A4F06D72140118BBE63257529D0DEEB3A7CEBCAB11F000299F641D108096A52A0187B4

Function 00FC7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00FC7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00FC7469
GetWindowDC.USER32(?), ref: 00FC7475
GetPixel.GDI32(00000000,?,?), ref: 00FC7484
ReleaseDC.USER32(?,00000000), ref: 00FC7496
GetSysColor.USER32(00000005), ref: 00FC74B0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 328a9120461832e2da7a8da8f037b059e25a410510ff7f684b7a9502654c934b
Instruction ID: beacb0c784e7fe70a02d2a2fcf01ff969f89a697f4a966b39f28b0941b8cc5f4
Opcode Fuzzy Hash: 328a9120461832e2da7a8da8f037b059e25a410510ff7f684b7a9502654c934b
Instruction Fuzzy Hash: 8401A231400205EFEB22AF64DE09FE97BB5FF08322F5402A4F955A2090CB361E41EF10

Function 00FD1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD187F
UnloadUserProfile.USERENV(?,?), ref: 00FD188B
CloseHandle.KERNEL32(?), ref: 00FD1894
CloseHandle.KERNEL32(?), ref: 00FD189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD18A5
HeapFree.KERNEL32(00000000), ref: 00FD18AC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f113b4a1108a3b178b8fa6a247f339e2894e6358eeaa1abd0d3202f7581da31
Instruction ID: 16ccf76d72c1008f6a39655d43eaf39f68dc81fe0a4a823ce80bba11c4784f7f
Opcode Fuzzy Hash: 9f113b4a1108a3b178b8fa6a247f339e2894e6358eeaa1abd0d3202f7581da31
Instruction Fuzzy Hash: 83E0E536004501BBEB125FA1EE0C94ABF39FF4AB22F108360F2A5810A8CB379420DB90

Function 00FDC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FDC6EE
_wcslen.LIBCMT ref: 00FDC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FDC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FDC7CA

Strings

0, xrefs: 00FDC6AF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 96710ddf63a7f92c2bc446905982bee2bbacb30e95aa2a0ac8d53e009bcd93be
Instruction ID: 346751c48a697b5b6d53c306e9bfda94af187c991600f56da8be1a196949fadf
Opcode Fuzzy Hash: 96710ddf63a7f92c2bc446905982bee2bbacb30e95aa2a0ac8d53e009bcd93be
Instruction Fuzzy Hash: CD51D171A043029BD715AF28C885B6B77E5AF89320F080A2EF995D33D1DB74DD44EB92

Function 00FFAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FFAEA3

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

GetProcessId.KERNEL32(00000000), ref: 00FFAF38
CloseHandle.KERNEL32(00000000), ref: 00FFAF67

Strings

<, xrefs: 00FFAE6B
@, xrefs: 00FFAE72

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6846ac49a2b02651b7f0ce7f021b136234510eab55651378eb62d64a16e53292
Instruction ID: 5d667503ee84ccda88359161d2dfa06a3debe136c4b0b00398beb72e4fb15146
Opcode Fuzzy Hash: 6846ac49a2b02651b7f0ce7f021b136234510eab55651378eb62d64a16e53292
Instruction Fuzzy Hash: 4D719171A00619DFCB14EF54C884AAEBBF4FF08310F048499E81AAB3A1C774ED41DB91

Function 00FD719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FD723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FD724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FD72CF

Strings

DllGetClassObject, xrefs: 00FD7242

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 93d940f8c17bbda69ea0023af19256c141a7326300ac554c8ca40493b1c32904
Instruction ID: c4f651ed7029844875a57ea84cb76ff22c1d9d55f65986c8d7485fc3d3359fb5
Opcode Fuzzy Hash: 93d940f8c17bbda69ea0023af19256c141a7326300ac554c8ca40493b1c32904
Instruction Fuzzy Hash: EF418271A04304EFDB15DF54C884A9A7BAAEF45321F18809EBD059F349E7B5D940EFA0

Function 01003D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01003E35
IsMenu.USER32(?), ref: 01003E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01003E92
DrawMenuBar.USER32 ref: 01003EA5

Strings

0, xrefs: 01003D89

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 48152ffa1f61bf193d4b049a0bf176707a04d55d2f54c3d84d6e163f3e41f836
Instruction ID: 0dfec17e23ab5291b8d21c0efdc2cc363269dcf58fd0cabbe560a3a4dc10fc05
Opcode Fuzzy Hash: 48152ffa1f61bf193d4b049a0bf176707a04d55d2f54c3d84d6e163f3e41f836
Instruction Fuzzy Hash: 21416A79A00249EFEB22DF54D884EAABBF5FF48350F0442A9E9859B2C0D735AD40CF51

Function 00FD1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FD1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FD1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FD1EA9

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Strings

ComboBox, xrefs: 00FD1DF0
ListBox, xrefs: 00FD1E25

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a02a7fdb69ee667536fd58743ac1ffd8943fa0735d014b64a76fcff331e6374e
Instruction ID: 1726533a7fcfef8eeb7e262d6ea8bdeeb0b0d4992162ca7ba3d58fe2d3858b05
Opcode Fuzzy Hash: a02a7fdb69ee667536fd58743ac1ffd8943fa0735d014b64a76fcff331e6374e
Instruction Fuzzy Hash: 32212971A00108BEEB15AB64DC46CFFB7BEEF45360F18411AF815A72D1DB78590AA720

Function 01002F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01002F8D
LoadLibraryW.KERNEL32(?), ref: 01002F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01002FA9
DestroyWindow.USER32(?), ref: 01002FB1

Strings

SysAnimate32, xrefs: 01002F68

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 144635c41d18fe54172a1f9ea79ae90556aedbff63716c0ffc37cbcb6857b4f9
Instruction ID: 6c65d5bc78d5bd9c721d61b682757be1d144fa84bc06d9b511b631f48d2fd430
Opcode Fuzzy Hash: 144635c41d18fe54172a1f9ea79ae90556aedbff63716c0ffc37cbcb6857b4f9
Instruction Fuzzy Hash: 5E219A71200209ABFB235F68DC88EBB77ADEB893A4F10426CFA90D61D5D771DC919760

Function 00F94D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F94D1E,00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002), ref: 00F94D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F94DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F94D1E,00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000), ref: 00F94DC3

Strings

CorExitProcess, xrefs: 00F94D98
mscoree.dll, xrefs: 00F94D86

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5142de51ebc26cb50c5a203db350c3c1677f363e8ffa3b3c82e2137a3d6202d2
Instruction ID: 5760b7d646245f2fdfde217eccf199daadb970bbbb8d2739a68825012f4c4675
Opcode Fuzzy Hash: 5142de51ebc26cb50c5a203db350c3c1677f363e8ffa3b3c82e2137a3d6202d2
Instruction Fuzzy Hash: AFF0A434900208BBFB219F90D909FEDBBB4EF05711F040199F845A2144DB395A41DB90

Function 00FCD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00FCD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FCD3BF
FreeLibrary.KERNEL32(00000000), ref: 00FCD3E5

Strings

X64, xrefs: 00FCD2A8
GetSystemWow64DirectoryW, xrefs: 00FCD3B9

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 3189b83c3905572d2f1a2de5d900d36ff9e3a7c9ce7364b1d1fc1a7c0cdb59d5
Instruction ID: 9e629583555510deb76f65dbc07922f025d93d4fa2240fdcf1a6a8fff2f8eba6
Opcode Fuzzy Hash: 3189b83c3905572d2f1a2de5d900d36ff9e3a7c9ce7364b1d1fc1a7c0cdb59d5
Instruction Fuzzy Hash: F6F05C72C066139BE73213108F65FDE7714AF52711F6482ADF486E1088D730CD44B782

Function 00F74E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F74EAE
FreeLibrary.KERNEL32(00000000,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F74EA8
kernel32.dll, xrefs: 00F74E94

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f03aaab8be4ffd0851d85251e001ac44bdbcae557ad28fed6ae892011def0b8
Instruction ID: 8d55afc07fd65f03b95b9297cbc8baf1a688d10d28ee6b4aae71c4dfcd040f94
Opcode Fuzzy Hash: 0f03aaab8be4ffd0851d85251e001ac44bdbcae557ad28fed6ae892011def0b8
Instruction Fuzzy Hash: F2E08636E025225BE23317256818AAB6558AF82B72F054256FC44D6144DB68DC0191A2

Function 00F74E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74E74
FreeLibrary.KERNEL32(00000000,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F74E6E
kernel32.dll, xrefs: 00F74E5B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7ef386abdb9ce6082eeccb1831ff25552bc1e78a67f0859260947cafb9009d2a
Instruction ID: 63fb50b8ed130bb886fcc428902f6c3177d559823339765a023f8b38b7c58f7a
Opcode Fuzzy Hash: 7ef386abdb9ce6082eeccb1831ff25552bc1e78a67f0859260947cafb9009d2a
Instruction Fuzzy Hash: 96D0C232902A215766331B256818ECB2A1CEF86B317054356B848E6108CF79CD1193D1

Function 00FE2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2C05
DeleteFileW.KERNEL32(?), ref: 00FE2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FE2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2CC0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ff4a431c44c74a07ebf1d81c129b7ce75ddbc6e8708953cb4ce9c9a8ade54129
Instruction ID: c22d77f191d9bf6f190edce2fecdb3a6b1b4fd22be0951d15f4c67a94851ac26
Opcode Fuzzy Hash: ff4a431c44c74a07ebf1d81c129b7ce75ddbc6e8708953cb4ce9c9a8ade54129
Instruction Fuzzy Hash: A1B17D72D00129ABDF21EFA5CC85EDEB7BDEF48310F1040A6F609E6141EB799A449F61

Function 00FFA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FFA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FFA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FFA468
CloseHandle.KERNEL32(?), ref: 00FFA63D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: eb92c8dc44825f116a5622d902f9558af9eb0b11c174ddbe77122e129a66135b
Instruction ID: d8b0bd46985a0bafd76069df1eb9993e77f6b3f19ddbd81e03b8af2617b9329d
Opcode Fuzzy Hash: eb92c8dc44825f116a5622d902f9558af9eb0b11c174ddbe77122e129a66135b
Instruction Fuzzy Hash: DAA192B16043009FD720DF24C886F2AB7E5AF44714F14885DF599DB392DBB5EC419B92

Function 00FABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01013700), ref: 00FABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0104121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01041270,000000FF,?,0000003F,00000000,?), ref: 00FABC36
_free.LIBCMT ref: 00FABB7F

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FABD4B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 871242678393f10658927c1da720cc756a999d996b222ccad55aacb1f3ae7fbb
Instruction ID: 0ee69ff96f2a5c7282025fa0b1c05ec8dca676d5e5ed285ca1e24441aa6bf6fb
Opcode Fuzzy Hash: 871242678393f10658927c1da720cc756a999d996b222ccad55aacb1f3ae7fbb
Instruction Fuzzy Hash: 95510BF1D00209AFDB20DF65DD819AEB7BCEF46370F10026AE450D7196EB355E40AB50

Function 00FDE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FDCF22,?), ref: 00FDDDFD

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FDCF22,?), ref: 00FDDE16

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FDE473
MoveFileW.KERNEL32(?,?), ref: 00FDE4AC
_wcslen.LIBCMT ref: 00FDE5EB
_wcslen.LIBCMT ref: 00FDE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FDE650

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 94c699a6597018d3e269ee007bb93a9fae8d8e6240c28e3bfea554ed061b4016
Instruction ID: 819c68b4c5538ce4ede4a14cc4a31c067833a785b7bc92aa3f55788ed3ebadfc
Opcode Fuzzy Hash: 94c699a6597018d3e269ee007bb93a9fae8d8e6240c28e3bfea554ed061b4016
Instruction Fuzzy Hash: DC51C3B24083455BDB24EBA0CC819DF73EDAF85350F04491FF589C7281EF78A2889766

Function 00FFB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FFBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FFBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FFBBB3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 51f00933ca8494390fbefbed88af9b660f80c81cc0b32a0d3b052b6525be6551
Instruction ID: 9e67faf64a2240072b90b1fc7e22429298573acfc4f438d2613062764dedd4ea
Opcode Fuzzy Hash: 51f00933ca8494390fbefbed88af9b660f80c81cc0b32a0d3b052b6525be6551
Instruction Fuzzy Hash: 9061D131208205AFD314DF14C890E3ABBE5FF84318F14899DF6998B2A2DB35ED45DB92

Function 00FD8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD8BCD
VariantClear.OLEAUT32 ref: 00FD8C3E
VariantClear.OLEAUT32 ref: 00FD8C9D
VariantClear.OLEAUT32(?), ref: 00FD8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FD8D3B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ace8d101f8475d68ad4874fadc0f4a94948f83ff5a105e878a5bda041d03ae5c
Instruction ID: 8756dc8c2f114f5a0e31a83ed2eca672bde1a767ba5011977ea44a75143357e8
Opcode Fuzzy Hash: ace8d101f8475d68ad4874fadc0f4a94948f83ff5a105e878a5bda041d03ae5c
Instruction Fuzzy Hash: A7518CB1A00219EFDB14CF18C884AAAB7F5FF89310F15855AE905DB354EB34E912CF90

Function 00FE8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FE8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FE8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FE8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FE8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FE8C5F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d4e6793dd5d190d41b628fab47f028e4e206fd76d0ad795d6d05ce57cf73aa5f
Instruction ID: 10cd4b5f52936add5e66d85492f325ce95bf11df653d5ee3380c52c3b4007c45
Opcode Fuzzy Hash: d4e6793dd5d190d41b628fab47f028e4e206fd76d0ad795d6d05ce57cf73aa5f
Instruction Fuzzy Hash: 7B515935A002149FCB11EF65C881AA9BBF1FF49314F18C099E84DAB362CB35ED51DB91

Function 00FF8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FF8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FF8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FF8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FF9032
FreeLibrary.KERNEL32(00000000), ref: 00FF9052

Part of subcall function 00F8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FE1043,?,75C0E610), ref: 00F8F6E6
Part of subcall function 00F8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FCFA64,00000000,00000000,?,?,00FE1043,?,75C0E610,?,00FCFA64), ref: 00F8F70D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 87c8d574fbb089c2adca7abea3b27f98f5fd16bfc8f53d4afe083fc8fddeb569
Instruction ID: 480ea236194b6d225a1abb7fd93d38f87217ca36efce291ae7b22535f0d113d7
Opcode Fuzzy Hash: 87c8d574fbb089c2adca7abea3b27f98f5fd16bfc8f53d4afe083fc8fddeb569
Instruction Fuzzy Hash: 4D516D35A04209DFC711DF64C4849ADBBF1FF49324F0881A9E90A9B362DB35ED86DB81

Function 01006B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01006C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01006C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01006C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FEAB79,00000000,00000000), ref: 01006C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01006CC7

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 114656c0fa900c8b04bfd07f15ccd690d8b0db91fb51a99e60e47f999aaf6d8d
Instruction ID: a730fcab719cb3277bc3aa733bf02a0e2f96df9f78dfbf203de31c7ca4a2a115
Opcode Fuzzy Hash: 114656c0fa900c8b04bfd07f15ccd690d8b0db91fb51a99e60e47f999aaf6d8d
Instruction Fuzzy Hash: 1841A175A04108AFF7268F6CCD54FB97FE6EB09350F0502A8E999A72D0C773AD61CA40

Function 00FA2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA20C3
_free.LIBCMT ref: 00FA20E3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0a53be6e3f17bab4be6e4d41622121f756c301a2faf1d4b4f67d08b1576d2e6e
Instruction ID: abb810ea5a626a259721faf8d6d7cc9ffb03d8e61f641f0846364081773b9223
Opcode Fuzzy Hash: 0a53be6e3f17bab4be6e4d41622121f756c301a2faf1d4b4f67d08b1576d2e6e
Instruction Fuzzy Hash: 7841D1B2F002009FDB24DF7CC880A5EB7B5EF8A324B158569E615EB351DB31AD01EB80

Function 00F8912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F89141
ScreenToClient.USER32(00000000,?), ref: 00F8915E
GetAsyncKeyState.USER32(00000001), ref: 00F89183
GetAsyncKeyState.USER32(00000002), ref: 00F8919D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ad9736e6c471fe5c97b5dcc8fb0acf53566ca1280db7400d2cca25a96edf3253
Instruction ID: 578a40af35938d357fd00968ee5f3877192fd5218f12fc12eb5c51d9ef752ada
Opcode Fuzzy Hash: ad9736e6c471fe5c97b5dcc8fb0acf53566ca1280db7400d2cca25a96edf3253
Instruction Fuzzy Hash: AF416C31A0C60BBBDF15AF64C848BFEB774FB05324F248259E469A22D0C7756990EF91

Function 00FE3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FE38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FE3922
TranslateMessage.USER32(?), ref: 00FE394B
DispatchMessageW.USER32(?), ref: 00FE3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE3966

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da9af2a497077070327769a4086e2d7a3e14b1ddf27ec37797d774879eb16b4c
Instruction ID: fa5576550b5182cb136be8cae316efe348824c0dd2f081b5e620e3af19a64eb1
Opcode Fuzzy Hash: da9af2a497077070327769a4086e2d7a3e14b1ddf27ec37797d774879eb16b4c
Instruction Fuzzy Hash: F331D9B5D043C5AFFB35CB36D54CBBA37A9AB05310F04055DE49283085D7BAAAC4EB21

Function 00FECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFF2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ce6acfafd40bd5e06b546306d9853f6b9efa97c2110a62bd545d85acb02e10b1
Instruction ID: d0ac822bb0b8a410e3c24ed59747134bf603bd1670289c92561b5eb40b1563b1
Opcode Fuzzy Hash: ce6acfafd40bd5e06b546306d9853f6b9efa97c2110a62bd545d85acb02e10b1
Instruction Fuzzy Hash: AC314171900285EFDB20DFA6C984AABBBF9EF14351B10446EF556D2140D734AE42ABA0

Function 00FD1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FD1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FD19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FD19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FD19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FD19E2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a0f09ca1cee4af09b90c260a5946213894b9544ab26d4d2254c5246a906895c4
Instruction ID: 04c69e8cf1f5153da6ef342f1b733fdc492b33a5e86f3b33609893e8fbc81f98
Opcode Fuzzy Hash: a0f09ca1cee4af09b90c260a5946213894b9544ab26d4d2254c5246a906895c4
Instruction Fuzzy Hash: 0231B172900219EFDB10CFA8C9A9ADE3BB6FB05325F144366F961A72C0C770AD54DB91

Function 01005706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01005745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0100579D
_wcslen.LIBCMT ref: 010057AF
_wcslen.LIBCMT ref: 010057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01005816

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9f7acd3a03c1bf2dedc13ee0ccf58b3417bea1eefc5cde4b441a1a04ffdbcfa1
Instruction ID: aeb87e4781478c1c60aada179fa18995999934ac2ed2fe869456cf120f81be52
Opcode Fuzzy Hash: 9f7acd3a03c1bf2dedc13ee0ccf58b3417bea1eefc5cde4b441a1a04ffdbcfa1
Instruction Fuzzy Hash: 1921A775900218AAFF228F64DC84EEE7BBCFF44324F004256EA99EA1C4D7749585CF50

Function 00FF0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FF0951
GetForegroundWindow.USER32 ref: 00FF0968
GetDC.USER32(00000000), ref: 00FF09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FF09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FF09E8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fb116aea55f270c6ea0a51ec3610d1f11b19f5c9f596e5c4d8265ed0c8895ec2
Instruction ID: b6602bb597ba6c1f10930401e80ad5ef8b02ff77976ff63b6202f202e2315074
Opcode Fuzzy Hash: fb116aea55f270c6ea0a51ec3610d1f11b19f5c9f596e5c4d8265ed0c8895ec2
Instruction Fuzzy Hash: 6A21A135600204AFE724EF65CD85EAEBBE5FF49700F048169F98A97352DB74AC04DB50

Function 00FACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FACDE9

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FACE0F
_free.LIBCMT ref: 00FACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FACE31

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: efa26ace971df03afdf0cc234ca61284b61307ae58458c8bf3b479a4e61e02e0
Instruction ID: 57ccc0b4b48e5235751ce993ce2eb181dbb60796395ec964da338378f45934b9
Opcode Fuzzy Hash: efa26ace971df03afdf0cc234ca61284b61307ae58458c8bf3b479a4e61e02e0
Instruction Fuzzy Hash: F501D4F2A022157F372217BA6CC8D7B7A6DDEC7FA17150229F905D7200EA658D01A2F0

Function 00F89639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
SelectObject.GDI32(?,00000000), ref: 00F896A2
BeginPath.GDI32(?), ref: 00F896B9
SelectObject.GDI32(?,00000000), ref: 00F896E2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ebfe6c86b04d8b990a987496287d87ddbed308456ba31ff16907484e18a30fd5
Instruction ID: 7d3bcdf7276fcdf07d41149335b6068ce6cb021af80d4ca1eb276e0e1bd356df
Opcode Fuzzy Hash: ebfe6c86b04d8b990a987496287d87ddbed308456ba31ff16907484e18a30fd5
Instruction Fuzzy Hash: AE2183B9815305EFDB21AF64DA447F93B64BB01325F140216F4A0A61D8E3BA6CD1DF90

Function 00FD5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FD5726
_memcmp.LIBVCRUNTIME ref: 00FD5744
_memcmp.LIBVCRUNTIME ref: 00FD5757
_memcmp.LIBVCRUNTIME ref: 00FD576F
_memcmp.LIBVCRUNTIME ref: 00FD5787

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aac60b59deba3aafaeb201e41a867cb4a37dbf3569d6010d10e0c109b81ed89d
Instruction ID: d9f401148042b637385c846895a502dfbe6513aa2d16459bf2cfa6f3c8a131de
Opcode Fuzzy Hash: aac60b59deba3aafaeb201e41a867cb4a37dbf3569d6010d10e0c109b81ed89d
Instruction Fuzzy Hash: 8101D662641A0EFBB71961115E42FBA735EAB21BA4F280026FE049E341F660ED10B6A0

Function 00FA2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6), ref: 00FA2DFD
_free.LIBCMT ref: 00FA2E32
_free.LIBCMT ref: 00FA2E59
SetLastError.KERNEL32(00000000,00F71129), ref: 00FA2E66
SetLastError.KERNEL32(00000000,00F71129), ref: 00FA2E6F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9c3e3c26ea454c4fc6fce032d260a259b15e50c0d162dc3a200a1ed9f294e988
Instruction ID: 9289e7cfdece77d2096e12155da0048788492d570bc826ffd1a49e7fd5e49e18
Opcode Fuzzy Hash: 9c3e3c26ea454c4fc6fce032d260a259b15e50c0d162dc3a200a1ed9f294e988
Instruction Fuzzy Hash: 000144F27046002BE663223D6CC6E2B366DABC33B0B240128F460E2186EB2DCC407220

Function 00FD000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?,?,00FD035E), ref: 00FD002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?), ref: 00FD0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0070

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 62f8c398666820fb165e46b0b27b46deb5d6219056dbcd95c39c0312066fd5f0
Instruction ID: be21078af6a8cf38f4a05942ceafa9718f81b686653ac35795dc66238873d5f5
Opcode Fuzzy Hash: 62f8c398666820fb165e46b0b27b46deb5d6219056dbcd95c39c0312066fd5f0
Instruction Fuzzy Hash: 6D01A772600205BFEB214F64DD08BAA7BEEEF44762F184155F945D2304DB75DE409760

Function 00FDE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FDE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FDE9A5
Sleep.KERNEL32(00000000), ref: 00FDE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FDE9B7
Sleep.KERNEL32 ref: 00FDE9F3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: aa66c6e022126bca4fc1e97970cd5db5de9af348ed8c077f38794f700b885a7d
Instruction ID: f94e0d8a58c69d93dffef7dfb9c5b1026e6ced71e27737e4e1cd2defe6ab7ddc
Opcode Fuzzy Hash: aa66c6e022126bca4fc1e97970cd5db5de9af348ed8c077f38794f700b885a7d
Instruction Fuzzy Hash: EE01C031C0252DDBDF10AFE4D9686DDBB79FF09300F040686E442B2244CB388540DBA2

Function 00FD10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6c56f8f8e2a68aeed4958d578cce54bdb8f45f3fb24ba489d878a194f97c1c65
Instruction ID: d48a4474b947c9fb004f1c229a2c5d355f737a1f06f4b2f2ba99464d9d882276
Opcode Fuzzy Hash: 6c56f8f8e2a68aeed4958d578cce54bdb8f45f3fb24ba489d878a194f97c1c65
Instruction Fuzzy Hash: EB016D75500205BFEB224F64DD49A6A3B7EFF89360F240555FA85C3350DA36DD009B60

Function 00FD0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD1002

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e9d5aaa0aed2c39a044c00c5de77be117eccaf78e1081e44b84ec546fd10060c
Instruction ID: a2c98fd7e6a98cb8bc559c161e96ab8624390fcefad9a6c2d719a859fa558140
Opcode Fuzzy Hash: e9d5aaa0aed2c39a044c00c5de77be117eccaf78e1081e44b84ec546fd10060c
Instruction Fuzzy Hash: 7AF0A935200301BBEB225FA4AD4DF963BAEFF8A762F100555FA85C6284CA36DC409B60

Function 00FD1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1062

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c18fa4a00e5540720f3fb2e2c91be919606a15b6bb61898ad9ac6bc00f3998c2
Instruction ID: 4d5793ddbf8f8cbf23b6a1c420095c89c4e4bc225410be014c3179047e2a5c69
Opcode Fuzzy Hash: c18fa4a00e5540720f3fb2e2c91be919606a15b6bb61898ad9ac6bc00f3998c2
Instruction Fuzzy Hash: 2EF06D35200301BBEB226FA4ED4DF963BAEFF8A761F140555FA85C7240CA76D950CB60

Function 00FE030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0324
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0331
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE033E
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE034B
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0358
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0365

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 97a2b4c54bbe0de1772615a62b572e54c1dc20e6799e3b760cd8a78078904c6e
Instruction ID: 6b035ac674c66866fea60d133ed2ad4c38e085d3a36d7c178bfd8b8cd60f16a6
Opcode Fuzzy Hash: 97a2b4c54bbe0de1772615a62b572e54c1dc20e6799e3b760cd8a78078904c6e
Instruction Fuzzy Hash: 7101A272800B559FC7309F66D880412F7F5BF503253158A3FD19652931C7B1A994DF80

Function 00FAD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FAD752

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FAD764
_free.LIBCMT ref: 00FAD776
_free.LIBCMT ref: 00FAD788
_free.LIBCMT ref: 00FAD79A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98658c967f0d1d8cbfcf64643ad29bb9faed1dffa6a9a459ce17ea4a56c962e7
Instruction ID: ea6a1a60340a4781085dcf1aa51d994fa8e3b8beb23a3a5ff8a91e9e1dd236f7
Opcode Fuzzy Hash: 98658c967f0d1d8cbfcf64643ad29bb9faed1dffa6a9a459ce17ea4a56c962e7
Instruction Fuzzy Hash: CCF068B2A04208AF86A9EB5CF9C5C1777EDBB0A7307950C0AF045E7905C739FC806761

Function 00FD5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FD5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FD5C6F
MessageBeep.USER32(00000000), ref: 00FD5C87
KillTimer.USER32(?,0000040A), ref: 00FD5CA3
EndDialog.USER32(?,00000001), ref: 00FD5CBD

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 76d35c84711cb792f1618d148083a6abb2fafd9d279fc45fb47ab349510b2c2d
Instruction ID: 86f2e48ca7073fcac537571b454bbcf1bc40ac1c3fb2990928a1783ade93aca4
Opcode Fuzzy Hash: 76d35c84711cb792f1618d148083a6abb2fafd9d279fc45fb47ab349510b2c2d
Instruction Fuzzy Hash: 7D01D630500B04ABFB315B20DE4EFA67BB9BB04B05F08029AA583A11D1DBF5A9849B90

Function 00FA22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA22BE

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FA22D0
_free.LIBCMT ref: 00FA22E3
_free.LIBCMT ref: 00FA22F4
_free.LIBCMT ref: 00FA2305

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a804bdbc041a07db44c8504927db21d2376b9822d263b3f175a6f8e9a0534186
Instruction ID: f68ff30760bfe0341dd3c0b53a449ebbfb7064e8177acfac7421f53fd99bb1ec
Opcode Fuzzy Hash: a804bdbc041a07db44c8504927db21d2376b9822d263b3f175a6f8e9a0534186
Instruction Fuzzy Hash: F5F030F89002108F97A2AF6CFB818493BB8B71DB617000517F590E226DC73E1551BBE5

Function 00F895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F895D4
StrokeAndFillPath.GDI32(?,?,00FC71F7,00000000,?,?,?), ref: 00F895F0
SelectObject.GDI32(?,00000000), ref: 00F89603
DeleteObject.GDI32 ref: 00F89616
StrokePath.GDI32(?), ref: 00F89631

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3a527d19fbcad74ec723138f736b64c6beb37e81d43405d603f1c54d1e91e1d9
Instruction ID: 409f4298a4c5d5ef15f4887288fd97fb143b66307e2cc43d0dc2c282b1dc3638
Opcode Fuzzy Hash: 3a527d19fbcad74ec723138f736b64c6beb37e81d43405d603f1c54d1e91e1d9
Instruction Fuzzy Hash: 9AF03179409204DBD7369F55EA8C7B43B61A701332F088354F4A5550E8D77A5991DF20

Function 00FA0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FA10F9
__freea.LIBCMT ref: 00FA1117

Part of subcall function 00FA1537: _free.LIBCMT ref: 00FA154F

Strings

am/pm, xrefs: 00FA117A
a/p, xrefs: 00FA11DE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2ceb16fbce89444fe00da1d7f64b4bbe6f4a5648c5524373e8d2b4e70cc219ce
Instruction ID: 0e94a7fba2d51745b47ab6fcc3945a3395bebc7225e8c060936e6979abef67b3
Opcode Fuzzy Hash: 2ceb16fbce89444fe00da1d7f64b4bbe6f4a5648c5524373e8d2b4e70cc219ce
Instruction Fuzzy Hash: 51D103B6D00306DADF249F68C855BFAB7B5FF07320F2A4159E901AB650D3359D80EBA1

Function 00FF7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F90242: EnterCriticalSection.KERNEL32(0104070C,01041884,?,?,00F8198B,01042518,?,?,?,00F712F9,00000000), ref: 00F9024D
Part of subcall function 00F90242: LeaveCriticalSection.KERNEL32(0104070C,?,00F8198B,01042518,?,?,?,00F712F9,00000000), ref: 00F9028A

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00F900A3: __onexit.LIBCMT ref: 00F900A9

__Init_thread_footer.LIBCMT ref: 00FF7BFB

Part of subcall function 00F901F8: EnterCriticalSection.KERNEL32(0104070C,?,?,00F88747,01042514), ref: 00F90202
Part of subcall function 00F901F8: LeaveCriticalSection.KERNEL32(0104070C,?,00F88747,01042514), ref: 00F90235

Strings

Variable must be of type 'Object'., xrefs: 00FF7C3A
G, xrefs: 00FF7C7F
5, xrefs: 00FF7C78

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6494bc421b3383b0407bb40ce1ce6e7519ca45ab47832e12305bfce908513857
Instruction ID: 0b98bba330d4e16885ed71f64e2115da8e2e9e1244bd8a693beba60eaab8b289
Opcode Fuzzy Hash: 6494bc421b3383b0407bb40ce1ce6e7519ca45ab47832e12305bfce908513857
Instruction Fuzzy Hash: BA919971A04209EFCB04EF54D891DBDB7B1FF48310F548099FA46AB2A2DB35AE41EB51

Function 00FD2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD21D0,?,?,00000034,00000800,?,00000034), ref: 00FDB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FD2760

Part of subcall function 00FDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FDB3F8

Part of subcall function 00FDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FDB355
Part of subcall function 00FDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FD2194,00000034,?,?,00001004,00000000,00000000), ref: 00FDB365
Part of subcall function 00FDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FD2194,00000034,?,?,00001004,00000000,00000000), ref: 00FDB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD281A

Strings

@, xrefs: 00FD2832

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a0e303100630ead9f1042d03c338d9eaabe2dfc77581d69af472e813d7df963c
Instruction ID: b29a60b84002531a418d933098b958f8c3318a1dc2f5f3e5794c679a71824e14
Opcode Fuzzy Hash: a0e303100630ead9f1042d03c338d9eaabe2dfc77581d69af472e813d7df963c
Instruction Fuzzy Hash: 7E414D72D00218AFDB21DFA4CD45ADEBBB9EF09300F044096FA55B7281DB746E45EBA1

Function 00FA172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FA1769
_free.LIBCMT ref: 00FA1834
_free.LIBCMT ref: 00FA183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FA1760, 00FA1767, 00FA1796, 00FA17CE

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 6a5873d51385ae64d45f50bc5972e35f1425d8ccfa9b5757acd861fef193188f
Instruction ID: e990fc65fdabeba8272a572ac98ba61b28293e00eedf3bf07b36a5dedcba1812
Opcode Fuzzy Hash: 6a5873d51385ae64d45f50bc5972e35f1425d8ccfa9b5757acd861fef193188f
Instruction Fuzzy Hash: CC3181F5E00218AFDB21DB99D981D9EBBBCFB86320F154166F404D7201D6749A40EB90

Function 00FDC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FDC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FDC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01041990,015C52F0), ref: 00FDC395

Strings

0, xrefs: 00FDC2DF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c224ba3dd41f34d1cb69664de53a5b0d092a5fd51e53d621cff3bf54c47df992
Instruction ID: 9b7c37c5cededcf53078d46c1329360702125211243da1fd43f5cf55008faaf7
Opcode Fuzzy Hash: c224ba3dd41f34d1cb69664de53a5b0d092a5fd51e53d621cff3bf54c47df992
Instruction Fuzzy Hash: 4841C3316043429FDB20DF29DC84B1ABBE5AF85320F08865EF9A5973C1C774E904DB92

Function 01004416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0100CC08,00000000,?,?,?,?), ref: 010044AA
GetWindowLongW.USER32 ref: 010044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010044D7

Strings

SysTreeView32, xrefs: 0100447C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 56e4f76d36b78ad8e6858296577335389d0d7594ea61c4d468940b3fb3d74816
Instruction ID: 8c0330e0328891f9e68f579a6c77c17fcbb9fadee2de2bef7f804d6a26a314da
Opcode Fuzzy Hash: 56e4f76d36b78ad8e6858296577335389d0d7594ea61c4d468940b3fb3d74816
Instruction Fuzzy Hash: E931DE31200205AFEB629E38DC45BEA7BA9EB08334F214315FAB5D21D1DB75E8509750

Function 00FF304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FF3077,?,?), ref: 00FF3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
_wcslen.LIBCMT ref: 00FF309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FF3106

Strings

255.255.255.255, xrefs: 00FF3095, 00FF309A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fa837f3ae910f7329771ba9920da8a77fc7b7f4e6e309c4a35fc4fe2f87057a6
Instruction ID: eb76a87a586cee724f3727b6059a042498fa01795992b3873e7aa7125fca98bf
Opcode Fuzzy Hash: fa837f3ae910f7329771ba9920da8a77fc7b7f4e6e309c4a35fc4fe2f87057a6
Instruction Fuzzy Hash: 82310735A042099FDB20CF28C585E7A77E0EF14328F24805AEA158B3A2DB76EF45D761

Function 01003EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01003F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01003F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01003F78

Strings

SysMonthCal32, xrefs: 01003F0B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 847faafba3bddafa8d3352d6a446e422d73533c250687a556d2548efb5ab52ad
Instruction ID: 3a61e5c5cb1c7ccc7d5dad732a6e7e7a274c6aece2049d0856f529ae004bcbc1
Opcode Fuzzy Hash: 847faafba3bddafa8d3352d6a446e422d73533c250687a556d2548efb5ab52ad
Instruction Fuzzy Hash: A0218032600219BFEF239F54CC46FEA3BB9FB48714F110259FA95AB1C0D6B5A8508B90

Function 01004653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01004705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01004713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0100471A

Strings

msctls_updown32, xrefs: 01004684

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 728a2678d7c35ec9bb4b60921516aa36582bc25bd92545d05978928fbe117480
Instruction ID: 44a9bcc7e2efd8d74344bffef564d1c2d5cf18305014a6e6cd8e8b48715fa6e6
Opcode Fuzzy Hash: 728a2678d7c35ec9bb4b60921516aa36582bc25bd92545d05978928fbe117480
Instruction Fuzzy Hash: 05217FB5600209AFEB12DF68DCC1DA637EDEB4A394F000099F644DB291CA75EC51DB60

Function 00FD95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD961D

Strings

#requireadmin, xrefs: 00FD95D9
#notrayicon, xrefs: 00FD95B7
#OnAutoItStartRegister, xrefs: 00FD95F3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 31ba0904b41a987760b654914b4359aa0229b1820f86d786a6eaf5ee280b0913
Instruction ID: 4bd62043e99e375feeed7ce4bf39c4d11414823092d90ab1ceb2e669cc088c06
Opcode Fuzzy Hash: 31ba0904b41a987760b654914b4359aa0229b1820f86d786a6eaf5ee280b0913
Instruction Fuzzy Hash: 4E21493250C61166D732BAA4DC02FAB73D99F51320F08402BF94997241EBD8ED52F391

Function 010037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01003840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01003850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01003876

Strings

Listbox, xrefs: 0100380F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0c4e6dc41a2e8067314e674677b6248af417b8833f60bd106582fd735da181a2
Instruction ID: f5a4cb5976d6f49e95bc1568e12104c55a70202e567cc3217b59274c211b718c
Opcode Fuzzy Hash: 0c4e6dc41a2e8067314e674677b6248af417b8833f60bd106582fd735da181a2
Instruction Fuzzy Hash: 38218372610218BFFB238F58CC45EAB37AEFF89750F108154F9849B190C675DC5187A0

Function 00FE49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FE4A5C
SetErrorMode.KERNEL32(00000000,?,?,0100CC08), ref: 00FE4AD0

Strings

%lu, xrefs: 00FE4A6F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: aefd9950770a92c873ecaf1a9cc270a4c2feeaf52c613107eb3d1ac2b8450c8e
Instruction ID: 3fe8953729b0c0a5d170f0c17760e0b2b37390e1193f9a37c0aa83945d81ab81
Opcode Fuzzy Hash: aefd9950770a92c873ecaf1a9cc270a4c2feeaf52c613107eb3d1ac2b8450c8e
Instruction Fuzzy Hash: BB317171A00109AFDB11DF54C985EAA7BF8EF08318F1480A9F809DB252D775EE45DB62

Function 010041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0100424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01004264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01004271

Strings

msctls_trackbar32, xrefs: 01004226

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 293e05be90c267669ac031e78a449b1c6c02117bba22564c3b3c31b118b133b1
Instruction ID: f1cdfcf4a943d8e4b2aaa8f2a71152753095c1bacaad92aaab08748b86947aea
Opcode Fuzzy Hash: 293e05be90c267669ac031e78a449b1c6c02117bba22564c3b3c31b118b133b1
Instruction Fuzzy Hash: CC11E371340208BEFF225E29CC05FAB3BACEF85B54F010128FA95E60D0D671E8619B24

Function 00FD2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Part of subcall function 00FD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FD2DC5
Part of subcall function 00FD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD2DD6
Part of subcall function 00FD2DA7: GetCurrentThreadId.KERNEL32 ref: 00FD2DDD
Part of subcall function 00FD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FD2DE4

GetFocus.USER32 ref: 00FD2F78

Part of subcall function 00FD2DEE: GetParent.USER32(00000000), ref: 00FD2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FD2FC3
EnumChildWindows.USER32(?,00FD303B), ref: 00FD2FEB

Strings

%s%d, xrefs: 00FD2FFF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52de9aa77d74ccba596a245d5d3286db10b98ca7be9d97a077be484c59546e35
Instruction ID: fa2b98aae2dafbeddc2a00a751d14e6a44b5bb5f8e974fe9b29e3e74a3e02e07
Opcode Fuzzy Hash: 52de9aa77d74ccba596a245d5d3286db10b98ca7be9d97a077be484c59546e35
Instruction Fuzzy Hash: E011E7716002056BDF517F748C85EED376BAF94308F088076F909DB243DE359A09AB61

Function 01005882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010058EE
DrawMenuBar.USER32(?), ref: 010058FD

Strings

0, xrefs: 0100588F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 45447ae6ca821a053321ef3eb0295f85a0c0beeeb1e4355207c3ed2211def2f5
Instruction ID: d5928c9ff00e0560823c49cd71a438f434933f593d1e68adf82660b9343923c1
Opcode Fuzzy Hash: 45447ae6ca821a053321ef3eb0295f85a0c0beeeb1e4355207c3ed2211def2f5
Instruction Fuzzy Hash: 11016D35500218EFEB629F15DC44BEFBBB4FB45361F0080D9E889D6191DB358A94DF21

Function 00FD007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d9c4f4e415cc846f00f14af734764dffb996f1c262b41f655f9897ebb8b52c
Instruction ID: c5af688bcba64f7ef1eb0b7bc9972f5bd618f558256252d08f3160c0a72b9df2
Opcode Fuzzy Hash: 06d9c4f4e415cc846f00f14af734764dffb996f1c262b41f655f9897ebb8b52c
Instruction Fuzzy Hash: D4C13975A00206EFDB14CFA4C894BAEB7B6FF48314F248599E505EB251DB31EE41DB90

Function 00FA3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FA3F0B
__alldvrm.LIBCMT ref: 00FA410C
__alldvrm.LIBCMT ref: 00FA412E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 98ebe8f85e1d9ea59570bce0ea2e2202dfb843ddbb982c6fb6bb8fa37d3311f6
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EEA18AB2D103869FDB16CF18CC917AEBBE4EFA3360F14416DE5858B281C2B8A941E750

Function 00FF342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FF3459
CoUninitialize.OLE32 ref: 00FF3463
VariantInit.OLEAUT32(?), ref: 00FF346E
VariantClear.OLEAUT32(?), ref: 00FF371B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6c715f62ee1f89a69e4d90b9d5f645afcdbc00db107f2dde368cb85755062e10
Instruction ID: 57457477db76bbd7f928f5a1c8f4fe86b8feaba0a7762c8bb11def222dc8e589
Opcode Fuzzy Hash: 6c715f62ee1f89a69e4d90b9d5f645afcdbc00db107f2dde368cb85755062e10
Instruction Fuzzy Hash: 1EA15D756043049FC710EF24C985A2AB7E5FF88724F18885DF9899B366DB34EE01DB52

Function 00FD0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD0608
CLSIDFromProgID.OLE32(?,?,00000000,0100CC40,000000FF,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD062D
_memcmp.LIBVCRUNTIME ref: 00FD064E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 950b514737d1284f03a982ffefdaa0741ee5673a6fa98fe1af5a7e4ebf5af083
Instruction ID: c1f1aed8d442fb59b1c646fcf24574d4c295a9353bf99e0a5b0353a3408d52cd
Opcode Fuzzy Hash: 950b514737d1284f03a982ffefdaa0741ee5673a6fa98fe1af5a7e4ebf5af083
Instruction Fuzzy Hash: B1812971A00109EFCB04DF94C984EEEB7BAFF89315F244599E506AB250DB71AE06DF60

Function 00FFA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FFA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FFA6BA

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FFA79C
CloseHandle.KERNEL32(00000000), ref: 00FFA7AB

Part of subcall function 00F8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FB3303,?), ref: 00F8CE8A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e3dc46989a92d3e11f56e0e9b6e8fd926d6bf663105f311424e36e30a5bb454d
Instruction ID: d81f62be1e8776cec2ecd923ab132ec7aa8b250028d20fc296ecdbd2a835f033
Opcode Fuzzy Hash: e3dc46989a92d3e11f56e0e9b6e8fd926d6bf663105f311424e36e30a5bb454d
Instruction Fuzzy Hash: F5512AB1508300AFD710EF24C886E6BBBE8FF89754F40891EF58997252EB75D904DB92

Function 00FB1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB14C0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab3a74a5a0ade93087449daf24ba1432d198c107036bd3913c4fdee4de0b1ffb
Instruction ID: 55241c1c6c82e594617560cc8eb1cfe64c4c81cb318100f3303f8afb718637c5
Opcode Fuzzy Hash: ab3a74a5a0ade93087449daf24ba1432d198c107036bd3913c4fdee4de0b1ffb
Instruction Fuzzy Hash: D6415C71A00100EBEF21EBBE8C557EE3AA4FF47370F644225F418D2181E67849457A71

Function 01006278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010062E2
ScreenToClient.USER32(?,?), ref: 01006315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01006382

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 99c08954493be958d2cff3672a224b657bbd9124e8b53d40df7b9b7c85675225
Instruction ID: 837a10455253fc9db243038a6336216d64555a8c0a0d28691245640179749689
Opcode Fuzzy Hash: 99c08954493be958d2cff3672a224b657bbd9124e8b53d40df7b9b7c85675225
Instruction Fuzzy Hash: 93515F74900209EFEB22CF58D9809AE7BF6FB45360F1081A9F995972D1D732E991CB90

Function 00FF1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FF1AFD
WSAGetLastError.WSOCK32 ref: 00FF1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FF1B8A
WSAGetLastError.WSOCK32 ref: 00FF1B94

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f187f7a41644a07e2aed15e05d4ee989f8e435f0a0f6a0862a5e2b1d9de1412c
Instruction ID: d5196cb3d761ae491a880cde0afe18a176ee51e38e965bd9a9f868c6ab1a9bec
Opcode Fuzzy Hash: f187f7a41644a07e2aed15e05d4ee989f8e435f0a0f6a0862a5e2b1d9de1412c
Instruction Fuzzy Hash: B241CE34640200AFE720AF20C886F6A77E5AF84718F54C488FA1A9F3D3D676ED419B91

Function 00FAB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82533b6c89854f6dc4c21b6722df8c4558eead9e0184b49739dc85c9138ed7fe
Instruction ID: 83eeedbd10384f0e6dc8c1b680114377032b6bb7e3a0e4739d58f632a13fa9ff
Opcode Fuzzy Hash: 82533b6c89854f6dc4c21b6722df8c4558eead9e0184b49739dc85c9138ed7fe
Instruction Fuzzy Hash: A741EAB5E00704AFD724DF78CC41BAA7BA9EB89720F10452EF551DB282D775A901A790

Function 00FE56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FE5783
GetLastError.KERNEL32(?,00000000), ref: 00FE57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FE57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FE57FA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 91084d7e46bcdbba9982cd26c4778b39f96946df4dee5de8146d7c6b1c77559b
Instruction ID: 03da5c9d78cbf9a3fd4633d61a2b2eaa3d22e60e39903e3d913bee9005ed6234
Opcode Fuzzy Hash: 91084d7e46bcdbba9982cd26c4778b39f96946df4dee5de8146d7c6b1c77559b
Instruction Fuzzy Hash: B0412F35600610DFCB11EF15C544A5DBBE2EF89724B19C489E84E9B366CB39FD40EB91

Function 00FAD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F96D71,00000000,00000000,00F982D9,?,00F982D9,?,00000001,00F96D71,8BE85006,00000001,00F982D9,00F982D9), ref: 00FAD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FAD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FAD9AB
__freea.LIBCMT ref: 00FAD9B4

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf127f76d38bb785635b1b04abcf2a443d994ef997dc532ee958a5446a7c8553
Instruction ID: 5786e6125cf59fc789c9caa0ddb18875e718b03e516f270aeeb0cdb929614f3c
Opcode Fuzzy Hash: bf127f76d38bb785635b1b04abcf2a443d994ef997dc532ee958a5446a7c8553
Instruction Fuzzy Hash: EC31D2B2A0020AABDF259F64DC45EEF7BA9EB46320F050168FC05D7150EB39CD54DB90

Function 010052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01005352
GetWindowLongW.USER32(?,000000F0), ref: 01005375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01005382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010053A8

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3e52c0b58980e4c56a13b0000ce0c3acd0120f4a72e6fd5910f389740c8af392
Instruction ID: c8b1e3979cd9276bcfdf224e8ea077bffe6ba146dde3643f30e3068cd6df9904
Opcode Fuzzy Hash: 3e52c0b58980e4c56a13b0000ce0c3acd0120f4a72e6fd5910f389740c8af392
Instruction Fuzzy Hash: D331C334A55608FFFB768E18CC46BE87BA5AB04310F48C181FBD0961D1C7B5A980DF42

Function 00FDAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00FDABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FDAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FDAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00FDACC6

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac5ba6898cdbe61769adbe401483ff2c998abdd1727639acf9703012b50dde95
Instruction ID: bba5e143b7aa8278764f6ba24374253002cee6fe98d360df11a0952949e5ac31
Opcode Fuzzy Hash: ac5ba6898cdbe61769adbe401483ff2c998abdd1727639acf9703012b50dde95
Instruction Fuzzy Hash: 6131F331E246186FEB358B648C047BA7AA7AB89330F0C431BE481523D0C379D981A75A

Function 01007674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0100769A
GetWindowRect.USER32(?,?), ref: 01007710
PtInRect.USER32(?,?,01008B89), ref: 01007720
MessageBeep.USER32(00000000), ref: 0100778C

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 024b50b7d09f3ba3ba24d8f352fed5fc19289b5c250ad92adf9371f4ffd1a026
Instruction ID: 5d7fcc78e712724448a0bb89ff7621c583859e15dbe8e5b0c85ce8a49cc996bb
Opcode Fuzzy Hash: 024b50b7d09f3ba3ba24d8f352fed5fc19289b5c250ad92adf9371f4ffd1a026
Instruction Fuzzy Hash: A9419F78601215EFEB53CF58C984EA97BF4BB48340F0441E8E9D89B295C779B981CF90

Function 010016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010016EB

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

GetCaretPos.USER32(?), ref: 010016FF
ClientToScreen.USER32(00000000,?), ref: 0100174C
GetForegroundWindow.USER32 ref: 01001752

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 14a7eaa7a50f47bdb7653cd4abee933a18024137e48b83ed99cade7ef3ed4c37
Instruction ID: ff958430acfc41ccc2ae1879cf11766e7b8aa1010fb17ed34926957e14c33d3c
Opcode Fuzzy Hash: 14a7eaa7a50f47bdb7653cd4abee933a18024137e48b83ed99cade7ef3ed4c37
Instruction Fuzzy Hash: A7318175D00208AFD700EFA9C881CAEBBF9FF48304B5080AAE459E7251D735DE41CBA1

Function 00FDDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

_wcslen.LIBCMT ref: 00FDDFCB
_wcslen.LIBCMT ref: 00FDDFE2
_wcslen.LIBCMT ref: 00FDE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FDE018

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d9394034c1775282f0ec5d06e486f37c47ee9bb2050b9c89410f274aa028cca8
Instruction ID: 55e4ca4ddc42533fc085040560995a6ab72eb44db6fc8beb759951675c02e271
Opcode Fuzzy Hash: d9394034c1775282f0ec5d06e486f37c47ee9bb2050b9c89410f274aa028cca8
Instruction Fuzzy Hash: 7621D171D00214AFDB21EFA8DD81BAEB7F8EF45720F144066E804BB345D6749E41DBA1

Function 01008FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

GetCursorPos.USER32(?), ref: 01009001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FC7711,?,?,?,?,?), ref: 01009016
GetCursorPos.USER32(?), ref: 0100905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FC7711,?,?,?), ref: 01009094

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 616e663027f1ed6d243483f767c122c8b40f3d573bbd0b0a6f9f934d3120a656
Instruction ID: 23e1fe7b5b7694c7f9db65177b5daf2e3d5c679cd9e54d8b0ca6fc628781a01c
Opcode Fuzzy Hash: 616e663027f1ed6d243483f767c122c8b40f3d573bbd0b0a6f9f934d3120a656
Instruction Fuzzy Hash: 24219435600114FFEB26CF58C898EFB7BF5EB49354F044195F58947192C7369990DB60

Function 00FDD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0100CB68), ref: 00FDD2FB
GetLastError.KERNEL32 ref: 00FDD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FDD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0100CB68), ref: 00FDD376

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4a07b6798d9917ba1a123b1bcd7f252657aa07cbb001688a97515ef0d8dcdd8a
Instruction ID: f6f60a8b6a4abf378c65ef38760f2e1b5919f9665b12a25ba054a567bc361992
Opcode Fuzzy Hash: 4a07b6798d9917ba1a123b1bcd7f252657aa07cbb001688a97515ef0d8dcdd8a
Instruction Fuzzy Hash: 1621A1709083019FC310DF28C98186E77E8EE56368F544A5EF499C7391D735D946EB93

Function 00FD1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD102A
Part of subcall function 00FD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1036
Part of subcall function 00FD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1045
Part of subcall function 00FD1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD104C
Part of subcall function 00FD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FD15BE
_memcmp.LIBVCRUNTIME ref: 00FD15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD1617
HeapFree.KERNEL32(00000000), ref: 00FD161E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a5b9b774010b3986d5fe92f7f738e1c7050b12dfcd745c74add591baad4883d4
Instruction ID: a469cb964033ce85e662f27a0d4832116fc4faad5e9413e2524a5e232cb799bd
Opcode Fuzzy Hash: a5b9b774010b3986d5fe92f7f738e1c7050b12dfcd745c74add591baad4883d4
Instruction Fuzzy Hash: C2219C32E00108BFEF10DFA4C944BEEB7B9FF40354F08445AE441A7240D735AA44EB50

Function 01002782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0100280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01002824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01002832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01002840

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1288b00e4b5064cc19596510916b51d452d3c036dfb8eb877a01c35d396bf8a5
Instruction ID: 36809456e6dc492ef13ad7a3a664b20fc8e804a6806a52a205259f06a9c60f87
Opcode Fuzzy Hash: 1288b00e4b5064cc19596510916b51d452d3c036dfb8eb877a01c35d396bf8a5
Instruction Fuzzy Hash: D1213635205111AFF712DB24C848FAA7B95BF46324F148298F45A8B6D2CB76ED82C7D0

Function 00FD78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FD790A,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?), ref: 00FD8D8C
Part of subcall function 00FD8D7D: lstrcpyW.KERNEL32(00000000,?,?,00FD790A,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD8DB2
Part of subcall function 00FD8D7D: lstrcmpiW.KERNEL32(00000000,?,00FD790A,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?), ref: 00FD8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD7923
lstrcpyW.KERNEL32(00000000,?,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD7984

Strings

cdecl, xrefs: 00FD797B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3794b5f70937e3fd23ee0fba744fc1383a365b7d948d813f6c550aaa26c603c0
Instruction ID: 3601cacaea3486d43c2fecb7192c6125aebc5ebeff82b79e407e24fe0a06e92d
Opcode Fuzzy Hash: 3794b5f70937e3fd23ee0fba744fc1383a365b7d948d813f6c550aaa26c603c0
Instruction Fuzzy Hash: 1411D23A200301ABDB256F35C855D7A77AAEF853A0B04402BE942CB394EB369811A761

Function 01007CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01007D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01007D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01007D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FEB7AD,00000000), ref: 01007D6B

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4af714d00c00019011eab8835c453a9fe878a91b7d25f8b3d7a118a7d025bcf2
Instruction ID: cc79852d6b620e634029bff21955efb4860e7068b76ed665d7f512792192e9d3
Opcode Fuzzy Hash: 4af714d00c00019011eab8835c453a9fe878a91b7d25f8b3d7a118a7d025bcf2
Instruction Fuzzy Hash: 0511D536205615AFFB229F2CCC04E663BE4AB45360F154365F9B5C71E0E739E950CB50

Function 01005660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010056BB
_wcslen.LIBCMT ref: 010056CD
_wcslen.LIBCMT ref: 010056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01005816

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 995e3d9081d52e0459344d57ea2b193531d2f0a8d2dd8cfdeabe445309b2d1c0
Instruction ID: 356c442e9b0bbe74d1da2a13a955f870a2f808aa9b9df96d44c31294234b1980
Opcode Fuzzy Hash: 995e3d9081d52e0459344d57ea2b193531d2f0a8d2dd8cfdeabe445309b2d1c0
Instruction Fuzzy Hash: 1B11E175A00208A6FF229F65DC84EEE3BACEF15364F00406AFA85D60C1EB749641CF60

Function 00FA1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07817875500aecd3d34826362d76bc831f6d768159341b275b71887c0a4fec8
Instruction ID: 144b8ef107e0a4d735a664bf62e0e65a152c1f3885afa69abb51c830b929dbe2
Opcode Fuzzy Hash: f07817875500aecd3d34826362d76bc831f6d768159341b275b71887c0a4fec8
Instruction Fuzzy Hash: FE01ADF260A6163EF66126786CC0F67762CEF837B8F320329F521A11C5DB659C047260

Function 00FD1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FD1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A8A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 684e6bf6b66134fbad88c262fca9995d6e2f9c9ac5e8e0694fc64fa82a209c23
Instruction ID: f79ac57be67116058ebffbd0a7fe92c07feac0d6e0b10df3bb09e749dbd416ab
Opcode Fuzzy Hash: 684e6bf6b66134fbad88c262fca9995d6e2f9c9ac5e8e0694fc64fa82a209c23
Instruction Fuzzy Hash: CA11393AD01219FFEB11DBA4CD85FADBB79FB08750F240092EA00B7290D6716E50EB94

Function 00FDE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FDE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FDE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FDE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FDE24D

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c5e0ab1a7beb025939680b2b9125979cdc7d34336d3c8f19c6203bd155af1d63
Instruction ID: 22c9394bb3425885ec973f97faffd93af2dc37d7cc1794c1c7a2f3658492a235
Opcode Fuzzy Hash: c5e0ab1a7beb025939680b2b9125979cdc7d34336d3c8f19c6203bd155af1d63
Instruction Fuzzy Hash: A2116BB6D04204BBD712AFA89D05A9F3FADAB45321F04835AF854D3380C2BADE0487A0

Function 00F9D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F9CFF9,00000000,00000004,00000000), ref: 00F9D218
GetLastError.KERNEL32 ref: 00F9D224
__dosmaperr.LIBCMT ref: 00F9D22B
ResumeThread.KERNEL32(00000000), ref: 00F9D249

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 04815d6c401db8e7b5eb483478efa46f60a074a9b04947785445098355bcbc3d
Instruction ID: 7333ec6f982fca2ec8c4b4d2b1a9dd512fd9dd72fbbc10481817f0b7fb21f48f
Opcode Fuzzy Hash: 04815d6c401db8e7b5eb483478efa46f60a074a9b04947785445098355bcbc3d
Instruction Fuzzy Hash: F201F536805204BBFF215BA5DC09BAE7B69DF82730F300359F925921D0CB75C945E7A1

Function 01009EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

GetClientRect.USER32(?,?), ref: 01009F31
GetCursorPos.USER32(?), ref: 01009F3B
ScreenToClient.USER32(?,?), ref: 01009F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01009F7A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7015cdc1eb7b739ab0b934cf0b9dbcbe71efe5fb4a870701a6d24b15278fce42
Instruction ID: fed28c481b256daa6fe755133120424fa0877914f36a16bcec145b5f53e66195
Opcode Fuzzy Hash: 7015cdc1eb7b739ab0b934cf0b9dbcbe71efe5fb4a870701a6d24b15278fce42
Instruction Fuzzy Hash: FF115E3550011AFBEB12DF58D9859FE77B8FB45315F000599F981E3181D735BA81CBA1

Function 00F7600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
GetStockObject.GDI32(00000011), ref: 00F76060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5a6199dacb8879fb5511180890a32abd7da22d29ac5af64380875826e0827f13
Instruction ID: 93e3c6934efc896630f2503ae1e08e14d33c82b2fbd9116cacb57b7777d01975
Opcode Fuzzy Hash: 5a6199dacb8879fb5511180890a32abd7da22d29ac5af64380875826e0827f13
Instruction Fuzzy Hash: 44116172501949BFEF224F94DD44EEA7B69FF0D364F044216FA1892150D736AC60EB91

Function 00F93B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F93B56

Part of subcall function 00F93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F93AD2
Part of subcall function 00F93AA3: ___AdjustPointer.LIBCMT ref: 00F93AED

_UnwindNestedFrames.LIBCMT ref: 00F93B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F93B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F93BA4

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7a068b8dc46bbdc34f6765c8a91d45bf0d80dd1a63a528ec6ec9d8c4b55ebf4c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3501ED32500149BBEF115E95CC46DEB7B69FF98768F044014FE4896121C736E962EBA0

Function 00FA3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F713C6,00000000,00000000,?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue), ref: 00FA30A5
GetLastError.KERNEL32(?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue,01012290,FlsSetValue,00000000,00000364,?,00FA2E46), ref: 00FA30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue,01012290,FlsSetValue,00000000), ref: 00FA30BF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 734ca7b06d919d802ee0fde86585e3b21e253742e84601b15f749e8338ab6f55
Instruction ID: 6e9277ac172a03c24cc240cbbc462c71e8dc95929522c709e1a96d63aa4e2bb3
Opcode Fuzzy Hash: 734ca7b06d919d802ee0fde86585e3b21e253742e84601b15f749e8338ab6f55
Instruction Fuzzy Hash: C5012BB6705222ABDB314A799C44A577B98AF07BB5F208720F945E3184C736DA01D7E0

Function 00FD7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FD747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FD7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FD74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FD74CA

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 73df0c53292355c01b5f9d9fa7b637645191ed2d753cf4ad1abc8cb5ec8c24ce
Instruction ID: ae9b0619df6e2bd10679f0cfd209437e3fa85657667c6fb5377f0db622e91cdc
Opcode Fuzzy Hash: 73df0c53292355c01b5f9d9fa7b637645191ed2d753cf4ad1abc8cb5ec8c24ce
Instruction Fuzzy Hash: 9C11A1B1205310DBF732DF14DD08B92BBFDEB01B00F1486AAA656DA281E775E904EB50

Function 00FDB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB126

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ca85e6e6a270b12b2f955ae8a9c33af62bc35985a7b8ae3658adf1aa521afb4e
Instruction ID: 4dfd7ead927cff8416b545fc664ead0e2c811019a4aba90f37dc9a5238d21a4b
Opcode Fuzzy Hash: ca85e6e6a270b12b2f955ae8a9c33af62bc35985a7b8ae3658adf1aa521afb4e
Instruction Fuzzy Hash: CE11AD31C0062CE7DF10AFE4E9597EEBF78FF0A310F064186D981B2284CB348A509B91

Function 01007E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01007E33
ScreenToClient.USER32(?,?), ref: 01007E4B
ScreenToClient.USER32(?,?), ref: 01007E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007E8A

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3a134869db1c556c63852ccfaf3bb0f7af4705ca480d945e01723243ce07eafe
Instruction ID: e0b36260ec79960292280ab3de4fa6a0d5607fb9b8fe647f43dfaac301ec99c1
Opcode Fuzzy Hash: 3a134869db1c556c63852ccfaf3bb0f7af4705ca480d945e01723243ce07eafe
Instruction Fuzzy Hash: 8111B6B9D0020AAFDB51CF98C5849EEBBF5FF08310F004196E955E3210D735AA54CF50

Function 00FD2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FD2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD2DD6
GetCurrentThreadId.KERNEL32 ref: 00FD2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FD2DE4

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d995480d56506c075a8f1aaa37ce418d47a111821e8c9980e033f4e28d186943
Instruction ID: 40bcbda87d14c176003c92092e3c7d22bb5f64d146d4bdb3c077c237bab4445e
Opcode Fuzzy Hash: d995480d56506c075a8f1aaa37ce418d47a111821e8c9980e033f4e28d186943
Instruction Fuzzy Hash: 15E06D725052247AE7311B629D0DFEB3E6EEB5ABA1F040256B145D21809AAA9840D7F0

Function 01008863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896A2
Part of subcall function 00F89639: BeginPath.GDI32(?), ref: 00F896B9
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01008887
LineTo.GDI32(?,?,?), ref: 01008894
EndPath.GDI32(?), ref: 010088A4
StrokePath.GDI32(?), ref: 010088B2

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9895f60754fb9945d838db639f0a3afe117400de1b1e4008e8d04394df6430eb
Instruction ID: 7fce6ae9dbada65ceee151458a5c694590e7c517a8aa639cd289b00e2b7b3755
Opcode Fuzzy Hash: 9895f60754fb9945d838db639f0a3afe117400de1b1e4008e8d04394df6430eb
Instruction Fuzzy Hash: FFF09A3A001218BBFB236F94AD09FCA3E59AF06310F048280FB81610C1C3BA1650DBE5

Function 00F898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F898CC
SetTextColor.GDI32(?,?), ref: 00F898D6
SetBkMode.GDI32(?,00000001), ref: 00F898E9
GetStockObject.GDI32(00000005), ref: 00F898F1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 55941c6eaaba642c2f2e3e4bb2739f0a54ce5e0d27a7e31d479ed843427f6cd5
Instruction ID: 1522ea4e8a278f09fa29a1568a3845ed7f3bcdcea8eb9d6452d7d179e34fab6a
Opcode Fuzzy Hash: 55941c6eaaba642c2f2e3e4bb2739f0a54ce5e0d27a7e31d479ed843427f6cd5
Instruction Fuzzy Hash: A9E06531644280AEEB325B74A909BE83F10AB12336F088359F6F5540D4C37646509F10

Function 00FD162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FD1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FD11D9), ref: 00FD163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FD11D9), ref: 00FD1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FD11D9), ref: 00FD164F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 047fd42617c051aa0b35c24bc640b44959268dd6811867121cd14401e733af7c
Instruction ID: 3085d6c5fc2d487ea1ab859d40186b8068b2f89e5b69f157148e92cb7c035455
Opcode Fuzzy Hash: 047fd42617c051aa0b35c24bc640b44959268dd6811867121cd14401e733af7c
Instruction Fuzzy Hash: FFE08C32A02211ABF7311FA0AF0DB863B7DBF457A2F188989F285C9084E6398540CB60

Function 00FCD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FCD858
GetDC.USER32(00000000), ref: 00FCD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FCD882
ReleaseDC.USER32(?), ref: 00FCD8A3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cf6c862dc43348d6e22d70d99213306cfecb7666b253490d94382c09449c13b2
Instruction ID: 32dbc81a70fd6738a576e71c734d6a847f84e96c4c834af09ef8127a3b57a4d2
Opcode Fuzzy Hash: cf6c862dc43348d6e22d70d99213306cfecb7666b253490d94382c09449c13b2
Instruction Fuzzy Hash: E2E09275800205DFDF629FA0DA08B6DBBB5FB08311F148559F886E7244C73D5541AF51

Function 00FCD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FCD86C
GetDC.USER32(00000000), ref: 00FCD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FCD882
ReleaseDC.USER32(?), ref: 00FCD8A3

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 241a1c9e2f3e2aeaa609da5c01cff23986af955c5bdb4cc1b9f46e632b530290
Instruction ID: 004e28b050793e08ac782b2f3d486b2217b29662681f8ef28eebad4e1bcbff73
Opcode Fuzzy Hash: 241a1c9e2f3e2aeaa609da5c01cff23986af955c5bdb4cc1b9f46e632b530290
Instruction Fuzzy Hash: 02E09A75800204DFDF62AFA0D90866DBBB5BB08311F148589F98AE7244CB3D6A01AF50

Function 00FE4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FE4ED4

Strings

*, xrefs: 00FE4E10
LPT, xrefs: 00FE4DFB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0d8315c959fe0fb6712a17873ad267fd5f3f42317a78e90e01f32d9d8ad33c02
Instruction ID: 37ca9394c35ee3a49d71bf99c3adcde7138054c6a96fa5dd44f7a4a1b521db47
Opcode Fuzzy Hash: 0d8315c959fe0fb6712a17873ad267fd5f3f42317a78e90e01f32d9d8ad33c02
Instruction Fuzzy Hash: 95917F75A002849FCB14DF59C884EAABBF1BF44714F19809DE80A9F3A2C735ED85DB91

Function 00F9E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F9E30D

Strings

pow, xrefs: 00F9E2E5, 00F9E302

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4cddd74adbaae2c8aab69524e10063396ee8fe6f9c893f7a0de00b69d5f9305f
Instruction ID: 9cc57756f13a55ba9ebf622364ace94362c54d28e362074fcd9d038f931e6ffb
Opcode Fuzzy Hash: 4cddd74adbaae2c8aab69524e10063396ee8fe6f9c893f7a0de00b69d5f9305f
Instruction Fuzzy Hash: 1A5139B1E0C30296EF25B718CD41BBA7B94AB41760F344D68E0D582299EB398C95BB46

Function 00F8E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F8E1B1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e7d31c27b224976123559724dfc5da2e38c7b89f7af49a1e60a1e96e5e1ebc21
Instruction ID: d35b55f4f72c4fb5e1801389593f03cde2840500c1adf0193a5b7fa85ae4bd89
Opcode Fuzzy Hash: e7d31c27b224976123559724dfc5da2e38c7b89f7af49a1e60a1e96e5e1ebc21
Instruction Fuzzy Hash: 4351F375D04247DFDB25EF24C446BFA7BA4EF15320F248059ECA19B2C0D6349D52EB51

Function 00F8F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F8F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F8F2BB

Strings

@, xrefs: 00F8F2AF

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9cc8581f29783b200567a483a2bf99c6e3182e7f9b0fe6f1a5ed239f3985047a
Instruction ID: 8b7a9860776bcf7d913258c8149015e431d0698e787abf0cd170cd7fb5405532
Opcode Fuzzy Hash: 9cc8581f29783b200567a483a2bf99c6e3182e7f9b0fe6f1a5ed239f3985047a
Instruction Fuzzy Hash: 1D5145715187449BD320AF20DC86BAFBBF8FB85300F81885EF1D942195EB798529CB67

Function 00FF5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FF57E0
_wcslen.LIBCMT ref: 00FF57EC

Strings

CALLARGARRAY, xrefs: 00FF57E6, 00FF57EB

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 23c6bbe8dc99bf855aaaafa5081e37c7410c8184b253fa5cd20ea7ddd1c89320
Instruction ID: a5c9a82d193a62156fae1cad128ac9bf6a7ad548e603ec2bbf1d985e77a6ae38
Opcode Fuzzy Hash: 23c6bbe8dc99bf855aaaafa5081e37c7410c8184b253fa5cd20ea7ddd1c89320
Instruction Fuzzy Hash: 6E41A231E002099FCF14EFA9C8819FEBBB5FF59760F14416AE605A72A1E7349D81DB90

Function 00FED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FED13A

Strings

|, xrefs: 00FED10B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8bec652e2dac4d2ebdf4966c40fe7e4ed0b1673977bd8945a469faac35649ba5
Instruction ID: 4bcad5d0c73298461f5b47a6aa1709dff056dd02b05e81367fe6593b2beaf85c
Opcode Fuzzy Hash: 8bec652e2dac4d2ebdf4966c40fe7e4ed0b1673977bd8945a469faac35649ba5
Instruction Fuzzy Hash: 38317071D00209ABDF15EFA5CC85EEE7FB9FF04310F00401AF819A6161D739AA16EB65

Function 0100356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01003621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0100365C

Strings

static, xrefs: 010035BC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: df85d051637a3f655831997e653e5c8afec9a7f64fd8c7cfa895d517d1b73fe9
Instruction ID: 4fa93f4a6fa2588d788751673be21985f192f61787dd6c30223c7ac07e5fb2c3
Opcode Fuzzy Hash: df85d051637a3f655831997e653e5c8afec9a7f64fd8c7cfa895d517d1b73fe9
Instruction Fuzzy Hash: A3319071100604AEEB229F78DC80EFB73A9FF88720F10D61DF9A597290DB35A891D760

Function 01004537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0100461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01004634

Strings

', xrefs: 0100458E

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 637b98f32974a0916e8c550854363fe5f05e33914c06e43d7181d300e4f0a86e
Instruction ID: 819d687c4680a67521301343a05ed718b9bec3a96635e39dc266006e4ba490f7
Opcode Fuzzy Hash: 637b98f32974a0916e8c550854363fe5f05e33914c06e43d7181d300e4f0a86e
Instruction Fuzzy Hash: 0E312A74A012099FEB15CFA9C980BDA7BF5FF49300F104169EA44EB382E771A941CF94

Function 010031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0100327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01003287

Strings

Combobox, xrefs: 01003249

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3fa443c59bc3ba231a191af8661823d15e2c4c1ccccf8125b4598ec2bdec90a4
Instruction ID: f50bbf0986af1491a5eb3cc42246d798c76be8b78578934d88bc4e13bc7dfe1c
Opcode Fuzzy Hash: 3fa443c59bc3ba231a191af8661823d15e2c4c1ccccf8125b4598ec2bdec90a4
Instruction Fuzzy Hash: BA1190712002087FFF679E58DC81EBB3BAAFB88364F104129F9989B2D1D635AC51C760

Function 01003710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
Part of subcall function 00F7600E: GetStockObject.GDI32(00000011), ref: 00F76060
Part of subcall function 00F7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

GetWindowRect.USER32(00000000,?), ref: 0100377A
GetSysColor.USER32(00000012), ref: 01003794

Strings

static, xrefs: 01003757

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d9e97f8e4c6a6a5a173e7962add87e3b21ca7656c508abad699cef4f1d4944ec
Instruction ID: ebab4d635577515a207d2608fa05f173b37bcdaa0c55dbde543f1da25a422bb9
Opcode Fuzzy Hash: d9e97f8e4c6a6a5a173e7962add87e3b21ca7656c508abad699cef4f1d4944ec
Instruction Fuzzy Hash: 43112972610209AFEB12DFA8CD45AEA7BF8FB08314F004A59F995E6280D735E8519B50

Function 00FECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FECDA6

Strings

<local>, xrefs: 00FECD66

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1fba5bcd88a4c715fd672d0762899b5e9074333634294f4495bb0933a69837ad
Instruction ID: 8d5ff31322bca2fd147a7fe9ab31caa66c88de265cd8ee67cd445c9fcf466dae
Opcode Fuzzy Hash: 1fba5bcd88a4c715fd672d0762899b5e9074333634294f4495bb0933a69837ad
Instruction Fuzzy Hash: 7511C672605671BAD7344B678C45FE7BEACEF127B4F00422AB16983180D7769942E6F0

Function 01003429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010034BA

Strings

edit, xrefs: 0100348F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 771254573e772cc2c5f68f862a1f7d2307ded306ae5bc51f1a5f07e7728e4f13
Instruction ID: 08e488d4f4859879fe62c8a51847769adc11af26f2462b1a8e3f7fce7b0ffbab
Opcode Fuzzy Hash: 771254573e772cc2c5f68f862a1f7d2307ded306ae5bc51f1a5f07e7728e4f13
Instruction Fuzzy Hash: C1119D75100108AFFB634E68DC84AEA37AAFB05374F514364F9A09B1D4CB76EC919751

Function 00FD6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FD6CB6
_wcslen.LIBCMT ref: 00FD6CC2

Strings

STOP, xrefs: 00FD6CBC, 00FD6CC1

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f2ae4e1000e92087b950ac01d315761531d7e53c53dc0281659f59578fca1de0
Instruction ID: 9d7b422d072c4b757796834f3efea73feae0679439418307615efa1539df18d2
Opcode Fuzzy Hash: f2ae4e1000e92087b950ac01d315761531d7e53c53dc0281659f59578fca1de0
Instruction Fuzzy Hash: F6010432A145278ACB219FBDDC809BF33A6EB607207040526E852D3291EA35D800E750

Function 00FD1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FD1D4C

Strings

ComboBox, xrefs: 00FD1CEB
ListBox, xrefs: 00FD1D16

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c45ed8380546986b79672626cb988e8ef8b793762e382c4055bf9b659bc65b2
Instruction ID: 32b921ade12281ecdbcfddf23ebef3da3b407847d67376c65cf3cef0dad792e5
Opcode Fuzzy Hash: 6c45ed8380546986b79672626cb988e8ef8b793762e382c4055bf9b659bc65b2
Instruction Fuzzy Hash: D3014C31A00218BBCB18EBA0CC11DFE73AAFF56360B08060BF876573C1EB745908A761

Function 00FD1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FD1C46

Strings

ComboBox, xrefs: 00FD1BE5
ListBox, xrefs: 00FD1C10

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 57329b6da3525ce72f125774ec36afaab5196f409596a0cfb8c4174c13258041
Instruction ID: 5773a5e149bdb4a50068d058281b14abbe00297073d3d18c21767afefb412232
Opcode Fuzzy Hash: 57329b6da3525ce72f125774ec36afaab5196f409596a0cfb8c4174c13258041
Instruction Fuzzy Hash: 8801F771B9010476DF19EB90CE52EFF73ADAB11340F18001BA40667382EA649E08A6B2

Function 00FD1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FD1CC8

Strings

ComboBox, xrefs: 00FD1C69
ListBox, xrefs: 00FD1C94

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 311a6c3f93135a8fa50e3b88ed7e75c71d8c260fb232b974e586620664d4b880
Instruction ID: b543826255a3f20289527fcdce72c4f12afc6d1e8800fdf5cdbbb9655f9dd260
Opcode Fuzzy Hash: 311a6c3f93135a8fa50e3b88ed7e75c71d8c260fb232b974e586620664d4b880
Instruction Fuzzy Hash: AC01A271B9011876CB15EBA0CE02EFE73ADAB11340F58001BB84677381EA659F18A672

Function 00FD1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FD1DD3

Strings

ComboBox, xrefs: 00FD1D75
ListBox, xrefs: 00FD1DA0

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2e34f57a46e538ca2de9fafa9d9422da372cb838b8c17b617a213f822ee48ee6
Instruction ID: b4fe6598b57381ef51f3e81484a529064e990df9092568f11bfcb10485df1fe5
Opcode Fuzzy Hash: 2e34f57a46e538ca2de9fafa9d9422da372cb838b8c17b617a213f822ee48ee6
Instruction Fuzzy Hash: A4F0F471B5421876DB18E7A4CC52FFF73AEBB11350F08091BB866673C1DBB85908A662

Function 00FF747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF7493
_wcslen.LIBCMT ref: 00FF74B9

Strings

3, 3, 16, 1, xrefs: 00FF7483

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79cd15365bcacfb37c6cfc4ace4b53505d4e38d98a909c30d5a1b4f03ac6ab55
Instruction ID: 812c056f9b3d3673e251427164915d17d972511780d9e56904d3dcae215d10b2
Opcode Fuzzy Hash: 79cd15365bcacfb37c6cfc4ace4b53505d4e38d98a909c30d5a1b4f03ac6ab55
Instruction Fuzzy Hash: 0FE02B02A0432450A331327A9CC2D7FA689CFD9760710182FFA81C2276EA989D92B3A0

Function 00FD0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FD0B23

Strings

Error allocating memory., xrefs: 00FD0B1C
AutoIt, xrefs: 00FD0B17

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3a43ead7bb4e1d658fd733d2d3daf5b610889f48f1f45689db1410c32e6e70e2
Instruction ID: b1c7439045fdbaa3b894385452913a5594b09103065ecb16a0fcfee4c9047e1b
Opcode Fuzzy Hash: 3a43ead7bb4e1d658fd733d2d3daf5b610889f48f1f45689db1410c32e6e70e2
Instruction Fuzzy Hash: 51E0D8322443083AF2253755BD07FC97B848F05B61F10446BF7D8995C3CED6249027A9

Function 00F90D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F90D71,?,?,?,00F7100A), ref: 00F8F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F7100A), ref: 00F90D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F7100A), ref: 00F90D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F90D7F

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 67b3c62c7e0025ae3644f98d44680216cb54a677f9be923f46f03241b2d5fa4e
Instruction ID: ff8a14f2192c2fd5350c26510ae17c29b62b3381a03c5f3f39af66ce979d3735
Opcode Fuzzy Hash: 67b3c62c7e0025ae3644f98d44680216cb54a677f9be923f46f03241b2d5fa4e
Instruction Fuzzy Hash: 0BE06D742007418FF7319FB8D5087467BE4AF00B44F008A6EE8D6C6686DFB9E444AB91

Function 00FE3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FE302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FE3044

Strings

aut, xrefs: 00FE3038

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c00af5eeaa97bfe73b85c2c3c2fd28b6d26af8807a5333518f6f6db1ced89526
Instruction ID: 728e77f4f0db5f2ad6922830030272358d9f1039a01460832370744303aadb1d
Opcode Fuzzy Hash: c00af5eeaa97bfe73b85c2c3c2fd28b6d26af8807a5333518f6f6db1ced89526
Instruction Fuzzy Hash: 96D05E7250032877EA30A7A5AD0EFCB3A6CDB05650F0002A1B699D6085DAB59A84CBD0

Function 00FCD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FCD220

Strings

X64, xrefs: 00FCD2A8
%.3d, xrefs: 00FCD22B

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d1e98a4a7ba648848373851a64605c4305c1a4d1bd0d336f49a9cc2999db3197
Instruction ID: 21c792540a449d4b11f08d8348c879fa92408045d5a4255ff4f9d9cf04a5900a
Opcode Fuzzy Hash: d1e98a4a7ba648848373851a64605c4305c1a4d1bd0d336f49a9cc2999db3197
Instruction Fuzzy Hash: 05D012B2C0410AE9CB50A6D0CE47FFEB3BCEB49301F50847AF94AD2040D638C5487B61

Function 01002322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0100233F

Part of subcall function 00FDE97B: Sleep.KERNEL32 ref: 00FDE9F3

Strings

Shell_TrayWnd, xrefs: 01002325

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f269587e8e791cf540861c7ad4fb7449500b3192d9a257980c4501e80fbed986
Instruction ID: 8e8bbb5822f6de4255a9335bde037d51e18a81a92610a4b6310e1534aeaf9280
Opcode Fuzzy Hash: f269587e8e791cf540861c7ad4fb7449500b3192d9a257980c4501e80fbed986
Instruction Fuzzy Hash: C0D0223A380300B7F278B330DC0FFC67A08AB00B00F000A067385AE2C4C8FAA800CB50

Function 01002356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100236C
PostMessageW.USER32(00000000), ref: 01002373

Part of subcall function 00FDE97B: Sleep.KERNEL32 ref: 00FDE9F3

Strings

Shell_TrayWnd, xrefs: 01002365

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c9c7b78dc93ca3295cc35975aca82031848116a06e9e55b08c41ceee63d54ea5
Instruction ID: 210f5e3acdf102fbdbd4099b84841834dec11f606f7a7bc5cc654a439fe1c473
Opcode Fuzzy Hash: c9c7b78dc93ca3295cc35975aca82031848116a06e9e55b08c41ceee63d54ea5
Instruction Fuzzy Hash: 5CD0A9363813007AF279B3309C0FFC67608AB04B00F000A067281AA2C4C8BAA8008B54

Function 00FABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FABE93
GetLastError.KERNEL32 ref: 00FABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FABEFC

Memory Dump Source

Source File: 00000000.00000002.1263959829.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.1263946347.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264017349.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264061286.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1264088018.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f3310d70cc0a0eb98fca4f0a06bd86c9d2391cb2428a8937d20033104a20f37e
Instruction ID: 6c35050720114d488dec422ed55270311144d9573ce33b65f4bae85f1c6c0d65
Opcode Fuzzy Hash: f3310d70cc0a0eb98fca4f0a06bd86c9d2391cb2428a8937d20033104a20f37e
Instruction Fuzzy Hash: AD412D75A05246AFDF218FE4CC54BBA7BA9DF43330F184169F95997192DB318D00EB60

Analysis Process: firefox.exePID: 7256, Parent PID: 3840COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000179C8457577 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000179C845759C

Memory Dump Source

Source File: 0000000A.00000002.2516879557.00000179C8453000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000179C8453000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_179c8453000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 9720b1d98adb2fc2408175598e4ef51d9e596abdef558887c33dd827b96c35d6
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 00A3D431618A588FDB2EDF28DC856E977E5FB55310F04422ED94BCB291DF30EA468B81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.23 52.222.236.23
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000004.00000003.1424237944.00000272ED213000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1424701104.00000272ED215000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1431906974.00000272F4381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1487465395.00000272F74C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1434447288.00000272F74C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1439913734.00000272F74C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1487465395.00000272F74C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1434447288.00000272F74C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1439913734.00000272F74C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1458282179.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1488997872.00000272F433F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F433D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1310351805.00000272F4A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1436192640.00000272EFCC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1436192640.00000272EFCC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000004.00000003.1436192640.00000272EFCC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2513252215.00000179C8303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2513438180.000002F3B1C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1431906974.00000272F4381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1487465395.00000272F74C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1434447288.00000272F74C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.1431906974.00000272F4392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.1439468571.00000272F7F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.1416981382.00000272F5AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.23:443 -> 192.168.2.7:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:50034 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8bc7c5a3-f070-47e0-8b7b-d9fdd475f173.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8bc7c5a3-f070-47e0-8b7b-d9fdd475f173.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre