Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528661
MD5:	a285f5909b06ca67637548eef1ebf393
SHA1:	df7cbe7b48a92972efac417a4c047b4d990256f6
SHA256:	288f31b4bd5cf651e3317023de536d58162f9e94088118d67a5759f75291614e
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A285F5909B06CA67637548EEF1EBF393)

firefox.exe (PID: 2332 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4592 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7072 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb25bf00-0e92-4224-8617-766308d235c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 26970770310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 672 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -parentBuildID 20230927232528 -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f38b1-d4a1-4ab0-a36f-7b88e5e27983} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2697077f610 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7208 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ecbc6d-5389-4c38-a915-fc420e42cf97} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 269880d3710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3884	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00F3EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F3EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F3ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00F3EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F2AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F2AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F59576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F59576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b9a96f03-e
Source: file.exe, 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_837ea7ce-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e449df4d-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2631f842-3

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23C92377 NtQuerySystemInformation,		8_2_000001AC23C92377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23CBB7F2 NtQuerySystemInformation,		8_2_000001AC23CBB7F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F2D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F2D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F21201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F2E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F2E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC8060	0_2_00EC8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F32046	0_2_00F32046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F28298	0_2_00F28298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFE4FF	0_2_00EFE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF676B	0_2_00EF676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F54873	0_2_00F54873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECCAF0	0_2_00ECCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EECAA0	0_2_00EECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDCC39	0_2_00EDCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF6DD9	0_2_00EF6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC91C0	0_2_00EC91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDB119	0_2_00EDB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE1394	0_2_00EE1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE781B	0_2_00EE781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED997D	0_2_00ED997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC7920	0_2_00EC7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE7A4A	0_2_00EE7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE7CA7	0_2_00EE7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF9EEE	0_2_00EF9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4BE44	0_2_00F4BE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23C92377	8_2_000001AC23C92377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23CBB7F2	8_2_000001AC23CBB7F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23CBB832	8_2_000001AC23CBB832
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 8_2_000001AC23CBBF1C	8_2_000001AC23CBBF1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EC9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EDF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EE0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@19/34@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F337B5 GetLastError,FormatMessageW,

0_2_00F337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F210BF AdjustTokenPrivileges,CloseHandle,		0_2_00F210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F2D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F2D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00F3648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EC42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000004.00000003.2223278644.0000026983850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2259138996.000002698386F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000004.00000003.2314097152.000002698055A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000004.00000003.2222649840.0000026988061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258691618.0000026988061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb25bf00-0e92-4224-8617-766308d235c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 26970770310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -parentBuildID 20230927232528 -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f38b1-d4a1-4ab0-a36f-7b88e5e27983} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2697077f610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ecbc6d-5389-4c38-a915-fc420e42cf97} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 269880d3710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb25bf00-0e92-4224-8617-766308d235c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 26970770310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -parentBuildID 20230927232528 -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f38b1-d4a1-4ab0-a36f-7b88e5e27983} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2697077f610 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ecbc6d-5389-4c38-a915-fc420e42cf97} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 269880d3710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000004.00000003.2280262036.000002697E1BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000004.00000003.2280262036.000002697E1BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000004.00000003.2280262036.000002697E1BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000004.00000003.2278199907.000002697E1B5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.4.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 00000004.00000003.2274448890.0000026987D6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 00000004.00000003.2274448890.0000026987D5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 00000004.00000003.2274448890.0000026987D6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.4.dr
Source:	Binary string: CLBCatQ.pdbP4 source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000004.00000003.2278199907.000002697E1B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000004.00000003.2280262036.000002697E1BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 00000004.00000003.2274137862.000002698807D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 00000004.00000003.2274448890.0000026987D5B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbX-Telemetry-Agent source: firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 00000004.00000003.2278853893.000002698385F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2278648529.000002698386F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 00000004.00000003.2274349565.0000026988070000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: gmpopenh264.dll.tmp.4.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE0A76 push ecx; ret

0_2_00EE0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EDF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EDF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F51C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96063

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 8_2_000001AC23C92377 rdtsc

8_2_000001AC23C92377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\file.exe TID: 516

Thread sleep count: 70 > 30

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F2DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFC2A2 FindFirstFileExW,	0_2_00EFC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F368EE FindFirstFileW,FindClose,	0_2_00F368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F3698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F2D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F39642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F3979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F39B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F35C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: firefox.exe, 00000008.00000002.3388224390.000001AC23D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000006.00000002.3384442075.000002825016A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.3382960149.000001AC2344A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3387901785.0000023A5A300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3383181431.0000023A59E9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000006.00000002.3388568536.0000028250512000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000006.00000002.3384442075.000002825016A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000006.00000002.3389218486.0000028250600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: firefox.exe, 00000006.00000002.3389218486.0000028250600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.3388224390.000001AC23D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 8_2_000001AC23C92377 rdtsc

8_2_000001AC23C92377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3EAA2 BlockInput,

0_2_00F3EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EF2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00EE4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F20B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EF2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EE083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE09D5 SetUnhandledExceptionFilter,	0_2_00EE09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EE0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00F21201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F02BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F02BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F2B226 SendInput,keybd_event,

0_2_00F2B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F422DA

Source: C:\Users\user\Desktop\file.exe

0_2_00F20B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F21663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F21663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE0698 cpuid

0_2_00EE0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F38195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00F38195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F1D27A GetUserNameW,

0_2_00F1D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00EFB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EC42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F41204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F41204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F41806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F41806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	21%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.80	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.181.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.184.238	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000009.00000002.3385299951.0000023A5A2C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 00000004.00000003.2311435127.000002698104E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000004.00000003.2203493236.0000026989297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2222821948.0000026983912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2297691913.000002698391A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202024378.00000269892A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2203569112.00000269892AF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.4.dr	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000008.00000002.3385255523.000001AC237CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3385299951.0000023A5A28F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000004.00000003.2308149214.00000269815A0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/	firefox.exe, 00000004.00000003.2309832328.00000269810EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000004.00000003.2223620431.00000269837C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000004.00000003.2255920946.0000026988151000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 00000004.00000003.2307876424.00000269815D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000004.00000003.2135252284.000002697F852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134811159.000002697F80F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135002929.000002697F831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134608703.000002697F600000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000004.00000003.2221048528.00000269891F6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000004.00000003.2258736540.0000026988045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2302121545.0000026988045000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000004.00000003.2223752441.0000026983742000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000004.00000003.2259237090.0000026983850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2295332916.0000026981DE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223278644.0000026983850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135252284.000002697F852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134811159.000002697F80F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2228093358.0000026981CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284289429.0000026983868000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2278814219.0000026983866000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135002929.000002697F831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134608703.000002697F600000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 00000004.00000003.2224058072.0000026982E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284746319.0000026982E30000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000004.00000003.2134811159.000002697F80F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135002929.000002697F831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134608703.000002697F600000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000004.00000003.2164543294.000002698140F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/	firefox.exe, 00000004.00000003.2316524824.0000026983386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284653203.00000269836AC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000004.00000003.2307876424.00000269815D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000004.00000003.2308149214.00000269815A0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.comx	firefox.exe, 00000004.00000003.2303823131.0000026982E59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2224058072.0000026982E59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2298295687.0000026982E59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284746319.0000026982E59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000009.00000002.3384893108.0000023A5A1F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 00000004.00000003.2179528893.0000026987EA6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.4.dr	false		unknown
https://www.amazon.com/	firefox.exe, 00000004.00000003.2259483284.000002698376C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.googlK	firefox.exe, 00000009.00000002.3383181431.0000023A59E9A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 00000004.00000003.2313422158.00000269805CF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000004.00000003.2203493236.0000026989297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202024378.00000269892B8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://MD8.mozilla.org/1/m	firefox.exe, 00000004.00000003.2223886244.00000269833D8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.bbc.co.uk/	firefox.exe, 00000004.00000003.2309832328.00000269810EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000004.00000003.2222821948.0000026983994000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000009.00000002.3385299951.0000023A5A2C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	firefox.exe, 00000004.00000003.2305776586.0000026981D3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000004.00000003.2203493236.0000026989297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202024378.00000269892A3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000004.00000003.2240433779.00000269816DB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mo	firefox.exe, 00000004.00000003.2297461328.0000026983994000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000004.00000003.2221048528.00000269891F6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.4.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 00000004.00000003.2311435127.000002698104E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000004.00000003.2223620431.00000269837C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2315200496.0000026987D62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.3385255523.000001AC23712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3385299951.0000023A5A213000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.iqiyi.com/	firefox.exe, 00000004.00000003.2309832328.00000269810EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.4.dr	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://addons.mozilla.org/	firefox.exe, 00000004.00000003.2222821948.000002698393D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000009.00000002.3385299951.0000023A5A28F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000004.00000003.2309832328.00000269810E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000004.00000003.2264247234.0000026987EC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2260126263.0000026982497000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2271900247.0000026981CC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2184835225.0000026987F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2178167650.0000026987FC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2160808370.00000269835F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2137305840.000002697F93E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2294316701.00000269823B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2291806836.00000269820D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2230929862.0000026987EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2305021313.00000269820BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2252190063.0000026987FBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2139629284.000002697FC9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2176921807.0000026987FC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2316252381.0000026983388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2305021313.00000269820D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2141606576.000002697FC72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2311872982.0000026980C93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2141606576.000002697FC99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2173513695.0000026987F7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2141606576.000002697FC79000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 00000004.00000003.2305328144.00000269820AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2291806836.0000026982093000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 00000004.00000003.2284746319.0000026982E2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.4.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 00000004.00000003.2258183926.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221833153.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2273930926.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2313422158.00000269805CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000004.00000003.2258183926.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221833153.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2273930926.00000269880DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2313422158.00000269805CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000004.00000003.2309832328.00000269810E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000004.00000003.2223752441.0000026983742000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000004.00000003.2321432687.0000026981212000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000004.00000003.2223752441.0000026983742000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000004.00000003.2298295687.0000026982E40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284746319.0000026982E3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2224058072.0000026982E3B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000004.00000003.2203493236.0000026989297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202024378.00000269892A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2203569112.00000269892AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202891678.000002698929A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=htt#	file.exe, 00000000.00000003.2134650475.000000000105B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2135354249.000000000105B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000004.00000003.2222821948.0000026983994000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000004.00000003.2223620431.00000269837C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.co.uk/	firefox.exe, 00000004.00000003.2309832328.00000269810EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000004.00000003.2221833153.00000269880BA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://screenshots.firefox.com/	firefox.exe, 00000004.00000003.2134608703.000002697F600000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://truecolors.firefox.com/	firefox.exe, 00000004.00000003.2222821948.000002698393D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 00000004.00000003.2259237090.0000026983850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2295332916.0000026981DE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223278644.0000026983850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135252284.000002697F852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134811159.000002697F80F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2228093358.0000026981CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2284289429.0000026983868000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2278814219.0000026983866000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2135002929.000002697F831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2134608703.000002697F600000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000006.00000002.3385497621.0000028250300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.3384699418.000001AC235B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3384746272.0000023A5A100000.00000002.10000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
52.222.236.80	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.238	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528661
Start date and time:	2024-10-08 08:21:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@19/34@70/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 97% Number of executed functions: 39 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.242.27.108, 44.238.148.23, 44.224.63.42, 142.250.186.142, 2.22.61.56, 2.22.61.59, 142.250.184.202, 142.250.184.234, 142.250.185.206
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 4592 because there are no executed function
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
02:22:11	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
52.222.236.80	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	52.222.236.23
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	http://kendellseafoods.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	34.117.162.98
AMAZON-02US	https://www.anwaltssocietaet.at/#	Get hash	malicious	Unknown	Browse	18.197.194.31
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	Products Order Catalogs20242.exe	Get hash	malicious	FormBook	Browse	34.251.91.168
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	rfc[1].html	Get hash	malicious	Unknown	Browse	18.238.55.20
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	18.245.162.100
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.36.213.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_845e1396-f980-4bfe-b1f5-5bf2d4182059.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.174164003463722
Encrypted:	false
SSDEEP:	192:b2BMXXjUcbhbVbTbfbRbObtbyEl7n9rRJA6unSrDtTkdxSofn:b2i4cNhnzFSJdrM1nSrDhkdxz
MD5:	3A47DD238B8C7F3DED669F44BCF96824
SHA1:	4E475C4512BFA42046EDCC738C6F08E5CD0F8E1E
SHA-256:	278EC2B6E66836CD217A25B7B372C0CD604AAFBD139DFF80E0B856F0CAE0E5FD
SHA-512:	E24A68EB77CC739167E255D7E52DFD70652BE3AC9011B7B02938C7C4EE49D41CC09C2D5DF13944A96335FC4C8541244484A7AB03933B41D2A60167080AA79259
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"845e1396-f980-4bfe-b1f5-5bf2d4182059","creationDate":"2024-10-08T08:19:11.577Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_845e1396-f980-4bfe-b1f5-5bf2d4182059.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.174164003463722
Encrypted:	false
SSDEEP:	192:b2BMXXjUcbhbVbTbfbRbObtbyEl7n9rRJA6unSrDtTkdxSofn:b2i4cNhnzFSJdrM1nSrDhkdxz
MD5:	3A47DD238B8C7F3DED669F44BCF96824
SHA1:	4E475C4512BFA42046EDCC738C6F08E5CD0F8E1E
SHA-256:	278EC2B6E66836CD217A25B7B372C0CD604AAFBD139DFF80E0B856F0CAE0E5FD
SHA-512:	E24A68EB77CC739167E255D7E52DFD70652BE3AC9011B7B02938C7C4EE49D41CC09C2D5DF13944A96335FC4C8541244484A7AB03933B41D2A60167080AA79259
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"845e1396-f980-4bfe-b1f5-5bf2d4182059","creationDate":"2024-10-08T08:19:11.577Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931426146260912
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL7T8P:gXiNFS+OcUGOdwiOdwBjkYL7T8P
MD5:	909EF9333ECD7B21A1827E7F0CCE06E6
SHA1:	E5EF454B3E71ECA45F8386C3E32ADD269EB134BB
SHA-256:	9AB2005A385150ED7D8DE9DFED6E8E559B67B12E229B927EF53BE51B1C64AF2D
SHA-512:	9D5B12A77628D25BAE64D1794681B0B7E1B12065B2BD6FF0A8848885A7EB5CDBA898708D1F52BE44630652A1E86820789460458A01B847364BB66416B2A030B8
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931426146260912
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL7T8P:gXiNFS+OcUGOdwiOdwBjkYL7T8P
MD5:	909EF9333ECD7B21A1827E7F0CCE06E6
SHA1:	E5EF454B3E71ECA45F8386C3E32ADD269EB134BB
SHA-256:	9AB2005A385150ED7D8DE9DFED6E8E559B67B12E229B927EF53BE51B1C64AF2D
SHA-512:	9D5B12A77628D25BAE64D1794681B0B7E1B12065B2BD6FF0A8848885A7EB5CDBA898708D1F52BE44630652A1E86820789460458A01B847364BB66416B2A030B8
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07324889249370756
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiLW:DLhesh7Owd4+jiL
MD5:	BB765F133577632440F1B5D7C626B6F3
SHA1:	80F1B8FF814D5C9D674F9FBCFEDFC80AC9F55119
SHA-256:	B82BC3013E13C6D8AD1203BCF09BBBB7FE0513C667D616681321968358F60D07
SHA-512:	4AE710F731B2F9AD2217A86B99CF78A7C388A74A3EFE19B36E7B6431DC2797E79233B9BEF70C38FF65FAD55EFD02776C26B0D4D71BE38F8EED86BB5159AC8E6D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039667308764353294
Encrypted:	false
SSDEEP:	3:GHlhVuJEDqB3AkmwHlhVuJEDqB3AkmNwl8a9//Ylll4llqlyllel4lt:G7Vu+qB3Ao7Vu+qB3AuL9XIwlio
MD5:	D8D54058A005CE872157490ED790BAE7
SHA1:	7DE29BCEBC6676E48C66E7B25F1435E01CB3A02E
SHA-256:	E19EF68DAC7E8777DFFF089C0F4BC3D0EF9BF9AA0B5E5A6E0BE7E0451D61E5C0
SHA-512:	2EB30187974B80A6B408BCD0D94447FCC4623BA59DA06249B6DA5B7B7023EFB9FE46AF6D3F3681B9D302050501FBDA3F9677C53344DE45E9910154139B748A58
Malicious:	false
Preview:	..-......................h~..f.Vq>.=.[.e!....94...-......................h~..f.Vq>.=.[.e!....94.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	163992
Entropy (8bit):	0.09527927401563994
Encrypted:	false
SSDEEP:	24:Kn9sY7M9oILxs9YCF9K45xsMldCCQE/TSKCrsCs81xsay39P4gmwlgU2iEg:g9sMM9o8st9jzJKDC8XVy39P4UmU
MD5:	7955DBCAB5CE95D866020BC37AD0CC2F
SHA1:	4448608B67EDB929ADEDBF630F3BF613935F56F5
SHA-256:	1D9AFDCFDB4E89BF4A3F4C8CBB70639BBCF97F0B0643036B1E7BF81FB71F594B
SHA-512:	05EDAB931105DB0B5158DCA51D9B51A31EDB1B827D187ADE00027536DDA747EBC161D43C77631EB77E5843837636057AB14F84AA73CD62CD1D830A2F7EC2EB4F
Malicious:	false
Preview:	7....-..........q>.=.[.e..A.1.u.........q>.=.[.e1....yHF................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467917262561653
Encrypted:	false
SSDEEP:	192:unTFTRRUYbBp6uLZNMGaXY6qU4Iizy+/3/7TO5RYiNBw8dmSl:0KePFNMvPiyCCdw50
MD5:	04F9B6341BCD9F93071CB546D3A87643
SHA1:	2931F5BC85625347E45A6A95355559A60A9AC25E
SHA-256:	452FFCBE61BEC93DEF7F130E36445AC2DAB0AA7731AF3D643BC03E6F278A6185
SHA-512:	7A077B2C9278D7572F59A0963236C3C8F6B1913C5BFFA7EA3CC5B4BF0D504D4387328333471DC0E3D560C83CFFFB6325167E6AB33FC059A6ECDA38758A952F2C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728375522);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728375522);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728375522);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172837

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467917262561653
Encrypted:	false
SSDEEP:	192:unTFTRRUYbBp6uLZNMGaXY6qU4Iizy+/3/7TO5RYiNBw8dmSl:0KePFNMvPiyCCdw50
MD5:	04F9B6341BCD9F93071CB546D3A87643
SHA1:	2931F5BC85625347E45A6A95355559A60A9AC25E
SHA-256:	452FFCBE61BEC93DEF7F130E36445AC2DAB0AA7731AF3D643BC03E6F278A6185
SHA-512:	7A077B2C9278D7572F59A0963236C3C8F6B1913C5BFFA7EA3CC5B4BF0D504D4387328333471DC0E3D560C83CFFFB6325167E6AB33FC059A6ECDA38758A952F2C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728375522);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728375522);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728375522);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172837

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333717762244417
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStaD2LXnIgU9/pnxQwRlscT5sKLs3eHVvwKXTCehujJmyOOxmOmaoA:GUpOx6WnRfY3eNwCTCTJNKRh4
MD5:	06C25E69675F8C3871CC661C388BA5E3
SHA1:	87B516C59D035BB6E095B8A58BB1F926B108CB6D
SHA-256:	BA1B6AAA50612C66350C9948FC78616C27D175515ECB74FA5FCEEB9E7AA731BD
SHA-512:	CD0D30F9694EA23D09AF4D6E302BD16B3AE3617A28F9EC706A39700E9FC1CC4D4AAF472618C07249ACFA2F9E4764C12A950C2DEDE469E6217E70787D2CB6EC8B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3dc2932c-db77-4650-9438-c8cc69b396b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728375529174,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`491486...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....495931,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333717762244417
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStaD2LXnIgU9/pnxQwRlscT5sKLs3eHVvwKXTCehujJmyOOxmOmaoA:GUpOx6WnRfY3eNwCTCTJNKRh4
MD5:	06C25E69675F8C3871CC661C388BA5E3
SHA1:	87B516C59D035BB6E095B8A58BB1F926B108CB6D
SHA-256:	BA1B6AAA50612C66350C9948FC78616C27D175515ECB74FA5FCEEB9E7AA731BD
SHA-512:	CD0D30F9694EA23D09AF4D6E302BD16B3AE3617A28F9EC706A39700E9FC1CC4D4AAF472618C07249ACFA2F9E4764C12A950C2DEDE469E6217E70787D2CB6EC8B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3dc2932c-db77-4650-9438-c8cc69b396b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728375529174,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`491486...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....495931,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333717762244417
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStaD2LXnIgU9/pnxQwRlscT5sKLs3eHVvwKXTCehujJmyOOxmOmaoA:GUpOx6WnRfY3eNwCTCTJNKRh4
MD5:	06C25E69675F8C3871CC661C388BA5E3
SHA1:	87B516C59D035BB6E095B8A58BB1F926B108CB6D
SHA-256:	BA1B6AAA50612C66350C9948FC78616C27D175515ECB74FA5FCEEB9E7AA731BD
SHA-512:	CD0D30F9694EA23D09AF4D6E302BD16B3AE3617A28F9EC706A39700E9FC1CC4D4AAF472618C07249ACFA2F9E4764C12A950C2DEDE469E6217E70787D2CB6EC8B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3dc2932c-db77-4650-9438-c8cc69b396b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728375529174,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`491486...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....495931,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008781373253256
Encrypted:	false
SSDEEP:	48:YrSAYTHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycTCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	97465EB72505DA0E264CF8CCFEAA8E81
SHA1:	3DD0FBD5C1624E849CAF468E100FBF754CB4249B
SHA-256:	D188C66D9E0C754571B4CC6425D06E9799911DBC9D8F260A7D93D70DA6329639
SHA-512:	609568CAFE8E05912D017A74ADBBE39500E179569E0E9060AAA97CF634EDF1FE1A8CBEA7599F1CFD334D79D5F17236AF269EEC3F7B61FDFA2076008BBC22D97A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T08:18:27.016Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008781373253256
Encrypted:	false
SSDEEP:	48:YrSAYTHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycTCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	97465EB72505DA0E264CF8CCFEAA8E81
SHA1:	3DD0FBD5C1624E849CAF468E100FBF754CB4249B
SHA-256:	D188C66D9E0C754571B4CC6425D06E9799911DBC9D8F260A7D93D70DA6329639
SHA-512:	609568CAFE8E05912D017A74ADBBE39500E179569E0E9060AAA97CF634EDF1FE1A8CBEA7599F1CFD334D79D5F17236AF269EEC3F7B61FDFA2076008BBC22D97A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T08:18:27.016Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583695456179563
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	a285f5909b06ca67637548eef1ebf393
SHA1:	df7cbe7b48a92972efac417a4c047b4d990256f6
SHA256:	288f31b4bd5cf651e3317023de536d58162f9e94088118d67a5759f75291614e
SHA512:	f5fb389ba1010162f37887f36652812d26cd452ec6a82731a2022c55a09b08c10e12198f70352d6a3669293733bdb66bbd33bdf8f89927ef50aa8d303da97d1f
SSDEEP:	12288:1qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga3T0:1qDEvCTbMWu7rQYlBQcBiT6rprG8aj0
TLSH:	7B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6704CEB6 [Tue Oct 8 06:18:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2B08AF2733h
jmp 00007F2B08AF203Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B08AF221Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B08AF21EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2B08AF4DDDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2B08AF4E28h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2B08AF4E11h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bd0	0x9c00	4b177aed33fbc5d2fb2e049efe374454	False	0.31723257211538464	data	5.330516208466992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xe96	data			1.0029459025174077
RT_GROUP_ICON	0xdd650	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd6dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd6f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd704	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd7e0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 08:22:07.952845097 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:07.952904940 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:07.953042984 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:07.958174944 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:07.958201885 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:07.958571911 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.958671093 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:07.960444927 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.964098930 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.964142084 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:07.982131958 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.982156992 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:07.984312057 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.986862898 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:07.986890078 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:07.990315914 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:07.995156050 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:07.999917030 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.000132084 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.004957914 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:08.439202070 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.440722942 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.444052935 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:08.495210886 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.620641947 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.621829987 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.622078896 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.623359919 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.639892101 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.640904903 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.643023014 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.643054962 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.672379971 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.672434092 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.673079967 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.673383951 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.673393011 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.673731089 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.673810005 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.674154997 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.674310923 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.674331903 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.674638987 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.674705029 CEST	443	49722	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.675293922 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.677130938 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.677148104 CEST	443	49722	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.678606987 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.678643942 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.678704023 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.679069042 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.679157019 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.679192066 CEST	443	49718	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.679296970 CEST	49718	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.679315090 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.680653095 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.680691004 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.879435062 CEST	443	49717	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:08.879502058 CEST	443	49716	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:08.880886078 CEST	49717	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:08.880942106 CEST	49716	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:08.881901979 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.881938934 CEST	443	49724	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:08.882118940 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.884217024 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.884236097 CEST	443	49724	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:08.905888081 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.910746098 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:08.912494898 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.913660049 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:08.918425083 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:08.921475887 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:08.921499014 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:08.922029018 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:08.922184944 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:08.922194958 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:08.923003912 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.923019886 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:08.923722982 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.925649881 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:08.925662994 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.095607996 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.095705032 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.095923901 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.096038103 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.096057892 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.143640995 CEST	443	49722	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:09.144383907 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:09.147926092 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:09.147933006 CEST	443	49722	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:09.147998095 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:09.148144960 CEST	443	49722	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:09.149522066 CEST	49722	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:09.286123037 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.290956020 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.329150915 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:09.329319954 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:09.329783916 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:09.330243111 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:09.333707094 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:09.333733082 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:09.333785057 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:09.333990097 CEST	443	49723	142.250.181.238	192.168.2.6
Oct 8, 2024 08:22:09.334244013 CEST	49723	443	192.168.2.6	142.250.181.238
Oct 8, 2024 08:22:09.355118990 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.378160000 CEST	443	49724	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.378237963 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.380193949 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.383800983 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.383807898 CEST	443	49724	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.383913040 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.384068966 CEST	443	49724	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.384316921 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.384362936 CEST	443	49729	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.384391069 CEST	49724	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.384583950 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.385966063 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.385984898 CEST	443	49729	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.399167061 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.399229050 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.402909994 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.403181076 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:09.403423071 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:09.405838966 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:09.405846119 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:09.405896902 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.405913115 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.406052113 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.406183958 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:09.406380892 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.406389952 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.408200979 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:09.408253908 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:09.408356905 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:09.429522991 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.437302113 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.437318087 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.442503929 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.442994118 CEST	80	49719	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.445305109 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.445312977 CEST	49719	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.514832020 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.514874935 CEST	443	49731	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.515367985 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.518727064 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.519946098 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.519963026 CEST	443	49731	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.520328045 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.520492077 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.520639896 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.525461912 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.564642906 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.564727068 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.567969084 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.567985058 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.568234921 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.570816040 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.570935011 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.571012020 CEST	443	49728	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.571293116 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.571332932 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.571363926 CEST	49728	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.571433067 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.571554899 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:09.571563005 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:09.615405083 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.615453005 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.713449001 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.718548059 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.724672079 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.724672079 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:09.729615927 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:09.861032009 CEST	443	49729	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.861129045 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.896483898 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.896513939 CEST	443	49729	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.896560907 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.897109032 CEST	443	49729	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:09.897269964 CEST	49729	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:09.974801064 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.020376921 CEST	443	49731	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.020452976 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.024671078 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.024682045 CEST	443	49731	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.024734020 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:10.024766922 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.024905920 CEST	443	49731	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.025129080 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.025172949 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.025204897 CEST	49731	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.025271893 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.025468111 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:10.026577950 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.026595116 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.026659966 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:10.029336929 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:10.029347897 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:10.029628038 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:10.035975933 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:10.036035061 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:10.036122084 CEST	443	49733	34.160.144.191	192.168.2.6
Oct 8, 2024 08:22:10.036459923 CEST	49733	443	192.168.2.6	34.160.144.191
Oct 8, 2024 08:22:10.179045916 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.231801033 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:10.510690928 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.510768890 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.515235901 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.515242100 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.515340090 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.515423059 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 8, 2024 08:22:10.515470982 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 8, 2024 08:22:10.629878044 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:10.630084038 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:10.634824038 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.634957075 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.726402044 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.726433992 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:10.780191898 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:10.780199051 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:12.767406940 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:12.772259951 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:12.773189068 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:12.773297071 CEST	443	49738	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:12.775964975 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:12.777311087 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:12.777348042 CEST	443	49738	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:12.864094019 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:12.917399883 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:13.252785921 CEST	443	49738	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:13.256087065 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:13.321018934 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:13.321047068 CEST	443	49738	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:13.321098089 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:13.321654081 CEST	443	49738	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:13.334248066 CEST	49738	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:13.636118889 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:13.636149883 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:13.636385918 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:13.636518955 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:13.636527061 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:13.642611980 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:13.642644882 CEST	443	49741	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:13.643946886 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:13.645319939 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:13.645338058 CEST	443	49741	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:13.646864891 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:13.649718046 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:13.649740934 CEST	443	49742	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:13.650190115 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:13.651468992 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:13.651480913 CEST	443	49742	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:13.651624918 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:14.698081970 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:14.700903893 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:14.701000929 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:14.701054096 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:14.701075077 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:14.701075077 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:14.701144934 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:14.709557056 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:14.709631920 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:14.717381954 CEST	443	49741	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:14.718722105 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:15.130084991 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:15.130105972 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:15.131035089 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:15.135078907 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:15.135149956 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:15.135376930 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:15.135376930 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:15.135411024 CEST	443	49741	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:15.135565996 CEST	443	49740	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:15.135756969 CEST	443	49741	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:15.136014938 CEST	49740	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:15.136267900 CEST	49741	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:15.149063110 CEST	443	49742	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:15.149141073 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:15.164081097 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:15.164099932 CEST	443	49742	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:15.164170980 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:15.164387941 CEST	443	49742	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:15.164479971 CEST	49742	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:17.938950062 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:17.943876982 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:18.035358906 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:18.078542948 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:19.001219034 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:19.033967972 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.034068108 CEST	443	49769	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:19.035897970 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.037216902 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.037249088 CEST	443	49769	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:19.051920891 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.051987886 CEST	443	49770	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:19.054902077 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.056103945 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.056155920 CEST	443	49770	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:19.143165112 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:19.153600931 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.153666973 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.153753042 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.154073954 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.154155970 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.154171944 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.154208899 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.154218912 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.154325962 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.154349089 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.235105991 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:19.278079033 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:19.321191072 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:19.325985909 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:19.336129904 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.336155891 CEST	443	49773	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.336639881 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.338820934 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.338833094 CEST	443	49773	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.417609930 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:19.466995955 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:19.595890045 CEST	443	49769	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:19.596077919 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.604986906 CEST	443	49770	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:19.605067968 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.610105038 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.610192060 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.625809908 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.625910044 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.653881073 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.653964996 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.654607058 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.656418085 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.656496048 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.657391071 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.698873997 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.698993921 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.739916086 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.740010977 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.740278006 CEST	443	49771	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.741307020 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.741324902 CEST	443	49770	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:19.741461039 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.741583109 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.741595984 CEST	443	49770	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:19.741626978 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.741750002 CEST	49771	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.741780996 CEST	49770	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:19.742291927 CEST	443	49772	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.742456913 CEST	49772	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:19.743630886 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.743644953 CEST	443	49769	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:19.743719101 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.743923903 CEST	443	49769	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:19.743969917 CEST	49769	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:19.800252914 CEST	443	49773	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:19.801573992 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.255357981 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.255388021 CEST	443	49773	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.255443096 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.255934954 CEST	443	49773	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.256639004 CEST	49773	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.595001936 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.595048904 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.595853090 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.596002102 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.596024990 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.596386909 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:20.601156950 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:20.605582952 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.605598927 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.617043972 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.618335962 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.618350029 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.692740917 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:20.732932091 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:20.773597002 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:20.778464079 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:20.836231947 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.836261034 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.836466074 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.836466074 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:20.836497068 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:20.870055914 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:20.917900085 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:21.066845894 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.066932917 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.079662085 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.079679012 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.079761982 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.295996904 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.296331882 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.322276115 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.322326899 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.322624922 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.334235907 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.334258080 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.334630966 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.372514009 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.387974977 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.860599041 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.860599041 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.860852957 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.860903025 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.860932112 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.861016035 CEST	443	49785	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.861192942 CEST	443	49786	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.861200094 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.861200094 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.861584902 CEST	49785	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.861584902 CEST	49786	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:21.861922026 CEST	443	49787	34.120.208.123	192.168.2.6
Oct 8, 2024 08:22:21.862576962 CEST	49787	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:22:25.131877899 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:25.137065887 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:25.228688955 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:25.232214928 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:25.237040997 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:25.275265932 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:25.328803062 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:25.375449896 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:30.411161900 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.411201954 CEST	443	63925	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:30.411449909 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.412616014 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.412626982 CEST	443	63925	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:30.869584084 CEST	443	63925	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:30.869683027 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.875478029 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.875488997 CEST	443	63925	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:30.875637054 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.875675917 CEST	443	63925	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:30.875818968 CEST	63925	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:30.879165888 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:30.884074926 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:30.975688934 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:30.980444908 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:30.985384941 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:31.029510021 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:31.077218056 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:31.129813910 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:35.441915035 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.442008018 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.449213028 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.449649096 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.449688911 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.458050966 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.458080053 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.458252907 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.458355904 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.458367109 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.461494923 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:35.461502075 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:35.461571932 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:35.461658001 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:35.461667061 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:35.482891083 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.482979059 CEST	443	63955	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:35.484527111 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.485733032 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.485769987 CEST	443	63955	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:35.501215935 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.501243114 CEST	443	63956	35.201.103.21	192.168.2.6
Oct 8, 2024 08:22:35.502604008 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.503870010 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.503882885 CEST	443	63956	35.201.103.21	192.168.2.6
Oct 8, 2024 08:22:35.906436920 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.906449080 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.908144951 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.910835981 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.910851955 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.911066055 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.912892103 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.913032055 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.913129091 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.913146973 CEST	443	63952	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:35.916273117 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.916273117 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.916273117 CEST	63952	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:35.917736053 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:35.922652960 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:35.932853937 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.932924986 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.935902119 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.935916901 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.936110020 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.938172102 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.938232899 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.938309908 CEST	443	63953	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.938941002 CEST	63953	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.950198889 CEST	443	63955	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:35.950361967 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.954211950 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.954242945 CEST	443	63955	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:35.954322100 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.954509974 CEST	443	63955	35.190.72.216	192.168.2.6
Oct 8, 2024 08:22:35.966311932 CEST	63955	443	192.168.2.6	35.190.72.216
Oct 8, 2024 08:22:35.979536057 CEST	443	63956	35.201.103.21	192.168.2.6
Oct 8, 2024 08:22:35.979608059 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.985054970 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.985063076 CEST	443	63956	35.201.103.21	192.168.2.6
Oct 8, 2024 08:22:35.985137939 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.985219002 CEST	443	63956	35.201.103.21	192.168.2.6
Oct 8, 2024 08:22:35.985481977 CEST	63956	443	192.168.2.6	35.201.103.21
Oct 8, 2024 08:22:35.996974945 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.997065067 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:35.997262001 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.997262001 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:35.997340918 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:36.014034986 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.016343117 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.021194935 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.066684008 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.113249063 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.166805983 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.223345041 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:36.223709106 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:36.226227999 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:36.226260900 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:36.226459026 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:36.228705883 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:36.228705883 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:36.228840113 CEST	443	63954	52.222.236.80	192.168.2.6
Oct 8, 2024 08:22:36.235335112 CEST	63954	443	192.168.2.6	52.222.236.80
Oct 8, 2024 08:22:36.236052990 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.236085892 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.236505985 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.236505985 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.236532927 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.239676952 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.239695072 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.242630005 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.242644072 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.242729902 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.242844105 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.242851973 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.243031979 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.243031979 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.243122101 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.244499922 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.461581945 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.463568926 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:36.464309931 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:36.466567039 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:36.466597080 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:36.466851950 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:36.469053030 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:36.469151020 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:36.469202042 CEST	443	63962	34.149.100.209	192.168.2.6
Oct 8, 2024 08:22:36.469790936 CEST	63962	443	192.168.2.6	34.149.100.209
Oct 8, 2024 08:22:36.555200100 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.560483932 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.565234900 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.606096029 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.656682014 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.706041098 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.911468029 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.912369967 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.914041042 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.914045095 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.914262056 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.916212082 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.916212082 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.916338921 CEST	443	63964	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.916606903 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.917283058 CEST	63964	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.919406891 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.921576977 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.921582937 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.921892881 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.922107935 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.922142982 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.922249079 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.922250032 CEST	443	63963	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.924407005 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:36.925278902 CEST	63963	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.929279089 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:36.934767008 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.935455084 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.937177896 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.937207937 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.937963009 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.939716101 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.939901114 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.939937115 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.939954042 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.947401047 CEST	443	63965	35.244.181.201	192.168.2.6
Oct 8, 2024 08:22:36.950865984 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.950865984 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.950905085 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:36.950906038 CEST	63965	443	192.168.2.6	35.244.181.201
Oct 8, 2024 08:22:37.021255016 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:37.025412083 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:37.030266047 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:37.069499016 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:37.121603012 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:37.169650078 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:47.036073923 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:47.040904999 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:47.136126995 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:47.140999079 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:48.617352009 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:48.622168064 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:48.714083910 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:48.716667891 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:48.721522093 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:48.756485939 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:48.816237926 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:48.872242928 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:50.889605045 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:50.889642954 CEST	443	64064	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:50.889839888 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:50.891043901 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:50.891055107 CEST	443	64064	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:51.374141932 CEST	443	64064	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:51.374245882 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:51.378041029 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:51.378058910 CEST	443	64064	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:51.378150940 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:51.378298044 CEST	443	64064	34.107.243.93	192.168.2.6
Oct 8, 2024 08:22:51.378900051 CEST	64064	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:22:51.381234884 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:51.386181116 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:51.477948904 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:51.481338978 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:51.486170053 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:51.526866913 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:22:51.577975035 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:22:51.627068043 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:01.494473934 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:01.578995943 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:01.607502937 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:01.607518911 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:05.100333929 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.100419998 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.100472927 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.100493908 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.100578070 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.100615978 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.100918055 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.100928068 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.100995064 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.101116896 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.101135969 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.101218939 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.101233959 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.101288080 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.101314068 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.124978065 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.125065088 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.125241995 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.125267982 CEST	443	64114	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.125353098 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.125380993 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.125951052 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.125952005 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.125952005 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.126091957 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.126113892 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.126180887 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.126199007 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.126241922 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.126266003 CEST	443	64114	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.555835009 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.556101084 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.559088945 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.559118986 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.559485912 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.561892986 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.561991930 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.562092066 CEST	443	64110	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.562586069 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.562613010 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.563021898 CEST	64110	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.563214064 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.563251019 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.563257933 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.579906940 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.580276012 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.581233025 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.583425999 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.583439112 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.583787918 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.583954096 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.584950924 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.586200953 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.586215019 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.586463928 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.587421894 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:05.587546110 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.589859009 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.589864969 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.590760946 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.592343092 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:05.592915058 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.593002081 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.593379021 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.593420029 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.593918085 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.594055891 CEST	443	64114	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.594180107 CEST	443	64109	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.595129967 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.595159054 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.595196962 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.595258951 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.595361948 CEST	443	64115	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.595840931 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.596132040 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.596230030 CEST	443	64112	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.596276999 CEST	64109	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.596293926 CEST	64115	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.596304893 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.596606970 CEST	64112	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.599150896 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.599175930 CEST	443	64114	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.599524021 CEST	443	64114	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.601610899 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.601700068 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.601850033 CEST	64114	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.619301081 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.621890068 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.624624968 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.624665976 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.625020981 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.626415014 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.626486063 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.626617908 CEST	443	64113	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:05.626684904 CEST	64113	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:05.684261084 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:05.716186047 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:05.721445084 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:05.737873077 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:05.816072941 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:05.869309902 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:06.028331995 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.029180050 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.031349897 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.031363964 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.031713009 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.035403013 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.035403013 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.035605907 CEST	443	64116	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.036392927 CEST	64116	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.037045002 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:06.041968107 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:06.045135975 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.045361996 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.049393892 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.049427032 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.049662113 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.052251101 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.052381992 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.052402973 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.052421093 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.133382082 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:06.136282921 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:06.141088009 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:06.192361116 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:06.232374907 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:06.259413004 CEST	443	64117	34.120.208.123	192.168.2.6
Oct 8, 2024 08:23:06.259476900 CEST	64117	443	192.168.2.6	34.120.208.123
Oct 8, 2024 08:23:06.292665005 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:16.140557051 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:16.145864964 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:16.237409115 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:16.242357016 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:26.150887966 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:26.156229973 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:26.251152992 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:26.256218910 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:31.392647982 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.392760038 CEST	443	64119	34.107.243.93	192.168.2.6
Oct 8, 2024 08:23:31.392940998 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.394258022 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.394293070 CEST	443	64119	34.107.243.93	192.168.2.6
Oct 8, 2024 08:23:31.872704029 CEST	443	64119	34.107.243.93	192.168.2.6
Oct 8, 2024 08:23:31.872874975 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.876082897 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.876115084 CEST	443	64119	34.107.243.93	192.168.2.6
Oct 8, 2024 08:23:31.876177073 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.876341105 CEST	443	64119	34.107.243.93	192.168.2.6
Oct 8, 2024 08:23:31.876395941 CEST	64119	443	192.168.2.6	34.107.243.93
Oct 8, 2024 08:23:31.878655910 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:31.883682966 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:31.975827932 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:31.979629040 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:31.985097885 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:32.029913902 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:32.076800108 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:32.129987001 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:41.996737003 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:42.002341986 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:42.096776962 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:42.101847887 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:52.003819942 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:52.008729935 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:23:52.104006052 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:23:52.109137058 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:24:02.017904043 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:24:02.022864103 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:24:02.118067026 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:24:02.123260021 CEST	80	49732	34.107.221.82	192.168.2.6
Oct 8, 2024 08:24:12.029953957 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:24:12.035491943 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 8, 2024 08:24:12.130223989 CEST	49732	80	192.168.2.6	34.107.221.82
Oct 8, 2024 08:24:12.135416031 CEST	80	49732	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 08:22:07.936463118 CEST	49343	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.942192078 CEST	51315	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.944638968 CEST	53	49343	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.962291002 CEST	61395	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.962441921 CEST	64204	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.962569952 CEST	63183	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.969043970 CEST	53	61395	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.969347954 CEST	53	63183	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.969362020 CEST	53	64204	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.977876902 CEST	60323	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.979037046 CEST	65435	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.979316950 CEST	65523	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:07.984534025 CEST	53	60323	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.985944033 CEST	53	65435	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:07.987940073 CEST	53	65523	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.860614061 CEST	56394	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.861171961 CEST	58852	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.867464066 CEST	53	56394	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.867739916 CEST	53	58852	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.871638060 CEST	65528	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.878895998 CEST	53	65528	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.882920980 CEST	63586	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.889636993 CEST	53	63586	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.894608974 CEST	50077	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.903601885 CEST	51749	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.908478975 CEST	53064	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.910371065 CEST	53	51749	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.914964914 CEST	53	53064	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.921948910 CEST	54975	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.923641920 CEST	64480	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.928550959 CEST	53	54975	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.930756092 CEST	53	64480	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.942466974 CEST	53373	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.946299076 CEST	55098	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:08.949194908 CEST	53	53373	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:08.953577042 CEST	53	55098	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:09.086617947 CEST	55034	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:09.094510078 CEST	53	55034	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:09.095488071 CEST	62745	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:09.102317095 CEST	53	62745	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:09.103121996 CEST	54803	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:09.118551970 CEST	53	54803	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:09.430629969 CEST	52863	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:09.470767975 CEST	53	54708	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:10.582179070 CEST	55492	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:10.589376926 CEST	53	55492	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:10.590519905 CEST	54010	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:10.597368956 CEST	53	54010	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:10.598418951 CEST	50097	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:10.605197906 CEST	53	50097	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:12.771852016 CEST	49770	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:12.779232025 CEST	53	49770	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:12.780170918 CEST	56427	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:12.787307978 CEST	53	56427	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:12.792432070 CEST	61924	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:12.799710035 CEST	53	61924	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:13.631753922 CEST	50125	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:13.638503075 CEST	53	50125	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:13.642476082 CEST	61195	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:13.649157047 CEST	53	61195	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:13.650008917 CEST	51683	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:13.651968956 CEST	50689	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:13.656893015 CEST	53	51683	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:13.658708096 CEST	53	50689	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:13.659261942 CEST	53275	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:14.670897007 CEST	53275	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:14.701085091 CEST	53	53275	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:14.701093912 CEST	53	53275	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:19.007266998 CEST	59895	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:19.034389019 CEST	56966	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:19.144714117 CEST	53	56966	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:19.145056963 CEST	53	59895	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.594224930 CEST	63841	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.594480991 CEST	61985	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.595330000 CEST	59516	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.601026058 CEST	53	61985	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.601035118 CEST	53	63841	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.601861000 CEST	55989	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.601959944 CEST	53	59516	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.602477074 CEST	57824	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.608491898 CEST	53	55989	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.609635115 CEST	53	57824	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.617539883 CEST	63183	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.618849993 CEST	57699	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.619225025 CEST	59286	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.624780893 CEST	53	63183	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.625422001 CEST	51577	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.625616074 CEST	53	57699	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.626066923 CEST	54504	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.626255989 CEST	53	59286	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.627316952 CEST	57213	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.632188082 CEST	53	51577	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.633233070 CEST	53	54504	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.633702993 CEST	53643	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.633789062 CEST	53	57213	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.634816885 CEST	59787	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.641201019 CEST	53	53643	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.641508102 CEST	53	59787	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.641721964 CEST	53725	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.642051935 CEST	57330	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:20.648571014 CEST	53	57330	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:20.648788929 CEST	53	53725	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:23.029963970 CEST	53	56097	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:30.410248995 CEST	49214	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:30.417115927 CEST	53	49214	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:30.418303013 CEST	50332	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:30.424953938 CEST	53	50332	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.442512035 CEST	56317	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.449197054 CEST	53	56317	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.453708887 CEST	54822	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.455724001 CEST	49911	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.460843086 CEST	53	54822	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.461963892 CEST	58358	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.462306976 CEST	53	49911	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.468851089 CEST	53	58358	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.469305038 CEST	59874	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.476030111 CEST	53	59874	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.487776995 CEST	59520	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.494882107 CEST	53	59520	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.501909971 CEST	59692	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.508801937 CEST	53	59692	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:35.515427113 CEST	61425	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:35.522661924 CEST	53	61425	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:48.617243052 CEST	64716	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:50.881100893 CEST	63382	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:50.888797998 CEST	53	63382	1.1.1.1	192.168.2.6
Oct 8, 2024 08:22:50.889700890 CEST	59769	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:22:50.897521019 CEST	53	59769	1.1.1.1	192.168.2.6
Oct 8, 2024 08:23:05.099375010 CEST	63219	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:23:05.106544018 CEST	53	63219	1.1.1.1	192.168.2.6
Oct 8, 2024 08:23:05.587091923 CEST	49712	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:23:31.384426117 CEST	60655	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:23:31.391580105 CEST	53	60655	1.1.1.1	192.168.2.6
Oct 8, 2024 08:23:31.392457962 CEST	61510	53	192.168.2.6	1.1.1.1
Oct 8, 2024 08:23:31.399482965 CEST	53	61510	1.1.1.1	192.168.2.6
Oct 8, 2024 08:23:31.878796101 CEST	57575	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 08:22:07.936463118 CEST	192.168.2.6	1.1.1.1	0x9a56	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.942192078 CEST	192.168.2.6	1.1.1.1	0x1f72	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.962291002 CEST	192.168.2.6	1.1.1.1	0x3879	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.962441921 CEST	192.168.2.6	1.1.1.1	0xe55e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.962569952 CEST	192.168.2.6	1.1.1.1	0x3e3c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.977876902 CEST	192.168.2.6	1.1.1.1	0x7b26	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:07.979037046 CEST	192.168.2.6	1.1.1.1	0x546f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:07.979316950 CEST	192.168.2.6	1.1.1.1	0xfbb9	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:08.860614061 CEST	192.168.2.6	1.1.1.1	0x5dc1	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.861171961 CEST	192.168.2.6	1.1.1.1	0x22e6	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.871638060 CEST	192.168.2.6	1.1.1.1	0xf49b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.882920980 CEST	192.168.2.6	1.1.1.1	0x58c6	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.894608974 CEST	192.168.2.6	1.1.1.1	0xc411	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.903601885 CEST	192.168.2.6	1.1.1.1	0xdfa0	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:08.908478975 CEST	192.168.2.6	1.1.1.1	0xa2d4	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.921948910 CEST	192.168.2.6	1.1.1.1	0xa226	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.923641920 CEST	192.168.2.6	1.1.1.1	0x9979	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.942466974 CEST	192.168.2.6	1.1.1.1	0x2227	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:08.946299076 CEST	192.168.2.6	1.1.1.1	0xaac4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:09.086617947 CEST	192.168.2.6	1.1.1.1	0xba6f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:09.095488071 CEST	192.168.2.6	1.1.1.1	0x5579	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:09.103121996 CEST	192.168.2.6	1.1.1.1	0xa069	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:09.430629969 CEST	192.168.2.6	1.1.1.1	0xcd7	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:10.582179070 CEST	192.168.2.6	1.1.1.1	0xe3b5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:10.590519905 CEST	192.168.2.6	1.1.1.1	0x50a6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:10.598418951 CEST	192.168.2.6	1.1.1.1	0x832e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:12.771852016 CEST	192.168.2.6	1.1.1.1	0xdb48	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:12.780170918 CEST	192.168.2.6	1.1.1.1	0x2091	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:12.792432070 CEST	192.168.2.6	1.1.1.1	0xe3eb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:13.631753922 CEST	192.168.2.6	1.1.1.1	0x21af	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.642476082 CEST	192.168.2.6	1.1.1.1	0xb2ee	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.650008917 CEST	192.168.2.6	1.1.1.1	0x45bd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.651968956 CEST	192.168.2.6	1.1.1.1	0xec2e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:13.659261942 CEST	192.168.2.6	1.1.1.1	0x8fe8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:14.670897007 CEST	192.168.2.6	1.1.1.1	0x8fe8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:19.007266998 CEST	192.168.2.6	1.1.1.1	0x48c5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:19.034389019 CEST	192.168.2.6	1.1.1.1	0x66cc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:20.594224930 CEST	192.168.2.6	1.1.1.1	0x4fba	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.594480991 CEST	192.168.2.6	1.1.1.1	0x686f	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.595330000 CEST	192.168.2.6	1.1.1.1	0xf18d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601861000 CEST	192.168.2.6	1.1.1.1	0x59a	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.602477074 CEST	192.168.2.6	1.1.1.1	0x472b	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.617539883 CEST	192.168.2.6	1.1.1.1	0xa1f2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:20.618849993 CEST	192.168.2.6	1.1.1.1	0xf622	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.619225025 CEST	192.168.2.6	1.1.1.1	0xcd2c	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:20.625422001 CEST	192.168.2.6	1.1.1.1	0xd0d7	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.626066923 CEST	192.168.2.6	1.1.1.1	0xa891	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 8, 2024 08:22:20.627316952 CEST	192.168.2.6	1.1.1.1	0xd2bb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.633702993 CEST	192.168.2.6	1.1.1.1	0x7a43	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.634816885 CEST	192.168.2.6	1.1.1.1	0xaa6e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641721964 CEST	192.168.2.6	1.1.1.1	0x6083	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:20.642051935 CEST	192.168.2.6	1.1.1.1	0x813e	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:30.410248995 CEST	192.168.2.6	1.1.1.1	0x3720	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:30.418303013 CEST	192.168.2.6	1.1.1.1	0xc3d7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:35.442512035 CEST	192.168.2.6	1.1.1.1	0x3048	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.453708887 CEST	192.168.2.6	1.1.1.1	0xbc7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.455724001 CEST	192.168.2.6	1.1.1.1	0xaca1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 08:22:35.461963892 CEST	192.168.2.6	1.1.1.1	0x6f69	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.469305038 CEST	192.168.2.6	1.1.1.1	0x1f7e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 8, 2024 08:22:35.487776995 CEST	192.168.2.6	1.1.1.1	0xebb2	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.501909971 CEST	192.168.2.6	1.1.1.1	0x96b0	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.515427113 CEST	192.168.2.6	1.1.1.1	0x67a9	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:22:48.617243052 CEST	192.168.2.6	1.1.1.1	0x87e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:50.881100893 CEST	192.168.2.6	1.1.1.1	0x9e9f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:50.889700890 CEST	192.168.2.6	1.1.1.1	0xd1b9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:23:05.099375010 CEST	192.168.2.6	1.1.1.1	0x315c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:23:05.587091923 CEST	192.168.2.6	1.1.1.1	0xe630	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:31.384426117 CEST	192.168.2.6	1.1.1.1	0xcac	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:31.392457962 CEST	192.168.2.6	1.1.1.1	0x7159	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 08:23:31.878796101 CEST	192.168.2.6	1.1.1.1	0xf8d1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 08:22:07.943376064 CEST	1.1.1.1	192.168.2.6	0x7843	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.944638968 CEST	1.1.1.1	192.168.2.6	0x9a56	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.948776960 CEST	1.1.1.1	192.168.2.6	0x1f72	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:07.948776960 CEST	1.1.1.1	192.168.2.6	0x1f72	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.969043970 CEST	1.1.1.1	192.168.2.6	0x3879	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.969347954 CEST	1.1.1.1	192.168.2.6	0x3e3c	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.969362020 CEST	1.1.1.1	192.168.2.6	0xe55e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:07.984534025 CEST	1.1.1.1	192.168.2.6	0x7b26	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 08:22:07.985944033 CEST	1.1.1.1	192.168.2.6	0x546f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:08.867464066 CEST	1.1.1.1	192.168.2.6	0x5dc1	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.867739916 CEST	1.1.1.1	192.168.2.6	0x22e6	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.867739916 CEST	1.1.1.1	192.168.2.6	0x22e6	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.878895998 CEST	1.1.1.1	192.168.2.6	0xf49b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.889636993 CEST	1.1.1.1	192.168.2.6	0x58c6	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.901249886 CEST	1.1.1.1	192.168.2.6	0xc411	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:08.901249886 CEST	1.1.1.1	192.168.2.6	0xc411	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.912394047 CEST	1.1.1.1	192.168.2.6	0x9aa9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:08.912394047 CEST	1.1.1.1	192.168.2.6	0x9aa9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.914964914 CEST	1.1.1.1	192.168.2.6	0xa2d4	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:08.914964914 CEST	1.1.1.1	192.168.2.6	0xa2d4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.928550959 CEST	1.1.1.1	192.168.2.6	0xa226	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:08.930756092 CEST	1.1.1.1	192.168.2.6	0x9979	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:09.094510078 CEST	1.1.1.1	192.168.2.6	0xba6f	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:09.094510078 CEST	1.1.1.1	192.168.2.6	0xba6f	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:09.094510078 CEST	1.1.1.1	192.168.2.6	0xba6f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:09.102317095 CEST	1.1.1.1	192.168.2.6	0x5579	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:09.118551970 CEST	1.1.1.1	192.168.2.6	0xa069	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 08:22:09.438085079 CEST	1.1.1.1	192.168.2.6	0xcd7	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:10.589376926 CEST	1.1.1.1	192.168.2.6	0xe3b5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:10.597368956 CEST	1.1.1.1	192.168.2.6	0x50a6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:12.779232025 CEST	1.1.1.1	192.168.2.6	0xdb48	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:12.779232025 CEST	1.1.1.1	192.168.2.6	0xdb48	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:12.779232025 CEST	1.1.1.1	192.168.2.6	0xdb48	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:12.787307978 CEST	1.1.1.1	192.168.2.6	0x2091	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.632953882 CEST	1.1.1.1	192.168.2.6	0x7829	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:13.632953882 CEST	1.1.1.1	192.168.2.6	0x7829	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.638503075 CEST	1.1.1.1	192.168.2.6	0x21af	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:13.638503075 CEST	1.1.1.1	192.168.2.6	0x21af	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.647136927 CEST	1.1.1.1	192.168.2.6	0x4519	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.649157047 CEST	1.1.1.1	192.168.2.6	0xb2ee	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:13.656893015 CEST	1.1.1.1	192.168.2.6	0x45bd	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:19.144855022 CEST	1.1.1.1	192.168.2.6	0xff20	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601026058 CEST	1.1.1.1	192.168.2.6	0x686f	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601026058 CEST	1.1.1.1	192.168.2.6	0x686f	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601035118 CEST	1.1.1.1	192.168.2.6	0x4fba	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601959944 CEST	1.1.1.1	192.168.2.6	0xf18d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:20.601959944 CEST	1.1.1.1	192.168.2.6	0xf18d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.608491898 CEST	1.1.1.1	192.168.2.6	0x59a	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.609635115 CEST	1.1.1.1	192.168.2.6	0x472b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.624780893 CEST	1.1.1.1	192.168.2.6	0xa1f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.624780893 CEST	1.1.1.1	192.168.2.6	0xa1f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.624780893 CEST	1.1.1.1	192.168.2.6	0xa1f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.624780893 CEST	1.1.1.1	192.168.2.6	0xa1f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.625616074 CEST	1.1.1.1	192.168.2.6	0xf622	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.626255989 CEST	1.1.1.1	192.168.2.6	0xcd2c	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.632188082 CEST	1.1.1.1	192.168.2.6	0xd0d7	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:20.632188082 CEST	1.1.1.1	192.168.2.6	0xd0d7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.632188082 CEST	1.1.1.1	192.168.2.6	0xd0d7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.632188082 CEST	1.1.1.1	192.168.2.6	0xd0d7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.632188082 CEST	1.1.1.1	192.168.2.6	0xd0d7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.633233070 CEST	1.1.1.1	192.168.2.6	0xa891	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 8, 2024 08:22:20.633789062 CEST	1.1.1.1	192.168.2.6	0xd2bb	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641201019 CEST	1.1.1.1	192.168.2.6	0x7a43	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641201019 CEST	1.1.1.1	192.168.2.6	0x7a43	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641201019 CEST	1.1.1.1	192.168.2.6	0x7a43	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641201019 CEST	1.1.1.1	192.168.2.6	0x7a43	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:20.641508102 CEST	1.1.1.1	192.168.2.6	0xaa6e	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:30.417115927 CEST	1.1.1.1	192.168.2.6	0x3720	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.448179007 CEST	1.1.1.1	192.168.2.6	0xd661	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:35.448179007 CEST	1.1.1.1	192.168.2.6	0xd661	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.449197054 CEST	1.1.1.1	192.168.2.6	0x3048	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.460843086 CEST	1.1.1.1	192.168.2.6	0xbc7	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.460843086 CEST	1.1.1.1	192.168.2.6	0xbc7	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.460843086 CEST	1.1.1.1	192.168.2.6	0xbc7	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.460843086 CEST	1.1.1.1	192.168.2.6	0xbc7	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.468851089 CEST	1.1.1.1	192.168.2.6	0x6f69	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.468851089 CEST	1.1.1.1	192.168.2.6	0x6f69	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.468851089 CEST	1.1.1.1	192.168.2.6	0x6f69	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.468851089 CEST	1.1.1.1	192.168.2.6	0x6f69	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.494882107 CEST	1.1.1.1	192.168.2.6	0xebb2	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:35.494882107 CEST	1.1.1.1	192.168.2.6	0xebb2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:35.508801937 CEST	1.1.1.1	192.168.2.6	0x96b0	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:36.936259031 CEST	1.1.1.1	192.168.2.6	0x64b8	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:36.936259031 CEST	1.1.1.1	192.168.2.6	0x64b8	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:48.623907089 CEST	1.1.1.1	192.168.2.6	0x87e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:22:48.623907089 CEST	1.1.1.1	192.168.2.6	0x87e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:22:50.888797998 CEST	1.1.1.1	192.168.2.6	0x9e9f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:05.096856117 CEST	1.1.1.1	192.168.2.6	0x6a7c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:05.593899965 CEST	1.1.1.1	192.168.2.6	0xe630	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:23:05.593899965 CEST	1.1.1.1	192.168.2.6	0xe630	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:31.391580105 CEST	1.1.1.1	192.168.2.6	0xcac	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 08:23:31.885705948 CEST	1.1.1.1	192.168.2.6	0xf8d1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 08:23:31.885705948 CEST	1.1.1.1	192.168.2.6	0xf8d1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	34.107.221.82	80	4592	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 08:22:08.000132084 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:08.444052935 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 00:31:58 GMT Age: 21010 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:09.286123037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:09.380193949 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 00:31:58 GMT Age: 21011 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49725	34.107.221.82	80	4592	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 08:22:08.913660049 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:09.355118990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 10:24:18 GMT Age: 71871 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49732	34.107.221.82	80	4592	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 08:22:09.520639896 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:09.974801064 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79123 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:10.630084038 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:10.726433992 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79124 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:12.767406940 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:12.864094019 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79126 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:17.938950062 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:18.035358906 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79131 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:19.321191072 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:19.417609930 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79133 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:20.773597002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:20.870055914 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79134 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:25.232214928 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:25.328803062 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79139 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:30.980444908 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:31.077218056 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79145 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:36.016343117 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:36.113249063 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79150 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:36.560483932 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:36.656682014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79150 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:37.025412083 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:37.121603012 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79151 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:47.136126995 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:22:48.716667891 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:48.816237926 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79162 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:22:51.481338978 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:22:51.577975035 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79165 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:23:01.578995943 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:05.716186047 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:23:05.816072941 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79179 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:23:06.136282921 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:23:06.232374907 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79180 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:23:16.237409115 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:26.251152992 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:31.979629040 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 08:23:32.076800108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 07 Oct 2024 08:23:26 GMT Age: 79206 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 08:23:42.096776962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:52.104006052 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:24:02.118067026 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:24:12.130223989 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49734	34.107.221.82	80	4592	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 08:22:09.724672079 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:10.179045916 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71898 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:10.629878044 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:10.726402044 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71898 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:13.646864891 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:14.698081970 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:14.700903893 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:14.701000929 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:14.701054096 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:19.001219034 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:19.235105991 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71907 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:20.596386909 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:20.692740917 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71908 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:25.131877899 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:25.228688955 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:30.879165888 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:30.975688934 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71918 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:35.917736053 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:36.014034986 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71923 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:36.244499922 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:36.555200100 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71924 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:36.924407005 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:37.021255016 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71924 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:47.036073923 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:22:48.617352009 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:48.714083910 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71936 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:22:51.381234884 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:22:51.477948904 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71939 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:23:01.494473934 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:05.587421894 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:23:05.684261084 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71953 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:23:06.037045002 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:23:06.133382082 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71954 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:23:16.140557051 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:26.150887966 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:31.878655910 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 08:23:31.975827932 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 07 Oct 2024 10:23:52 GMT Age: 71979 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 08:23:41.996737003 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:23:52.003819942 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:24:02.017904043 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 08:24:12.029953957 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:22:02
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xec0000
File size:	919'040 bytes
MD5 hash:	A285F5909B06CA67637548EEF1EBF393
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:22:02
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:22:03
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:22:03
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:22:03
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb25bf00-0e92-4224-8617-766308d235c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 26970770310 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:22:05
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -parentBuildID 20230927232528 -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82f38b1-d4a1-4ab0-a36f-7b88e5e27983} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 2697077f610 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:22:12
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ecbc6d-5389-4c38-a915-fc420e42cf97} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" 269880d3710 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1505
Total number of Limit Nodes:	65

Executed Functions

Function 00EC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EC430D

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

GetCurrentProcess.KERNEL32(?,00F5CB64,00000000,?,?), ref: 00EC4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00EC4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00EC4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EC4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00EC4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00EC447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00EC44A0

Strings

|O, xrefs: 00F036F8
kernel32.dll, xrefs: 00EC444F
GetNativeSystemInfo, xrefs: 00EC4460

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 770f47040dd9cb41b9cb2c4af68c4a8d0fe21a864950f43b4c6d67f448740bef
Instruction ID: 7b8041a03b264d29a9f5a2ca9ae3fe436c0dc435d8271582ff956d9c417f6140
Opcode Fuzzy Hash: 770f47040dd9cb41b9cb2c4af68c4a8d0fe21a864950f43b4c6d67f448740bef
Instruction Fuzzy Hash: C4A1D5A590A3CEDFC716C7B97D40EE53FB87B26300B1854BFE481A3AA1D2214509FB61

Function 00EC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EC50AA,?,?,00000000,00000000), ref: 00EC42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EC50AA,?,?,00000000,00000000), ref: 00EC42C9
LoadResource.KERNEL32(?,00000000,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20), ref: 00F035BE
SizeofResource.KERNEL32(?,00000000,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20), ref: 00F035D3
LockResource.KERNEL32(00EC50AA,?,?,00EC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EC4F20,?), ref: 00F035E6

Strings

SCRIPT, xrefs: 00EC42BF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b9806228d57eb89911516244d1a2af71a0dfcd8428db223b0f2ba3610c8f6e70
Instruction ID: 8224779bba72b8fce58713118f850d23cad95c10be55db304379d0a9e4c1c8fb
Opcode Fuzzy Hash: b9806228d57eb89911516244d1a2af71a0dfcd8428db223b0f2ba3610c8f6e70
Instruction Fuzzy Hash: 0411ACB0200304BFD7259B65DD49F677BB9EBC5B52F20416DF903962A0DB72D800E660

Function 00F02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00EC2B6B

Part of subcall function 00EC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F91418,?,00EC2E7F,?,?,?,00000000), ref: 00EC3A78

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F82224), ref: 00F02C10
ShellExecuteW.SHELL32(00000000,?,?,00F82224), ref: 00F02C17

Strings

runas, xrefs: 00F02C0B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 0fbf00e4ea88b78d1f8f7327bbd6705b455c114ddc9f71b36d30300abb07a121
Instruction ID: 7d81b6138e07724e89e635e1eb039333ae0b4aabc647a7dd851eb166e335b32a
Opcode Fuzzy Hash: 0fbf00e4ea88b78d1f8f7327bbd6705b455c114ddc9f71b36d30300abb07a121
Instruction Fuzzy Hash: 1511A2312083455AC714FF74DA55FAEBBE4AB95710F44643DF252620A3CF228A4BA752

Function 00EE4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002,00000000,?,00EF28E9,00000003,00EF2DF7,?,?), ref: 00EE4D09
TerminateProcess.KERNEL32(00000000,?,00EF28E9,00000003,00EF2DF7,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000), ref: 00EE4D10
ExitProcess.KERNEL32 ref: 00EE4D22

Strings

(, xrefs: 00EE4CEA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: af2d7eb4523c26d0074b5335a915d8b5ffc967571330c15c5235b6f837448c59
Instruction ID: 203ab839a6113e0dd6ea599c924eea04e6696d08d962c963ead95ad45a08e691
Opcode Fuzzy Hash: af2d7eb4523c26d0074b5335a915d8b5ffc967571330c15c5235b6f837448c59
Instruction Fuzzy Hash: 71E0B6B100078CAFCF11AF65DD09A583F69EF81786B105054FE06EA263CB35DD42DA80

Function 00F2D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F2D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F2D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F2D52F
CloseHandle.KERNELBASE(00000000), ref: 00F2D5DC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 08179218d81bd420c325cb58cf9ddba374461ebc2c65e15e7f0afc0718986d86
Instruction ID: 2f2904af8aa2de80a7199241fadd44fc7ac37bc071a6a765763937eec8c39ae5
Opcode Fuzzy Hash: 08179218d81bd420c325cb58cf9ddba374461ebc2c65e15e7f0afc0718986d86
Instruction Fuzzy Hash: 6D318D720083049FD304EF54D886EAFBBE8EF99354F14092DF582931A2EB719945DBA2

Function 00F2DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F05222), ref: 00F2DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F2DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00F2DBEE
FindClose.KERNEL32(00000000), ref: 00F2DBFA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: a806e110d6743ccf12622a06ccd93601fa7f3550b30f0d2c90b93e054c9ee139
Instruction ID: cfb9e3cfbb51aa01da5140d4eb6fc409e6301a9bc3d7aee89aea324f3e814f8c
Opcode Fuzzy Hash: a806e110d6743ccf12622a06ccd93601fa7f3550b30f0d2c90b93e054c9ee139
Instruction Fuzzy Hash: 1FF0A031850B285B82206B78AC0D8AA3B6C9E01336B104702F936D20E0EBB05954E6D6

Function 00F4AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00F4B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B1D4
_wcslen.LIBCMT ref: 00F4B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4B236
_wcslen.LIBCMT ref: 00F4B332

Part of subcall function 00F305A7: GetStdHandle.KERNEL32(000000F6), ref: 00F305C6

_wcslen.LIBCMT ref: 00F4B34B
_wcslen.LIBCMT ref: 00F4B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F4B3B6
GetLastError.KERNEL32(00000000), ref: 00F4B407
CloseHandle.KERNEL32(?), ref: 00F4B439
CloseHandle.KERNEL32(00000000), ref: 00F4B44A
CloseHandle.KERNEL32(00000000), ref: 00F4B45C
CloseHandle.KERNEL32(00000000), ref: 00F4B46E
CloseHandle.KERNEL32(?), ref: 00F4B4E3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2896b8ae7d4fb239aafb8ededa66d7de8889b588063ffbfd2749052432a26ebd
Instruction ID: df38287776780252d8a62fae6eb44ad09565eea8c1da359816b21d48d020ff7d
Opcode Fuzzy Hash: 2896b8ae7d4fb239aafb8ededa66d7de8889b588063ffbfd2749052432a26ebd
Instruction Fuzzy Hash: B0F1AF31908340DFC714EF24C891B6EBBE5AF85324F14855DF89A9B2A2DB31EC45DB92

Function 00ECD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00ECD807
timeGetTime.WINMM ref: 00ECDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ECDB28
TranslateMessage.USER32(?), ref: 00ECDB7B
DispatchMessageW.USER32(?), ref: 00ECDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ECDB9F
Sleep.KERNELBASE(0000000A), ref: 00ECDBB1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 424d3c029e61f61616999fdb0a5c641983e06d8f584a4196c984faa7b0cfac24
Instruction ID: 35840316ef51c69f9d9fbc0f53b2c5607b8f2190274e4993d2a20fbbd9e728c4
Opcode Fuzzy Hash: 424d3c029e61f61616999fdb0a5c641983e06d8f584a4196c984faa7b0cfac24
Instruction Fuzzy Hash: F6422130608341AFD728CF24CD84FAAB7E0FF85314F14552EE556A7291D772E896EB82

Function 00EC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EC2D07
RegisterClassExW.USER32(00000030), ref: 00EC2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC2D42
InitCommonControlsEx.COMCTL32(?), ref: 00EC2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC2D6F
LoadIconW.USER32(000000A9), ref: 00EC2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC2D94

Strings

+, xrefs: 00EC2CF0
TaskbarCreated, xrefs: 00EC2D37
0, xrefs: 00EC2CE9
AutoIt v3 GUI, xrefs: 00EC2D23

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 09e34aa8e8e6a80e1d9ea8ccff8e12e1f1e340bf37d086b32474636808e9c3c9
Instruction ID: ce6fe701a1a8499821dbd38a4ee3bd2319d3b14cd6e22ddeb1c54945d6e734e7
Opcode Fuzzy Hash: 09e34aa8e8e6a80e1d9ea8ccff8e12e1f1e340bf37d086b32474636808e9c3c9
Instruction Fuzzy Hash: 7921C3B590131DAFDB00DFA4EC49BDDBBB4FB08701F10412AFA12A62A0D7B54544EF91

Function 00F0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F0039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F00704,?,?,00000000,?,00F00704,00000000,0000000C), ref: 00F003B7

GetLastError.KERNEL32 ref: 00F0076F
__dosmaperr.LIBCMT ref: 00F00776
GetFileType.KERNELBASE(00000000), ref: 00F00782
GetLastError.KERNEL32 ref: 00F0078C
__dosmaperr.LIBCMT ref: 00F00795
CloseHandle.KERNEL32(00000000), ref: 00F007B5
CloseHandle.KERNEL32(?), ref: 00F008FF
GetLastError.KERNEL32 ref: 00F00931
__dosmaperr.LIBCMT ref: 00F00938

Strings

H, xrefs: 00F008BD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 052a13f9734581dd395c0e9d77fec2145187b9a9e997a9926eef5cce2197aa2d
Instruction ID: d4918b6a7401cf235c45546c172e5d2118533ef5ab37d89ec2939715bf497cfe
Opcode Fuzzy Hash: 052a13f9734581dd395c0e9d77fec2145187b9a9e997a9926eef5cce2197aa2d
Instruction Fuzzy Hash: E2A14732A001488FDF19EF68DC51BAD3BE1EB46324F14415AF815AB3E1DB359D12EB91

Function 00EC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F91418,?,00EC2E7F,?,?,?,00000000), ref: 00EC3A78

Part of subcall function 00EC3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EC3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EC356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F0318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F031CE
RegCloseKey.ADVAPI32(?), ref: 00F03210
_wcslen.LIBCMT ref: 00F03277
_wcslen.LIBCMT ref: 00F03286

Strings

\Include\, xrefs: 00EC3527
Software\AutoIt v3\AutoIt, xrefs: 00EC3560
Include, xrefs: 00F03184, 00F031C5
\, xrefs: 00F0328C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e845927cad76b7eed83ecc9d23cd123c918bbb8b5ab86c8d20558fc0d6ffab08
Instruction ID: eec8229ca00aafc53b6857671f78049bb0a0bfce056748faebfc57ad24dfe8d9
Opcode Fuzzy Hash: e845927cad76b7eed83ecc9d23cd123c918bbb8b5ab86c8d20558fc0d6ffab08
Instruction Fuzzy Hash: 7971C171405304AEC354DF69EC82DAFBBE8FF85350F40192EF545A31A1EB319A49EB92

Function 00EC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EC2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00EC2B9D
LoadIconW.USER32(00000063), ref: 00EC2BB3
LoadIconW.USER32(000000A4), ref: 00EC2BC5
LoadIconW.USER32(000000A2), ref: 00EC2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EC2BEF
RegisterClassExW.USER32(?), ref: 00EC2C40

Part of subcall function 00EC2CD4: GetSysColorBrush.USER32(0000000F), ref: 00EC2D07
Part of subcall function 00EC2CD4: RegisterClassExW.USER32(00000030), ref: 00EC2D31
Part of subcall function 00EC2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC2D42
Part of subcall function 00EC2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00EC2D5F
Part of subcall function 00EC2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC2D6F
Part of subcall function 00EC2CD4: LoadIconW.USER32(000000A9), ref: 00EC2D85
Part of subcall function 00EC2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC2D94

Strings

#, xrefs: 00EC2C16
AutoIt v3, xrefs: 00EC2C2F
0, xrefs: 00EC2C0F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 811c863c8adc2d6a0d1dfd9205c9711cc7aa01185f57681dc1c315009e38c55b
Instruction ID: 4c53af011fa4056a39c2a1fcd0b54ba154f39443e861b6d98badfd2188461c5b
Opcode Fuzzy Hash: 811c863c8adc2d6a0d1dfd9205c9711cc7aa01185f57681dc1c315009e38c55b
Instruction Fuzzy Hash: 14211870E0031DAFDB119FA5EC55FAA7FB4FB48B50F04412BE605A66A0D7B20540EF90

Function 00EC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00EC316A,?,?), ref: 00EC31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00EC316A,?,?), ref: 00EC3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EC3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00EC316A,?,?), ref: 00EC3232
CreatePopupMenu.USER32 ref: 00EC3246
PostQuitMessage.USER32(00000000), ref: 00EC3267

Strings

TaskbarCreated, xrefs: 00EC322D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b82651809ad3592536598b857c9efde631b0cce31359879399b486fd57a7998a
Instruction ID: 94609698ac968be3d7aed0d5d1a8d5a96d69e28cc81c917aed074e8a4c8e9ba4
Opcode Fuzzy Hash: b82651809ad3592536598b857c9efde631b0cce31359879399b486fd57a7998a
Instruction Fuzzy Hash: 23412931644309AEDF191B78DE0EFF93A65F705355F08912EF602A55A2C7638E03BBA1

Function 00EC1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EC1459
CoUninitialize.COMBASE ref: 00EC14F8
UnregisterHotKey.USER32(?), ref: 00EC16DD
DestroyWindow.USER32(?), ref: 00F024B9
FreeLibrary.KERNEL32(?), ref: 00F0251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F0254B

Strings

close all, xrefs: 00EC1454

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e966565caa6e70836bce80d8ac5e79c84013a6e58db2200be80d96b257813bb6
Instruction ID: e8fc750ba19c59fb954b020f2aeeeffa4f287cb0b6e52a45513f18690a1d8cd3
Opcode Fuzzy Hash: e966565caa6e70836bce80d8ac5e79c84013a6e58db2200be80d96b257813bb6
Instruction Fuzzy Hash: 09D16A316012128FCB19EF14C999F69F7A0BF06710F1451ADE94A7B292CB32AD13EF95

Function 00EC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EC2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EC2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EC1CAD,?), ref: 00EC2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EC1CAD,?), ref: 00EC2CCF

Strings

edit, xrefs: 00EC2CAC
AutoIt v3, xrefs: 00EC2C89, 00EC2C8E, 00EC2C8F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4aa82162819764c6ff02f4dbf284d5b20955588df5d5c371804b6a5273adfe08
Instruction ID: 848547fe7dafec8bb2e51aeca611eb72aac14fd440283a064223839cf5891b80
Opcode Fuzzy Hash: 4aa82162819764c6ff02f4dbf284d5b20955588df5d5c371804b6a5273adfe08
Instruction Fuzzy Hash: DDF0DA755403997EEB311727AC08E773EBDE7CAF51B00006AFA04A35A0C6721854FAB0

Function 00EC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00EC3B0F,SwapMouseButtons,00000004,?), ref: 00EC3B83

Strings

Control Panel\Mouse, xrefs: 00EC3B3E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 42ca7919ba5f9abc8ff6d850c96bc35c7b8a7168a9e192f2f169d7eee38001bc
Instruction ID: b44384c850941454afa2da01916897c980f7d69aca7c12bc7622148c181b10c2
Opcode Fuzzy Hash: 42ca7919ba5f9abc8ff6d850c96bc35c7b8a7168a9e192f2f169d7eee38001bc
Instruction Fuzzy Hash: 91112AB5510308FFDB208FA5DD44EEFBBB9EF04755B109459B906E7110D2329E41ABA0

Function 00EC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F033A2

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EC3A04

Strings

Line: , xrefs: 00F033EB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f63ef383e8856c5c1559a45b7423d2e5478b84bd0e3ead73e66c5fda1256bdd6
Instruction ID: 3a79be48c48cc376ced9ab316cb193d36a59dc2dd913c1a33b2a9c3f38730942
Opcode Fuzzy Hash: f63ef383e8856c5c1559a45b7423d2e5478b84bd0e3ead73e66c5fda1256bdd6
Instruction Fuzzy Hash: 2731F471908305AAD724EB20DC45FEFB3E8AB84714F00992EF599A30D1DB719A4AD7C2

Function 00EDFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00EE0668

Part of subcall function 00EE32A4: RaiseException.KERNEL32(?,?,?,00EE068A,?,00F91444,?,?,?,?,?,?,00EE068A,00EC1129,00F88738,00EC1129), ref: 00EE3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00EE0685

Strings

Unknown exception, xrefs: 00EE0692

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5b6e5643c629bf7d510b4ea8b2a86560907a5e2ea9b0b571512ca75da7e778ba
Instruction ID: 1215e6b10ba8a1ae87d240cc74259b8799c7bdb126493f74749d0edcc0894eff
Opcode Fuzzy Hash: 5b6e5643c629bf7d510b4ea8b2a86560907a5e2ea9b0b571512ca75da7e778ba
Instruction Fuzzy Hash: E1F04C3080028D73CB00F676D846E9E77BD9E00344BA05031F914F65E1EFB0DA5AC6C1

Function 00EC10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC1BF4
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC1BFC
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC1C07
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC1C12
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC1C1A
Part of subcall function 00EC1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC1C22

Part of subcall function 00EC1B4A: RegisterWindowMessageW.USER32(00000004,?,00EC12C4), ref: 00EC1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EC136A
OleInitialize.OLE32 ref: 00EC1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F024AB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 44f618d36162f99b59d9e1a1e7addea6d05db673babd1a84bb400c0d6a388b99
Instruction ID: 8a96f1fb48a9411e339804837f06587a2bce2912980d1d64bd69c41485266072
Opcode Fuzzy Hash: 44f618d36162f99b59d9e1a1e7addea6d05db673babd1a84bb400c0d6a388b99
Instruction Fuzzy Hash: FC71BAB490130A8FD785DF7AAE45A593AE0FB8934435A923FD51AD7362EB304406FF81

Function 00F2C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EC3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F2C259
KillTimer.USER32(?,00000001,?,?), ref: 00F2C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F2C270

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: bfe14ca3c7901319914eb5fa7e1ac2b57dcaaa73bf397ce5429dd4a2a879f8b7
Instruction ID: eb3f667471e2489ddd0e4ccb56335ca3ce30e232b66d7a9f5fdde160231aa981
Opcode Fuzzy Hash: bfe14ca3c7901319914eb5fa7e1ac2b57dcaaa73bf397ce5429dd4a2a879f8b7
Instruction Fuzzy Hash: 9B31C571904354AFEB32CF649855BEBBBECAF06304F00049ED2DAA3281C7745A84DB91

Function 00EF86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EF85CC,?,00F88CC8,0000000C), ref: 00EF8704
GetLastError.KERNEL32(?,00EF85CC,?,00F88CC8,0000000C), ref: 00EF870E
__dosmaperr.LIBCMT ref: 00EF8739

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 672ae803b42872011b94cd5de7dde541f9655a6def07b2d14a4150845c9ed7ce
Instruction ID: 0eed68accd4d67f6f3b160a0b85e7767b20954feabf7a9df3503ef3b01bad3ba
Opcode Fuzzy Hash: 672ae803b42872011b94cd5de7dde541f9655a6def07b2d14a4150845c9ed7ce
Instruction Fuzzy Hash: B2016F3360562C1AD22063346A4977E37C58B9277DF36211AFB04FB0D2DE608C818190

Function 00ECDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00ECDB7B
DispatchMessageW.USER32(?), ref: 00ECDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ECDB9F
Sleep.KERNELBASE(0000000A), ref: 00ECDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00F11CC9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 83b204618f94659d88d7f236b61b4f621234de1f1314b446319389598b31d6d4
Instruction ID: 3b5ce774b8230ef5de318327cc56fc2895a96cbc84ef08940987872c9e70ed6b
Opcode Fuzzy Hash: 83b204618f94659d88d7f236b61b4f621234de1f1314b446319389598b31d6d4
Instruction Fuzzy Hash: 88F054305443459BE734C760DC49FDA73A8FB44311F105529E70A930C0DB319489AB55

Function 00ED1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00ED17F6

Strings

CALL, xrefs: 00ED17C6

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0a11dec6044266345005ff6cd9612040a2c96167719056594c5ddf1f889d08d7
Instruction ID: 995606cc13fce4e7277d8c17b5ca58169bd063c5963728377640ff773f03c2b8
Opcode Fuzzy Hash: 0a11dec6044266345005ff6cd9612040a2c96167719056594c5ddf1f889d08d7
Instruction Fuzzy Hash: 57227B70608241AFC714DF14C480B6ABBF1FF85314F18999EF496AB3A1D736E886DB52

Function 00EC2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F02C8C

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00EC2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC2DC4

Strings

X, xrefs: 00F02C5A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5b6ac8e4c43b932c453ce8b0b3fe717b6a11f564809dba229a7ce1b51cb951f8
Instruction ID: 5fefa688b6eb5a5d3e490069baebd60e5d946d383835a24cea193b48dc4e58f2
Opcode Fuzzy Hash: 5b6ac8e4c43b932c453ce8b0b3fe717b6a11f564809dba229a7ce1b51cb951f8
Instruction Fuzzy Hash: 4D219371E002589FDB41EF94C949BEE7BF8AF48314F00805DE505FB281DBB55A4A9FA1

Function 00EC3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC3908

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3501207d821a6747158ffab584bc0d62405ee928f5087f2c62ba0e4624cf8dc2
Instruction ID: 2c7aad236c7970a507af1325e2fa9489c40550b36abf2b58e6034583cd05ef46
Opcode Fuzzy Hash: 3501207d821a6747158ffab584bc0d62405ee928f5087f2c62ba0e4624cf8dc2
Instruction Fuzzy Hash: 0D3193719043059FD721DF34D985B97BBF8FB49708F00092EF59A93290E772AA44DB92

Function 00EDF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EDF661

Part of subcall function 00ECD730: GetInputState.USER32 ref: 00ECD807

Sleep.KERNEL32(00000000), ref: 00F1F2DE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 249c05dc6fc5f4668541ecaff9673e56e28b91448008f9f322c21fee2bb34efc
Instruction ID: 137e6e5b2ac97972b7770abdd25bc566b369a2402e00b593e656123061b6a649
Opcode Fuzzy Hash: 249c05dc6fc5f4668541ecaff9673e56e28b91448008f9f322c21fee2bb34efc
Instruction Fuzzy Hash: 1BF0EC302407049FC300EF29D90AFAAB7E8EF09321F00002AE81AD7360DB70A801CB90

Function 00EC4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E9C
Part of subcall function 00EC4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4EAE
Part of subcall function 00EC4E90: FreeLibrary.KERNEL32(00000000,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EFD

Part of subcall function 00EC4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E62
Part of subcall function 00EC4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EC4E74
Part of subcall function 00EC4E59: FreeLibrary.KERNEL32(00000000,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E87

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 5d4af75c80f379cd4d0ec5c092f971713f0007249284193a884b20f9e772aa27
Instruction ID: 2375b45ab2b3682ff577383e994a6a58ae7bba2b9f7937b48ff55f7a3041cd19
Opcode Fuzzy Hash: 5d4af75c80f379cd4d0ec5c092f971713f0007249284193a884b20f9e772aa27
Instruction Fuzzy Hash: 72112772700305AEDB10EB60DE12FAD77E59F40710F10942DF542BA2C1EE72AA46A790

Function 00EF8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EF8440

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f76123ada1e8aeca1dfde5c26c1154b496ecc65b6ef21389c9c878affc8613bf
Instruction ID: 5f0075ef97e0b96aed26277dc73518e61cd9bd21dd6e3b917dd6a6389ef385d5
Opcode Fuzzy Hash: f76123ada1e8aeca1dfde5c26c1154b496ecc65b6ef21389c9c878affc8613bf
Instruction Fuzzy Hash: 1911487190410EAFCB05DF58E9419AE7BF4EF48304F104059F918AB312DB30DA11CBA4

Function 00EF5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF4C7D: RtlAllocateHeap.NTDLL(00000008,00EC1129,00000000,?,00EF2E29,00000001,00000364,?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?), ref: 00EF4CBE

_free.LIBCMT ref: 00EF506C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 43bafa0bd62c72625e4714adf256e95395ebb7cf87e7c91d2e3c4e181f62cfb4
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 05012B732047095BE3218E65984196AFBE8FB85370F65051DE394A32C0EA706905C674

Function 00EEE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 59c7e065b2e7f46d57ef89c880ebcf143552e09509d9d7a52a73b1b39a79f4ae
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EFF0F432511E5D96DA313A6B9C05BAA33D89F92334F102719F621B33D2DB70D80186A5

Function 00EF4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00EC1129,00000000,?,00EF2E29,00000001,00000364,?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?), ref: 00EF4CBE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d644f2e9c5e91b2466d661bc5206a729a04183b24a57af42ba2d00a42e0ac9e1
Instruction ID: c21f08675f3811978152300968e1a788263e19a8333282e3432a3cab2aa6649d
Opcode Fuzzy Hash: d644f2e9c5e91b2466d661bc5206a729a04183b24a57af42ba2d00a42e0ac9e1
Instruction Fuzzy Hash: 87F0B4B160226C66FB215F63AC05F7BB7D8BF417A5B187121BB15BB2D1CB30D80096E0

Function 00EF3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4c22d37b8b7c5ac295c9c2bb9b40dc1347cbc4b52d17ca51040179ea7033e982
Instruction ID: e368f0e6778fb43d629c07d6616bd73544bba1a0be6896f1e4bbb7c88fb2ad69
Opcode Fuzzy Hash: 4c22d37b8b7c5ac295c9c2bb9b40dc1347cbc4b52d17ca51040179ea7033e982
Instruction Fuzzy Hash: 22E0E5312002ECA6D62526779D00BBA36C8AB427F4F152221BF09B65D1DB19DD0191E0

Function 00EC4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4F6D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 12b1820bc681fc150b55240d3755d5131b90e2d7dd11193aef29f2c2a996b499
Instruction ID: 450e8c6d6187c2a5380ae308d03caff390086c2f28ab95c10a84708947f07aa7
Opcode Fuzzy Hash: 12b1820bc681fc150b55240d3755d5131b90e2d7dd11193aef29f2c2a996b499
Instruction Fuzzy Hash: B4F0A0B0205782CFDB348F20D5A0E52B7E0BF00319310A97EE1DB92650C7329844DF10

Function 00EC30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00EC314E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 34a65faa623b053dec4abd5619efc0651b683a1b3eed52642b15fbed50036ca7
Instruction ID: 3833362fd7db8839d4d3d8ff3ace70fb81013e94cc12a2839c48ef8021d4949e
Opcode Fuzzy Hash: 34a65faa623b053dec4abd5619efc0651b683a1b3eed52642b15fbed50036ca7
Instruction Fuzzy Hash: C3F082709003099FE7529B24DC46B957ABCB70170CF0001EAA248A6181D7704B88CF41

Function 00EC2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC2DC4

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2c2a4024ec217221029fa80efaf2e11f6d11da5be05a09c99c64a06d8778bb85
Instruction ID: 9960ca605e44fbcd5959a1ad2ed248a52588de9a5ac06643017620de2edb8a51
Opcode Fuzzy Hash: 2c2a4024ec217221029fa80efaf2e11f6d11da5be05a09c99c64a06d8778bb85
Instruction Fuzzy Hash: 66E0CD726002245BCB10D3589C05FDA77DDDFC8791F050075FD09E7248D964AD809590

Function 00EC2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EC3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC3908

Part of subcall function 00ECD730: GetInputState.USER32 ref: 00ECD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00EC2B6B

Part of subcall function 00EC30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00EC314E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f610219d2b5ae46b7310165c2edfae0880a3351d0f21867d001ff1e198c60b20
Instruction ID: 1277559b04f5ef2b54e1113baf7d140b8113b303133f6d8b6cab3982fc22e362
Opcode Fuzzy Hash: f610219d2b5ae46b7310165c2edfae0880a3351d0f21867d001ff1e198c60b20
Instruction Fuzzy Hash: D7E0862230434906CA08BB749A56F7DB7D99BD6355F40753EF143A31A3CE2749474291

Function 00F0039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F00704,?,?,00000000,?,00F00704,00000000,0000000C), ref: 00F003B7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a006e44704f0b9e429191c3d7437ce5da3eb34adb5d6576503eb2f5209acdeef
Instruction ID: 81aea5e8a333dc1fc6080a04f77d6ac14860e673010d1df81670e2f69b844476
Opcode Fuzzy Hash: a006e44704f0b9e429191c3d7437ce5da3eb34adb5d6576503eb2f5209acdeef
Instruction Fuzzy Hash: 83D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB90

Function 00EC1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00EC1CBC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4844e6fabc6578a6643fbae6b37921186b6cc0cb3d236bc9b6042707c81c75ea
Instruction ID: 3cf51d46182c1d544826e466779b7632cf37fddaf6d2c113aa089f676d172b0d
Opcode Fuzzy Hash: 4844e6fabc6578a6643fbae6b37921186b6cc0cb3d236bc9b6042707c81c75ea
Instruction Fuzzy Hash: E6C0923A28030DAFF2148BD0BC4AF107764B348B01F488002F70EA95E3D7B22820FA90

Non-executed Functions

Function 00F59576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F5961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F5969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F596C9
SendMessageW.USER32 ref: 00F596F2
GetKeyState.USER32(00000011), ref: 00F5978B
GetKeyState.USER32(00000009), ref: 00F59798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F597AE
GetKeyState.USER32(00000010), ref: 00F597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F597E9
SendMessageW.USER32 ref: 00F59810
SendMessageW.USER32(?,00001030,?,00F57E95), ref: 00F59918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F5992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F59941
SetCapture.USER32(?), ref: 00F5994A
ClientToScreen.USER32(?,?), ref: 00F599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F599D6
ReleaseCapture.USER32 ref: 00F599E1
GetCursorPos.USER32(?), ref: 00F59A19
ScreenToClient.USER32(?,?), ref: 00F59A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F59A80
SendMessageW.USER32 ref: 00F59AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F59AEB
SendMessageW.USER32 ref: 00F59B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F59B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F59B4A
GetCursorPos.USER32(?), ref: 00F59B68
ScreenToClient.USER32(?,?), ref: 00F59B75
GetParent.USER32(?), ref: 00F59B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F59BFA
SendMessageW.USER32 ref: 00F59C2B
ClientToScreen.USER32(?,?), ref: 00F59C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F59CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F59CDE
SendMessageW.USER32 ref: 00F59D01
ClientToScreen.USER32(?,?), ref: 00F59D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F59D82

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

GetWindowLongW.USER32(?,000000F0), ref: 00F59E05

Strings

@GUI_DRAGID, xrefs: 00F5997D
F, xrefs: 00F59D07

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 85ac0bfa8684cda1e79d12d63e9d55c23af0eef7df448f47df2a75049630778c
Instruction ID: 3e80aa832224eb451fe66967b3cce56fb3b5c5ace252ae8af1d0daa47ff29c38
Opcode Fuzzy Hash: 85ac0bfa8684cda1e79d12d63e9d55c23af0eef7df448f47df2a75049630778c
Instruction Fuzzy Hash: 7842BF30608305EFDB29CF24CD44BAABBE5FF49321F14061DFA59872A1D7B19859EB81

Function 00F54873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F54908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F54927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F5494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F5495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F5497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F54A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F54A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F54A7E
IsMenu.USER32(?), ref: 00F54A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F54AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F54B20
GetWindowLongW.USER32(?,000000F0), ref: 00F54B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F54BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F54C82
wsprintfW.USER32 ref: 00F54CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F54CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F54CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F54D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F54D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F54D5A

Strings

%d/%02d/%02d, xrefs: 00F54CA8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ea7adc9e17246e010007273ca2df6b5800b21a318d87e87113469c8e9d7be787
Instruction ID: 1bcfa8383ce873a2070b343d7ca028df6bf3942fa360c9550f94537d71d99aea
Opcode Fuzzy Hash: ea7adc9e17246e010007273ca2df6b5800b21a318d87e87113469c8e9d7be787
Instruction Fuzzy Hash: EE12D371900318ABEB248F28CC49FAE7BF4EF45725F104119FA1AEB2D1D774A985EB50

Function 00EDF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00EDF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1F474
IsIconic.USER32(00000000), ref: 00F1F47D
ShowWindow.USER32(00000000,00000009), ref: 00F1F48A
SetForegroundWindow.USER32(00000000), ref: 00F1F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1F4AA
GetCurrentThreadId.KERNEL32 ref: 00F1F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F1F4DE
SetForegroundWindow.USER32(00000000), ref: 00F1F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F4F6
keybd_event.USER32(00000012,00000000), ref: 00F1F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F50B
keybd_event.USER32(00000012,00000000), ref: 00F1F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F519
keybd_event.USER32(00000012,00000000), ref: 00F1F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1F528
keybd_event.USER32(00000012,00000000), ref: 00F1F52D
SetForegroundWindow.USER32(00000000), ref: 00F1F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F1F557

Strings

Shell_TrayWnd, xrefs: 00F1F46F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: da269b133a309274a333a981ec4acbfddb65e2df1351eefd6127bcc49787ce07
Instruction ID: 015f58d127646292220780adfd4f0bd848a64983d91921bfaf40a5228d330b02
Opcode Fuzzy Hash: da269b133a309274a333a981ec4acbfddb65e2df1351eefd6127bcc49787ce07
Instruction Fuzzy Hash: 06318E71A4031CBFEB206BB59C4AFBF7E6DEB44B61F140065FB06E61D1D6B05940BAA0

Function 00F21201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
Part of subcall function 00F216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
Part of subcall function 00F216C3: GetLastError.KERNEL32 ref: 00F2174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F21286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F212A8
CloseHandle.KERNEL32(?), ref: 00F212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F212D1
GetProcessWindowStation.USER32 ref: 00F212EA
SetProcessWindowStation.USER32(00000000), ref: 00F212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F21310

Part of subcall function 00F210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F211FC), ref: 00F210D4
Part of subcall function 00F210BF: CloseHandle.KERNEL32(?,?,00F211FC), ref: 00F210E9

Strings

, xrefs: 00F2125A
winsta0, xrefs: 00F212CC
default, xrefs: 00F2130B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 6ab826dfe4a50053eb14a3ef45302dc4d7f7cc81fced274b67f1ab0f67f8661c
Instruction ID: 4490b6ac818c909ada94e1827489f5ccb46fa6c258cd706179108c8b4b6ff1b6
Opcode Fuzzy Hash: 6ab826dfe4a50053eb14a3ef45302dc4d7f7cc81fced274b67f1ab0f67f8661c
Instruction Fuzzy Hash: 91819971900319AFDF20EFA4EC49BEE7BB9FF09710F044129FA15A61A0C7358A54EB64

Function 00F20B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
Part of subcall function 00F210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
Part of subcall function 00F210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
Part of subcall function 00F210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F20BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F20C00
GetLengthSid.ADVAPI32(?), ref: 00F20C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F20C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F20C6D
GetLengthSid.ADVAPI32(?), ref: 00F20C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F20C8C
HeapAlloc.KERNEL32(00000000), ref: 00F20C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F20CB4
CopySid.ADVAPI32(00000000), ref: 00F20CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F20CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F20D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F20D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D45
HeapFree.KERNEL32(00000000), ref: 00F20D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D55
HeapFree.KERNEL32(00000000), ref: 00F20D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20D65
HeapFree.KERNEL32(00000000), ref: 00F20D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F20D78
HeapFree.KERNEL32(00000000), ref: 00F20D7F

Part of subcall function 00F21193: GetProcessHeap.KERNEL32(00000008,00F20BB1,?,00000000,?,00F20BB1,?), ref: 00F211A1
Part of subcall function 00F21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F20BB1,?), ref: 00F211A8
Part of subcall function 00F21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F20BB1,?), ref: 00F211B7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 697a08b12944fa3498470ac7581b982a239ab09f14d30e0f76a9712043b42bef
Instruction ID: 41869c53645369b8fda9d4d036bf020e5f8fb6122d0105674cfb5acd17731de9
Opcode Fuzzy Hash: 697a08b12944fa3498470ac7581b982a239ab09f14d30e0f76a9712043b42bef
Instruction Fuzzy Hash: D8717A72D0131AAFDF109FA5EC44BAEBBB8FF04311F044115EA15E6292DB75A905EFA0

Function 00F3EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F5CC08), ref: 00F3EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F3EB37
GetClipboardData.USER32(0000000D), ref: 00F3EB43
CloseClipboard.USER32 ref: 00F3EB4F
GlobalLock.KERNEL32(00000000), ref: 00F3EB87
CloseClipboard.USER32 ref: 00F3EB91
GlobalUnlock.KERNEL32(00000000), ref: 00F3EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00F3EBC9
GetClipboardData.USER32(00000001), ref: 00F3EBD1
GlobalLock.KERNEL32(00000000), ref: 00F3EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00F3EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00F3EC38
GetClipboardData.USER32(0000000F), ref: 00F3EC44
GlobalLock.KERNEL32(00000000), ref: 00F3EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F3EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F3EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F3ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00F3ECF3
CountClipboardFormats.USER32 ref: 00F3ED14
CloseClipboard.USER32 ref: 00F3ED59

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 49309df82f9c05ceb780fde465420eaee3d85070527189943facf56b8ff3b3b2
Instruction ID: 7df14fc039209e993418edcbe81764d02851e86efddcdf12a888f69afac6f27f
Opcode Fuzzy Hash: 49309df82f9c05ceb780fde465420eaee3d85070527189943facf56b8ff3b3b2
Instruction Fuzzy Hash: DD61CD352043059FD300EF24D889F3AB7E4AF84724F14551DF956972E2CB31D906EBA2

Function 00F3698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F369BE
FindClose.KERNEL32(00000000), ref: 00F36A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F36A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F36A75

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00F36AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F36ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F36B6A
%4d, xrefs: 00F36BB1
%03d, xrefs: 00F36DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00F36B32
%02d, xrefs: 00F36C00, 00F36C0A, 00F36C5A, 00F36CAA, 00F36CFA, 00F36D4A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c5cc9f6d60afc0bbeff013933eb8934201ffd714826c8d36075412ddfd2aa559
Instruction ID: cc37e7dcfe955103cbb56bdc26a0983beba0a0d214f229671524950265a45f3a
Opcode Fuzzy Hash: c5cc9f6d60afc0bbeff013933eb8934201ffd714826c8d36075412ddfd2aa559
Instruction Fuzzy Hash: D1D19272508340AFC314EBA0C986EAFB7ECAF88704F04591DF585D7291EB75DA49CB62

Function 00F39642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F39663
GetFileAttributesW.KERNEL32(?), ref: 00F396A1
SetFileAttributesW.KERNEL32(?,?), ref: 00F396BB
FindNextFileW.KERNEL32(00000000,?), ref: 00F396D3
FindClose.KERNEL32(00000000), ref: 00F396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00F396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3974A
SetCurrentDirectoryW.KERNEL32(00F86B7C), ref: 00F39768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F39772
FindClose.KERNEL32(00000000), ref: 00F3977F
FindClose.KERNEL32(00000000), ref: 00F3978F

Strings

*.*, xrefs: 00F396F5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2b1647df6f4ce7daaec51bc60581ea7708579eed26160c0f2c8837382878285f
Instruction ID: ba15432032eed59edf3af0dbef27b55532d5b3d0dad5dd53801e11545674bc3f
Opcode Fuzzy Hash: 2b1647df6f4ce7daaec51bc60581ea7708579eed26160c0f2c8837382878285f
Instruction Fuzzy Hash: 5431D03294531E6EDB10AFB4DC49ADE37AC9F49331F104055EA16E20A0DBB4DD44AA90

Function 00F3979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00F39819
FindClose.KERNEL32(00000000), ref: 00F39824
FindFirstFileW.KERNEL32(*.*,?), ref: 00F39840
SetCurrentDirectoryW.KERNEL32(?), ref: 00F39890
SetCurrentDirectoryW.KERNEL32(00F86B7C), ref: 00F398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F398B8
FindClose.KERNEL32(00000000), ref: 00F398C5
FindClose.KERNEL32(00000000), ref: 00F398D5

Part of subcall function 00F2DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F2DB00

Strings

*.*, xrefs: 00F3983B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 2c6481e09884ac341102b550a589e20356b48f7db5d6994f0b42ef57809293bf
Instruction ID: 40d878f64975fa02a322f13148468a281da272a5492c0c0d32bea704a036d3f5
Opcode Fuzzy Hash: 2c6481e09884ac341102b550a589e20356b48f7db5d6994f0b42ef57809293bf
Instruction Fuzzy Hash: 8D31C33290471E6EDB10AFB4EC48ADE77AC9F8A335F504155E911E20A0DBB0DD44EF60

Function 00F4BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F4BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00F4BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F4C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F4C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F4C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F4C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F4C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F4C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4C382
RegCloseKey.ADVAPI32(00000000), ref: 00F4C38F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: eb6ee8a37ed7b6fcfc9c28670249f7e9ead5317261d4d0eb12b64eddc4fa1fda
Instruction ID: 641808a01887023581fdd0d77eac25ab99e564c80ff4b036a5d32a6419de2983
Opcode Fuzzy Hash: eb6ee8a37ed7b6fcfc9c28670249f7e9ead5317261d4d0eb12b64eddc4fa1fda
Instruction Fuzzy Hash: 72027E716042009FC754CF28C895E2ABBE5EF89318F18D49DF84ADB2A2D731ED46DB91

Function 00F38195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F38257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F38267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F38273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F38310
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38324
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F3838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38395

Strings

*.*, xrefs: 00F3839B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b9e11ec08aa73e1cb533d9b5b4388cfefcfe2aede8318673932ee32745c9c563
Instruction ID: e9effa9fa8cc91d727d460ca8f24df0eb8f784317d140fec165b0bc3e88e854a
Opcode Fuzzy Hash: b9e11ec08aa73e1cb533d9b5b4388cfefcfe2aede8318673932ee32745c9c563
Instruction Fuzzy Hash: A6615A725043459FC710EF60C841A9EB3E8FF89364F04491DF989D7251DB39E946DB92

Function 00F2D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F2D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F2D1DD
MoveFileW.KERNEL32(?,?), ref: 00F2D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F2D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2D237

Part of subcall function 00F2D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F2D21C,?,?), ref: 00F2D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F2D253
FindClose.KERNEL32(00000000), ref: 00F2D264

Strings

\*.*, xrefs: 00F2D0CD, 00F2D0D6, 00F2D0EB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6e15c5e8ff7a6c00f6fbcbbf1b2fda2009c13ef354d1d617fb310cdab5403a8f
Instruction ID: 8f473042387b59dbfd08f87daf5d8fc99844e79eb7e69431fc287d66e568d134
Opcode Fuzzy Hash: 6e15c5e8ff7a6c00f6fbcbbf1b2fda2009c13ef354d1d617fb310cdab5403a8f
Instruction Fuzzy Hash: 3D614C31C0121D9ECF05EBE0EA52EEDB7B5AF55304F244169E40277192EB35AF0AEB60

Function 00F3ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F3ED91
EmptyClipboard.USER32 ref: 00F3ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00F3EDAC
CloseClipboard.USER32 ref: 00F3EEA3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: aa2115ec0efdff59765f5021b210fdfb552eb60a6588e7707df6aa57b3f08588
Instruction ID: 0a7a5d21b73cd650505abf59733bc5191293ccf2000065824830171465e44a9e
Opcode Fuzzy Hash: aa2115ec0efdff59765f5021b210fdfb552eb60a6588e7707df6aa57b3f08588
Instruction Fuzzy Hash: 71419C35604611AFE320DF15D888F2ABBE1EF44329F15C09DE41A9B6A2C736ED42DBD0

Function 00F2E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
Part of subcall function 00F216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
Part of subcall function 00F216C3: GetLastError.KERNEL32 ref: 00F2174A

ExitWindowsEx.USER32(?,00000000), ref: 00F2E932

Strings

, xrefs: 00F2E95C
@, xrefs: 00F2E925
SeShutdownPrivilege, xrefs: 00F2E902
, xrefs: 00F2E920

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 964ec88f4fbb9e1cddd86eb345e24f4bc329a8a600317b42b189f3257442c09d
Instruction ID: 636c07331031293f244a202b0dd69b17a3d0a2e52ff0f3e937ca4a0344fd6ac8
Opcode Fuzzy Hash: 964ec88f4fbb9e1cddd86eb345e24f4bc329a8a600317b42b189f3257442c09d
Instruction Fuzzy Hash: 6701D673A10335AFEB6466B4BC8ABBF725CAB14751F250423F903E21D1D5A45C84B2D4

Function 00F41204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F41276
WSAGetLastError.WSOCK32 ref: 00F41283
bind.WSOCK32(00000000,?,00000010), ref: 00F412BA
WSAGetLastError.WSOCK32 ref: 00F412C5
closesocket.WSOCK32(00000000), ref: 00F412F4
listen.WSOCK32(00000000,00000005), ref: 00F41303
WSAGetLastError.WSOCK32 ref: 00F4130D
closesocket.WSOCK32(00000000), ref: 00F4133C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ab4a8fe78464ab705505f71165aa516c06ca870e18bfdc9d6b5c8d11e6d1d559
Instruction ID: fc4392949ab512cce06a63bd2b4da5a3229fda4faa6d70027084ee35958e4736
Opcode Fuzzy Hash: ab4a8fe78464ab705505f71165aa516c06ca870e18bfdc9d6b5c8d11e6d1d559
Instruction Fuzzy Hash: B8418131A002049FD710DF64C584B2ABBE6BF46329F18818CE9569F392C771ED82DBE1

Function 00EFB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EFB9D4
_free.LIBCMT ref: 00EFB9F8
_free.LIBCMT ref: 00EFBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F63700), ref: 00EFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F91270,000000FF,?,0000003F,00000000,?), ref: 00EFBC36
_free.LIBCMT ref: 00EFBD4B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 39da39cd21a013c3c3a0d596ab85a67dcfc30003614753f05503f0cf3776c96f
Instruction ID: 6b3a3e38e9e119f1742436c3ace1ba36c8d7487a701825a65704888bfb1702e2
Opcode Fuzzy Hash: 39da39cd21a013c3c3a0d596ab85a67dcfc30003614753f05503f0cf3776c96f
Instruction Fuzzy Hash: EAC1277190420DAFDB20AF69DC41BBABBF8EF41314F1461AAE694FB251E7708E41D750

Function 00F2D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F2D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F2D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2D481
FindClose.KERNEL32(00000000), ref: 00F2D498
FindClose.KERNEL32(00000000), ref: 00F2D4A1

Strings

\*.*, xrefs: 00F2D3F2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d0772c15070e14f7f8bf2a534e8c3261293083dc44b4b94f21724e7e8f4cadac
Instruction ID: 269abb9e477b58b17c19942d399acedd6e6847c7c22c98b5654b38fa78de17c4
Opcode Fuzzy Hash: d0772c15070e14f7f8bf2a534e8c3261293083dc44b4b94f21724e7e8f4cadac
Instruction Fuzzy Hash: AA31C2310083449FC304FF64E951DAF77E8AE91314F445A2DF4D1A3191EB35AA0AD7A3

Function 00EFE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EFE645

Strings

1#INF, xrefs: 00EFF852
1#SNAN, xrefs: 00EFF844
1#IND, xrefs: 00EFF83D
1#QNAN, xrefs: 00EFF84B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c20d9169929254866983ded583c8f9901f6983d445c10103acb693d249bd3192
Instruction ID: 751c0e2205666272b87f33770f43d1b20a96a9afc2aa6f530364a9dba31eff00
Opcode Fuzzy Hash: c20d9169929254866983ded583c8f9901f6983d445c10103acb693d249bd3192
Instruction Fuzzy Hash: B4C21772E0862C8BDB25CE289D407EAB7B5EF84305F1451EAD94DF7291E774AE818F40

Function 00F3648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F364DC
CoInitialize.OLE32(00000000), ref: 00F36639
CoCreateInstance.OLE32(00F5FCF8,00000000,00000001,00F5FB68,?), ref: 00F36650
CoUninitialize.OLE32 ref: 00F368D4

Strings

.lnk, xrefs: 00F364BA, 00F36524, 00F365E0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a80c34eebbd60168302c4273080f763d867138c4aaa2ee8f83f6712471ccf681
Instruction ID: fbffc27fde1a401b9c6d9b2b2e57ead75ac74bbbabbe96bbdb8b5cebfe2788fc
Opcode Fuzzy Hash: a80c34eebbd60168302c4273080f763d867138c4aaa2ee8f83f6712471ccf681
Instruction Fuzzy Hash: 57D14B71508341AFC304EF24C981E6BB7E8FF98314F14896DF5959B291DB71E906CBA2

Function 00F422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F422E8

Part of subcall function 00F3E4EC: GetWindowRect.USER32(?,?), ref: 00F3E504

GetDesktopWindow.USER32 ref: 00F42312
GetWindowRect.USER32(00000000), ref: 00F42319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F42355
GetCursorPos.USER32(?), ref: 00F42381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F423DF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c4815cb55d87f049dd2c5a32395af9494231766d0c45aa39a3b3c0c364d3c0c5
Instruction ID: 2c7c2441f23b44ca2f709a72bfc5c039a972821871ce597cdfbcf68fde99a172
Opcode Fuzzy Hash: c4815cb55d87f049dd2c5a32395af9494231766d0c45aa39a3b3c0c364d3c0c5
Instruction Fuzzy Hash: CD31E072504319AFD720DF54DC49B6BBBA9FF88324F400929F98597281DB34EA08DBD2

Function 00F39B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F39B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F39C8B

Part of subcall function 00F33874: GetInputState.USER32 ref: 00F338CB
Part of subcall function 00F33874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F33966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F39BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F39C75

Strings

*.*, xrefs: 00F39B5D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0713973e474a1e19d7cbba3e0f52c7516bce2b70787afcc76d7411fd6bf7b6e7
Instruction ID: 394e41c26c7159c2b71d12de4d1807f7b03676b4bcf3b14269259d4ea7777900
Opcode Fuzzy Hash: 0713973e474a1e19d7cbba3e0f52c7516bce2b70787afcc76d7411fd6bf7b6e7
Instruction Fuzzy Hash: 2C41B071D0820A9FCF14DF64C989AEEBBF4EF05360F244059E815A2191EBB19E84DFA0

Function 00ED997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00ED9A4E
GetSysColor.USER32(0000000F), ref: 00ED9B23
SetBkColor.GDI32(?,00000000), ref: 00ED9B36

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f73186eef0e0f991942d0ba6a8f102e8e0de9d296752cb9d6af8f06644ec2a53
Instruction ID: 44f0c1a9be13774785bb97abf3cb4f4c97c4e61c4b9a17df681b45e9f6a3ba1c
Opcode Fuzzy Hash: f73186eef0e0f991942d0ba6a8f102e8e0de9d296752cb9d6af8f06644ec2a53
Instruction Fuzzy Hash: 92A14871108604AEE728AB3C8C58EFB36ADEB42354F15221BF506E67D3DA259D43F271

Function 00F41806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
Part of subcall function 00F4304E: _wcslen.LIBCMT ref: 00F4309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F4185D
WSAGetLastError.WSOCK32 ref: 00F41884
bind.WSOCK32(00000000,?,00000010), ref: 00F418DB
WSAGetLastError.WSOCK32 ref: 00F418E6
closesocket.WSOCK32(00000000), ref: 00F41915

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e77201294ebe55f165178e253d4f623c95a602535d13ba102600d4734588d852
Instruction ID: 4f1e8db0c6c95d40ef4e54bbc304b1b36b56bf588af8b1755a5a742a70c30ba6
Opcode Fuzzy Hash: e77201294ebe55f165178e253d4f623c95a602535d13ba102600d4734588d852
Instruction Fuzzy Hash: 9E51A271A00210AFEB10AF24C986F2A7BE5EB44718F18805CF9566F3D3D771AD42DBA1

Function 00F51C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F51CC0
IsWindowEnabled.USER32 ref: 00F51CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F51CDB
IsIconic.USER32 ref: 00F51CE9
IsZoomed.USER32 ref: 00F51CF7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1e2a9dd0fef66f621af6d0c3133f8988a63ea4876b1459f0bfb3dc1a0ff2a218
Instruction ID: ac77ff3c221783714b46d0a351d517ffbf8f916b3388d0fbd1aba4719bb3da4c
Opcode Fuzzy Hash: 1e2a9dd0fef66f621af6d0c3133f8988a63ea4876b1459f0bfb3dc1a0ff2a218
Instruction Fuzzy Hash: 7C218231B402115FD7208F1AC888F667BE5BF95326B19805CED4A8B351D776EC46EB90

Function 00EC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00EC83E8
VUUU, xrefs: 00EC843C
VUUU, xrefs: 00EC83FA
VUUU, xrefs: 00F05DF0
ERCP, xrefs: 00EC813C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 21df2748f70b45aa53a223ae3909dea09f6f7fd108a06a300a5603971e9fd832
Instruction ID: dc98fcb3ed8331fc89ce9727b5dd8a602d563cc0a6e7545870dddb2737c13f3a
Opcode Fuzzy Hash: 21df2748f70b45aa53a223ae3909dea09f6f7fd108a06a300a5603971e9fd832
Instruction Fuzzy Hash: A6A28070E0021ACBDF24CF58CB40BEEB7B1BB54714F2491AAD815A7285DB719D92EF90

Function 00F2AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F2AAAC
SetKeyboardState.USER32(00000080), ref: 00F2AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F2AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F2AB88

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 497250b5ffff99b2b4d4ba6ff7262a3cc52c2a4fa0cc0c37b937e4658b4437e3
Instruction ID: 3fd996e12b003d2b13cd9d35a7977d911f55c7af2c9b4f4edc2055f6ff84113f
Opcode Fuzzy Hash: 497250b5ffff99b2b4d4ba6ff7262a3cc52c2a4fa0cc0c37b937e4658b4437e3
Instruction Fuzzy Hash: 0B311A30E40728AFFB358A64AC05BFA7BA6AFC4320F04421AF585561D1D3798985E7A2

Function 00F3CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00F3CE89
GetLastError.KERNEL32(?,00000000), ref: 00F3CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00F3CEFE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4e5148c975c7ff33c261860e458a62a7e7a88653dce1332ac4e00f8d3437ec61
Instruction ID: 97353621eefa7e0b1deb21715958c113bec80595cfc3757058278d2f6ffc6ebc
Opcode Fuzzy Hash: 4e5148c975c7ff33c261860e458a62a7e7a88653dce1332ac4e00f8d3437ec61
Instruction Fuzzy Hash: 6721CF719003099FD720DFA5C948BAB77FCEB00724F10441EE646E2251E770EE44EBA0

Function 00F28298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F282AA

Strings

(, xrefs: 00F282F0
|, xrefs: 00F282DA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3c570456fdb1c5cd0fb86b6e6e0f6f7070454a429a2d331d37bcea196efda5a6
Instruction ID: 2adf2eec5f7dfc894b4193a82e4845edf78a84862291102551b3ec186993d2b8
Opcode Fuzzy Hash: 3c570456fdb1c5cd0fb86b6e6e0f6f7070454a429a2d331d37bcea196efda5a6
Instruction Fuzzy Hash: 3A323875A017159FC728CF59D480AAAB7F0FF48760B15C46EE49ADB3A1DB70E942CB40

Function 00F35C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F35CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00F35D17
FindClose.KERNEL32(?), ref: 00F35D5F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2f8c604349f948e5b8a7c5bd4d54b8fb1c4608b9dd77a08f28119150f11cc90a
Instruction ID: 6facdbffc430518de9c6344ee0ebc89bd9d4c58f5ca526ee7e66823491e7c3c3
Opcode Fuzzy Hash: 2f8c604349f948e5b8a7c5bd4d54b8fb1c4608b9dd77a08f28119150f11cc90a
Instruction Fuzzy Hash: 1B519975A04B019FC714CF28C494E9AB7E4FF89324F14855EE99A8B3A2CB31ED05DB91

Function 00EF2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EF271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EF2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EF2731

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6e005b4324860b459f2287389f637b9c6e29591e16047e9b67d5b8a556cbec07
Instruction ID: 470e465d928c3a5fd2bb53667869787d9eac9e3fce5f75209c852649267cd71a
Opcode Fuzzy Hash: 6e005b4324860b459f2287389f637b9c6e29591e16047e9b67d5b8a556cbec07
Instruction Fuzzy Hash: 6E31C47490131C9BCB21DF65DC88798B7B8AF08310F5051EAE51CA6260E7709F818F45

Function 00F351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F35238
SetErrorMode.KERNEL32(00000000), ref: 00F352A1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5e119df56aabe61e6b272c8dd9a4ca15c6d94153d3b52036a96760819e3c6333
Instruction ID: 18d74bd48d38aa94bc586e88a7e8dd98485bc864301e0f54e4c9af8829f3d62b
Opcode Fuzzy Hash: 5e119df56aabe61e6b272c8dd9a4ca15c6d94153d3b52036a96760819e3c6333
Instruction Fuzzy Hash: B4313C75A00618DFDB00DF54D884EAEBBF4FF49318F188099E905AB352DB36E856CB90

Function 00F216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EE0668
Part of subcall function 00EDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EE0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F2173A
GetLastError.KERNEL32 ref: 00F2174A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a806372e6099cdad80c0a2f3fa79754f6c105bd7dfeddf744b78369f50de323e
Instruction ID: 9fe39d154bbe2793ac2240d1c80327d303dadce8a83bef8b963d8f6fa708833c
Opcode Fuzzy Hash: a806372e6099cdad80c0a2f3fa79754f6c105bd7dfeddf744b78369f50de323e
Instruction Fuzzy Hash: 1F1191B2404308AFD718DF54EC86E6BB7F9FB44725B20852EE05697241EB70BC41DA64

Function 00F2D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F2D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F2D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F2D650

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6592e938a12926a7f77b731248b9bbf6cf7ebf4c2e853f2f921ba21cd22b0902
Instruction ID: c3a6de0898bc2dd5130a95721135d1e1d813886a57759150215957d6bb6830ea
Opcode Fuzzy Hash: 6592e938a12926a7f77b731248b9bbf6cf7ebf4c2e853f2f921ba21cd22b0902
Instruction Fuzzy Hash: 06115A71E01328BFDB108B94AC44BAFBFBCEB45B60F108111F914A7290C2704A019BE1

Function 00F21663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F2168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F216A1
FreeSid.ADVAPI32(?), ref: 00F216B1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d3c97cacc040dd460e8f1643e3d4c6b237c6c3a969c702019ab738576c125e6f
Instruction ID: 46b4840c9a29ef84a9765a9324bcf0f362f218d03ac8fa094ea57d2e3ade922c
Opcode Fuzzy Hash: d3c97cacc040dd460e8f1643e3d4c6b237c6c3a969c702019ab738576c125e6f
Instruction Fuzzy Hash: F8F0F47195030DFFDB00DFE49C89AAEBBBCFB08615F504565E601E2181E774AA449A94

Function 00EFC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00EFC36C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 63fe882e3b5b28184e99cbe332be15e0eef7f7ea819117221e20909e1031d475
Instruction ID: 3a2f64883215357a6f41a42708eb9bc6935386cef546769282ff6a10a1b3b10e
Opcode Fuzzy Hash: 63fe882e3b5b28184e99cbe332be15e0eef7f7ea819117221e20909e1031d475
Instruction Fuzzy Hash: 6141497290061DAFDB209FB9CD48DBB77B8EB84358F7052A9FA05E7180E6709D81CB50

Function 00F1D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F1D28C

Strings

X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5cd7279d3f0a00cdaf67c3cffc112a5d96e7eb9658911bce594b7f4051ed5825
Instruction ID: 01fa8931029586c772b6a5b97c9d4dfbd1a3ee31a2df6de1c4900a2e5bf76e3f
Opcode Fuzzy Hash: 5cd7279d3f0a00cdaf67c3cffc112a5d96e7eb9658911bce594b7f4051ed5825
Instruction Fuzzy Hash: 92D0C9B580521DEECF94CB90DC88DD9B3BCFB04305F100152F106E2140D77495499F10

Function 00EECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1954aa55d6fd906a5e8102a8e95c4a958df42c09f242f6e0ec56695762a7c76d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 74021C71E002599BDF14CFA9C8806ADFBF1EF48314F259169E919F7384D731AA42CB94

Function 00F368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F36918
FindClose.KERNEL32(00000000), ref: 00F36961

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9c2320e788065cf22502d10f95a2aeb3144a82eb7aa71765a3c79b0cbf6eb580
Instruction ID: edcc6c9c9216ce145b658d6369231b83ffa1f9ed8718120cff1ad8a4183a1bdd
Opcode Fuzzy Hash: 9c2320e788065cf22502d10f95a2aeb3144a82eb7aa71765a3c79b0cbf6eb580
Instruction Fuzzy Hash: 96118E31604200AFC710DF29D484B16BBE5EF85339F15C69DE5699F6A2C731EC06DB91

Function 00F337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F44891,?,?,00000035,?), ref: 00F337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F44891,?,?,00000035,?), ref: 00F337F4

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8998b97040181d0aaadea43af597f41fbb812974dc8c4ff8bcf2532f405c5f3c
Instruction ID: d3ddb1c0d78c3c4a68f5b854c6b9e2581c4f70b8c5d4a8202c8ae1fe057abb28
Opcode Fuzzy Hash: 8998b97040181d0aaadea43af597f41fbb812974dc8c4ff8bcf2532f405c5f3c
Instruction Fuzzy Hash: B5F0E5B16043292AEB2057668C4DFEB7AAEEFC4772F000165F609E2291D9609904D7F0

Function 00F2B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F2B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F2B270

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 2746d18589a04c0a218c937ac6f05b8c40695b8cdd8a0b49e243999eaaefeb36
Instruction ID: 01c9745654839bfc111a7a40db94e7ee110095c2c2a4d2992f7dfde69d5b09af
Opcode Fuzzy Hash: 2746d18589a04c0a218c937ac6f05b8c40695b8cdd8a0b49e243999eaaefeb36
Instruction Fuzzy Hash: 7FF01D7180434DAFDB059FA0D805BAE7FB4FF08315F048009FA55A5192D7798611EF94

Function 00F210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F211FC), ref: 00F210D4
CloseHandle.KERNEL32(?,?,00F211FC), ref: 00F210E9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d8da6c7555dc5e82cc004e4de7a880d548aa1ce867143eadcc61947b09577089
Instruction ID: 2074b94a8f2f4be4b86e8ae736042863a1f4830ca5b9e9c7a3810092e41816d7
Opcode Fuzzy Hash: d8da6c7555dc5e82cc004e4de7a880d548aa1ce867143eadcc61947b09577089
Instruction Fuzzy Hash: EAE04F32004710AEF7256B51FC05E7377E9EB04321B10882EF5A7804B1DB626C90EB50

Function 00ECCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F10C40

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: b2d84c74d6ca714b0e63d3c73ff7c305f5cebd0350adbda05ca07e4ba3a6f777
Instruction ID: 83b5e57607435d9f7435de91b00e522636ac79a30578796157f043ee90b1b95f
Opcode Fuzzy Hash: b2d84c74d6ca714b0e63d3c73ff7c305f5cebd0350adbda05ca07e4ba3a6f777
Instruction Fuzzy Hash: 72326C709002189BCF14DF90CA85FEDB7B5BF05318F24506DE80ABB292DB76AD86DB51

Function 00EF676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EF6766,?,?,00000008,?,?,00EFFEFE,00000000), ref: 00EF6998

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b2bc6243f22442120dcb365a508adac9e34911c89805ac9b7e277e33f1338a91
Instruction ID: 2bcf0080dc6b4dfb0f8b3a341ee1a158166bd772defc11b8c6bf08cea1024dde
Opcode Fuzzy Hash: b2bc6243f22442120dcb365a508adac9e34911c89805ac9b7e277e33f1338a91
Instruction Fuzzy Hash: C1B14C31610608DFDB19CF28C486BA57BE0FF45368F25965CE999DF2A2C335E991CB40

Function 00EDB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F1851F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e4b3bfb410c63fb664fe5485b3cecc047c1fafc124e5f3f721b6216a6c0da4a1
Instruction ID: 7113c3a40e73f15f29db8d71e341d0cb242fc6034a17b5be6cfae362002b0467
Opcode Fuzzy Hash: e4b3bfb410c63fb664fe5485b3cecc047c1fafc124e5f3f721b6216a6c0da4a1
Instruction Fuzzy Hash: A1125D71D00229DBCB14CF58C981AEEB7F5FF48710F15819AE859EB251EB349E82DB90

Function 00F3EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F3EABD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e1907faa3a6218e12b874c709d7f4a4a33718319c32d46778729052198f5de7e
Instruction ID: 163dbdb2b17d45078d4a256847f2dc6cb9e6e459c2858618ae225f3529d10bf4
Opcode Fuzzy Hash: e1907faa3a6218e12b874c709d7f4a4a33718319c32d46778729052198f5de7e
Instruction Fuzzy Hash: 17E04F322002059FC710EF59D805E9AF7EDAF98770F00841AFD4AD7391DB75E8419B90

Function 00EE09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00EE03EE), ref: 00EE09DA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ec4c36d3996b1f457508e2e9c5583f87854221f34c136ee4767d151f39f8b744
Instruction ID: d02f2b2f92d904410ba0b03e6551977a4629998ee0c43bea2cc5ae563a0cb4a7
Opcode Fuzzy Hash: ec4c36d3996b1f457508e2e9c5583f87854221f34c136ee4767d151f39f8b744
Instruction Fuzzy Hash:

Function 00EE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00EE798B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f0ad20216dfa87e8848c5afb5c7a043b959b1a42f81d7569eeb528c3f5fa4a2a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DA51737160C6DD5ADB3C856B894A7BE23C98FA2308F183519D8CAF7283C612DE41D35A

Function 00EF6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822d021e56fddfb73c20d73b729141b099013a7c78af955c8e862c478447add6
Instruction ID: 63ec5f48e0d677a59d2d7adcd58ba117abd54748428b6c89964ac616b39a6580
Opcode Fuzzy Hash: 822d021e56fddfb73c20d73b729141b099013a7c78af955c8e862c478447add6
Instruction Fuzzy Hash: C6325522D29F094DD7639634CC22335A249AFB73C9F14E737F86AB59A9EB79C4835100

Function 00EDCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89ff3d5e31ecf48989bf6b0385d15d727979a63714bff16c9669cc26be70f8f
Instruction ID: ed4122e575db6e14ae85214ef3facaa3dc34478ce4e6b76eef801c1d124d8021
Opcode Fuzzy Hash: d89ff3d5e31ecf48989bf6b0385d15d727979a63714bff16c9669cc26be70f8f
Instruction Fuzzy Hash: 99322632A841568BCF28CE28C4A06FDB7A1EF45364F28816BD559DB391D235DDC2FB80

Function 00EC7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28a37430ce8b86114679f9ce7a844c57b735b2bea1581e6822f00690c94ea0a
Instruction ID: e1ee0f03e2090036ccc69ccbb37000d271d93722aee843a2294a4b31d29eefd9
Opcode Fuzzy Hash: a28a37430ce8b86114679f9ce7a844c57b735b2bea1581e6822f00690c94ea0a
Instruction Fuzzy Hash: E322BD70A0060A9BDF14CFA4C981BEEB3F6FF44710F245129E856A7291EB769D12EF50

Function 00EC91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2206182a6bda68d20b77a91135c8455da425b28a67f7b6ca5ef06501de656477
Instruction ID: fa1ae90dff3576c23adfbfdee74c2ba4d8e540b9a5ec1ba861088cc25b63f1ad
Opcode Fuzzy Hash: 2206182a6bda68d20b77a91135c8455da425b28a67f7b6ca5ef06501de656477
Instruction Fuzzy Hash: 6402A6B1E00209EBDB04DF54D941BAEB7F1FF44310F108569E816AB3D1EB359A51EB91

Function 00EF9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea15460153bba5314d80b6547e3948ca0653b535775c45b8901eaf821fa1047b
Instruction ID: f8ab1dc55aaf8630532d40d8bb858cb5fbc0a98bd254d6825227da0874213289
Opcode Fuzzy Hash: ea15460153bba5314d80b6547e3948ca0653b535775c45b8901eaf821fa1047b
Instruction Fuzzy Hash: 2FB10520D2AF444DD32396398832336B75CAFBB6D5F51D71BFC2A74E62EB2285835140

Function 00EE7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2026fbc9c7ae01fb9fd2046277619b619d68556a1f4ba686bd55297440426312
Instruction ID: 2d3ccc09b15eacc0d305e173db9ba64b60d9981c9031c8d15a5f4aca9a124bcb
Opcode Fuzzy Hash: 2026fbc9c7ae01fb9fd2046277619b619d68556a1f4ba686bd55297440426312
Instruction Fuzzy Hash: E46168316087CD96DB34992B8995BFF73DADF41748F203929E8CAFB281D6119E428315

Function 00EE7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a840f263640d32dc8352e5cec260ffca929a1e68796ea5d691b708c6ae642d2
Instruction ID: 2bced42580bbd5d5f0a881a36df20400382eedd1fe9d5907a07838c8f7833f8d
Opcode Fuzzy Hash: 1a840f263640d32dc8352e5cec260ffca929a1e68796ea5d691b708c6ae642d2
Instruction Fuzzy Hash: C76178312087CD62DB388A2B5D91BFE23C99F43708F10395DE8C2FB291EA12AD428211

Function 00F32046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78561a0a4737c4fdcb4481a050950f7d9c63cd1a86eca8cdbb55a3a065832a9
Instruction ID: 9d2b9a0f9e4cc3c23d2567ab5cf7b1de652275d157e9ef3efc3b9fe736d8bace
Opcode Fuzzy Hash: c78561a0a4737c4fdcb4481a050950f7d9c63cd1a86eca8cdbb55a3a065832a9
Instruction Fuzzy Hash: 7521D5727216158BDB2CCF79C82267E73E5A754320F14862EE4A7C37D0DE39A904DB80

Function 00F42ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F42B30
DeleteObject.GDI32(00000000), ref: 00F42B43
DestroyWindow.USER32 ref: 00F42B52
GetDesktopWindow.USER32 ref: 00F42B6D
GetWindowRect.USER32(00000000), ref: 00F42B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F42CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F42CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42CF8
GetClientRect.USER32(00000000,?), ref: 00F42D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F42D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D80
GlobalLock.KERNEL32(00000000), ref: 00F42D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42D98
GlobalUnlock.KERNEL32(00000000), ref: 00F42DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42DA8
GlobalFree.KERNEL32(00000000), ref: 00F42DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F5FC38,00000000), ref: 00F42DDB
GlobalFree.KERNEL32(00000000), ref: 00F42DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F42E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F42E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F42E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F4303F

Strings

DISPLAY, xrefs: 00F42EA2
, xrefs: 00F42FC5
AutoIt v3, xrefs: 00F42CF2
static, xrefs: 00F42D3A, 00F42E91

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 99fbbe1d9a549c763799d14849ea7069c13bfbb2bdf5e1e51e99ba93910c9ff1
Instruction ID: 3c754215363270813dd124fda249efe474c48756771af6de85a407b77cb66d19
Opcode Fuzzy Hash: 99fbbe1d9a549c763799d14849ea7069c13bfbb2bdf5e1e51e99ba93910c9ff1
Instruction Fuzzy Hash: D7025E71900209AFDB14DF64CD89EAE7BB9FB48711F048158F916AB2A1C775DD01DFA0

Function 00F570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F5712F
GetSysColorBrush.USER32(0000000F), ref: 00F57160
GetSysColor.USER32(0000000F), ref: 00F5716C
SetBkColor.GDI32(?,000000FF), ref: 00F57186
SelectObject.GDI32(?,?), ref: 00F57195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F571C0
GetSysColor.USER32(00000010), ref: 00F571C8
CreateSolidBrush.GDI32(00000000), ref: 00F571CF
FrameRect.USER32(?,?,00000000), ref: 00F571DE
DeleteObject.GDI32(00000000), ref: 00F571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F57230
FillRect.USER32(?,?,?), ref: 00F57262
GetWindowLongW.USER32(?,000000F0), ref: 00F57284

Part of subcall function 00F573E8: GetSysColor.USER32(00000012), ref: 00F57421
Part of subcall function 00F573E8: SetTextColor.GDI32(?,?), ref: 00F57425
Part of subcall function 00F573E8: GetSysColorBrush.USER32(0000000F), ref: 00F5743B
Part of subcall function 00F573E8: GetSysColor.USER32(0000000F), ref: 00F57446
Part of subcall function 00F573E8: GetSysColor.USER32(00000011), ref: 00F57463
Part of subcall function 00F573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F57471
Part of subcall function 00F573E8: SelectObject.GDI32(?,00000000), ref: 00F57482
Part of subcall function 00F573E8: SetBkColor.GDI32(?,00000000), ref: 00F5748B
Part of subcall function 00F573E8: SelectObject.GDI32(?,?), ref: 00F57498
Part of subcall function 00F573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F574B7
Part of subcall function 00F573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F574CE
Part of subcall function 00F573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F574DB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ec1fc7e4db1ee30ba79001d8e1ec9471476291a108c0a3e00a4e0e96b714fc44
Instruction ID: 0118a4fc52930d3c328ad63faf072410109320e1a44ebbb833f55df636afe650
Opcode Fuzzy Hash: ec1fc7e4db1ee30ba79001d8e1ec9471476291a108c0a3e00a4e0e96b714fc44
Instruction Fuzzy Hash: B5A19072408705AFD700AF60DC48A5B7BA9FB49332F140A19FB63961E1D770E944EB91

Function 00F42711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F4273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F4286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F42900
GetClientRect.USER32(00000000,?), ref: 00F4290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F42955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F42964
GetStockObject.GDI32(00000011), ref: 00F42974
SelectObject.GDI32(00000000,00000000), ref: 00F42978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F42988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F42991
DeleteDC.GDI32(00000000), ref: 00F4299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F42A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F42A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F42A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F42A77
GetStockObject.GDI32(00000011), ref: 00F42A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F42A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F42A97

Strings

DISPLAY, xrefs: 00F4295A
msctls_progress32, xrefs: 00F42A13
AutoIt v3, xrefs: 00F428F8
static, xrefs: 00F4294F, 00F42A71

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 389053ea65c112ae87f4d61e44bdcb1d9cf9664ebc4e30fa2e3403bbd88fd865
Instruction ID: 5d765aac032d2139cfb9f8e5b51bf71ba05961e1326de972cdbf9bb86b71ead6
Opcode Fuzzy Hash: 389053ea65c112ae87f4d61e44bdcb1d9cf9664ebc4e30fa2e3403bbd88fd865
Instruction Fuzzy Hash: 85B14B71A00219AFEB14DF68DC8AFAE7BB9FB48711F004119FA15E7290D774AD40DB94

Function 00F34ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F34AED
GetDriveTypeW.KERNEL32(?,00F5CB68,?,\\.\,00F5CC08), ref: 00F34BCA
SetErrorMode.KERNEL32(00000000,00F5CB68,?,\\.\,00F5CC08), ref: 00F34D36

Strings

Unknown, xrefs: 00F34BED, 00F34C83
MMC, xrefs: 00F34CDE
Virtual, xrefs: 00F34CE5
RAMDisk, xrefs: 00F34BF4
1394, xrefs: 00F34C9F
SSD, xrefs: 00F34C4A
SSA, xrefs: 00F34CA6
RAID, xrefs: 00F34CBB
SATA, xrefs: 00F34CD0
SAS, xrefs: 00F34CC9
ATA, xrefs: 00F34C98
Removable, xrefs: 00F34C10, 00F34C15
SCSI, xrefs: 00F34C8A
CDROM, xrefs: 00F34BFB
PhysicalDrive, xrefs: 00F34B76
ATAPI, xrefs: 00F34C91
USB, xrefs: 00F34CB4
Network, xrefs: 00F34C02
Fibre, xrefs: 00F34CAD
\\.\, xrefs: 00F34B3F
iSCSI, xrefs: 00F34CC2
Fixed, xrefs: 00F34C09
FileBackedVirtual, xrefs: 00F34CEC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4bbe2b7f83653b34ee0ea696ed08d64196a05a1f65592dbe8ad920ba2d190998
Instruction ID: f53e3496c188c4bde92af552973bc54e0feada1d4db676e6da04f1083068056e
Opcode Fuzzy Hash: 4bbe2b7f83653b34ee0ea696ed08d64196a05a1f65592dbe8ad920ba2d190998
Instruction Fuzzy Hash: 306195326052059BCB04EF24CA81EADB7A1EB447A5F249415F806EB692DB36FD41FB42

Function 00F573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F57421
SetTextColor.GDI32(?,?), ref: 00F57425
GetSysColorBrush.USER32(0000000F), ref: 00F5743B
GetSysColor.USER32(0000000F), ref: 00F57446
CreateSolidBrush.GDI32(?), ref: 00F5744B
GetSysColor.USER32(00000011), ref: 00F57463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F57471
SelectObject.GDI32(?,00000000), ref: 00F57482
SetBkColor.GDI32(?,00000000), ref: 00F5748B
SelectObject.GDI32(?,?), ref: 00F57498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F5752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F57554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F57572
DrawFocusRect.USER32(?,?), ref: 00F5757D
GetSysColor.USER32(00000011), ref: 00F5758E
SetTextColor.GDI32(?,00000000), ref: 00F57596
DrawTextW.USER32(?,00F570F5,000000FF,?,00000000), ref: 00F575A8
SelectObject.GDI32(?,?), ref: 00F575BF
DeleteObject.GDI32(?), ref: 00F575CA
SelectObject.GDI32(?,?), ref: 00F575D0
DeleteObject.GDI32(?), ref: 00F575D5
SetTextColor.GDI32(?,?), ref: 00F575DB
SetBkColor.GDI32(?,?), ref: 00F575E5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5a319b8140997281601ad75acb8ca5b2444001d73952e16715f302739e8d7ab0
Instruction ID: e29289d1913d024afb1c82db53c874cf25bd526b46b024d20e0fb7daed258a44
Opcode Fuzzy Hash: 5a319b8140997281601ad75acb8ca5b2444001d73952e16715f302739e8d7ab0
Instruction Fuzzy Hash: 32616F72D00318AFDF019FA4DC49EAE7FB9EB08721F154115FA16AB2A1D7719940EF90

Function 00F50FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F51128
GetDesktopWindow.USER32 ref: 00F5113D
GetWindowRect.USER32(00000000), ref: 00F51144
GetWindowLongW.USER32(?,000000F0), ref: 00F51199
DestroyWindow.USER32(?), ref: 00F511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F5121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F51232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F51245
IsWindowVisible.USER32(00000000), ref: 00F512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F512D0
GetWindowRect.USER32(00000000,?), ref: 00F512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F5130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F51328
CopyRect.USER32(?,?), ref: 00F5133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F513AA

Strings

(, xrefs: 00F5131B
0, xrefs: 00F510D3
tooltips_class32, xrefs: 00F511E6

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dbb563c1a0d3e6382d91960fedb2378aa650cea5d7f26b1e76c4697acf8be0fd
Instruction ID: ec9f8b670be8c9d433a6d4ddb52903950f3cecf5d23dd545f6eac43ddd305197
Opcode Fuzzy Hash: dbb563c1a0d3e6382d91960fedb2378aa650cea5d7f26b1e76c4697acf8be0fd
Instruction Fuzzy Hash: 04B18B71604341AFD700DF64C985B6ABBE4FF84351F00891CFA9AAB2A1C771E849DB91

Function 00F50241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F502E5
_wcslen.LIBCMT ref: 00F5031F
_wcslen.LIBCMT ref: 00F50389
_wcslen.LIBCMT ref: 00F503F1
_wcslen.LIBCMT ref: 00F50475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F50504

Part of subcall function 00EDF9F2: _wcslen.LIBCMT ref: 00EDF9FD

Part of subcall function 00F2223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F22258
Part of subcall function 00F2223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F2228A

Strings

FINDITEM, xrefs: 00F50627
GETTEXT, xrefs: 00F503EC, 00F50407
GETSUBITEMCOUNT, xrefs: 00F50384, 00F5039F
SELECTINVERT, xrefs: 00F5057E
DESELECT, xrefs: 00F5059C
GETSELECTEDCOUNT, xrefs: 00F50470, 00F5048B
VIEWCHANGE, xrefs: 00F50675
ISSELECTED, xrefs: 00F504DD
SELECT, xrefs: 00F50548
SELECTALL, xrefs: 00F50515
SELECTCLEAR, xrefs: 00F5052D
GETITEMCOUNT, xrefs: 00F50316, 00F50337
GETSELECTED, xrefs: 00F505E1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ec203fba48f95a448a8979d3775320a4a175b9e01fe9be620373d41cab32afa8
Instruction ID: 2c77dc542a3a02bc9acf5079834dab780c91d8ea987d0a79c417683d9c1cbe53
Opcode Fuzzy Hash: ec203fba48f95a448a8979d3775320a4a175b9e01fe9be620373d41cab32afa8
Instruction Fuzzy Hash: DEE1C1326083018FC714EF24C551A2AB3E6BFC8315F14456DF996AB3A2DB31ED4AEB41

Function 00ED8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED8968
GetSystemMetrics.USER32(00000007), ref: 00ED8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED899B
GetSystemMetrics.USER32(00000008), ref: 00ED89A3
GetSystemMetrics.USER32(00000004), ref: 00ED89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00ED89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00ED89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00ED8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00ED8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00ED8A5A
GetStockObject.GDI32(00000011), ref: 00ED8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED8A81

Part of subcall function 00ED912D: GetCursorPos.USER32(?), ref: 00ED9141
Part of subcall function 00ED912D: ScreenToClient.USER32(00000000,?), ref: 00ED915E
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000001), ref: 00ED9183
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000002), ref: 00ED919D

SetTimer.USER32(00000000,00000000,00000028,00ED90FC), ref: 00ED8AA8

Strings

AutoIt v3 GUI, xrefs: 00ED8A20

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cd40a2e494d81c67bfa962680f8c2020d602927f3cb60f38408d9964200cfb94
Instruction ID: 283d342e9cffec708f63a2d57fbf972e9a261dc498088b75dabf02021105e389
Opcode Fuzzy Hash: cd40a2e494d81c67bfa962680f8c2020d602927f3cb60f38408d9964200cfb94
Instruction Fuzzy Hash: 56B16E75A0030A9FDB14DFA8CD55BEE3BB5FB48315F10422AFA16E7290DB34A941EB50

Function 00F20D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
Part of subcall function 00F210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
Part of subcall function 00F210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
Part of subcall function 00F210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
Part of subcall function 00F210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F20DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F20E29
GetLengthSid.ADVAPI32(?), ref: 00F20E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F20E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F20E96
GetLengthSid.ADVAPI32(?), ref: 00F20EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F20EB5
HeapAlloc.KERNEL32(00000000), ref: 00F20EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F20EDD
CopySid.ADVAPI32(00000000), ref: 00F20EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F20F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F20F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F20F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F6E
HeapFree.KERNEL32(00000000), ref: 00F20F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F7E
HeapFree.KERNEL32(00000000), ref: 00F20F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F20F8E
HeapFree.KERNEL32(00000000), ref: 00F20F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F20FA1
HeapFree.KERNEL32(00000000), ref: 00F20FA8

Part of subcall function 00F21193: GetProcessHeap.KERNEL32(00000008,00F20BB1,?,00000000,?,00F20BB1,?), ref: 00F211A1
Part of subcall function 00F21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F20BB1,?), ref: 00F211A8
Part of subcall function 00F21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F20BB1,?), ref: 00F211B7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0ffaadbff2934bd9376fa662cd6aa195b6e097009296c9403630acd8bdec04af
Instruction ID: 3da9a2192d8327addd9dfced14909339289ef96e8d10d82584393fa52ef0d30a
Opcode Fuzzy Hash: 0ffaadbff2934bd9376fa662cd6aa195b6e097009296c9403630acd8bdec04af
Instruction Fuzzy Hash: 22715C7290031AAFDF209FA5ED44FAEBBB8FF04311F144115FA19E6192DB719905DBA0

Function 00F4C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F5CC08,00000000,?,00000000,?,?), ref: 00F4C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F4C5A4
_wcslen.LIBCMT ref: 00F4C5F4
_wcslen.LIBCMT ref: 00F4C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F4C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F4C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F4C84D
RegCloseKey.ADVAPI32(?), ref: 00F4C881
RegCloseKey.ADVAPI32(00000000), ref: 00F4C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F4C960

Strings

REG_SZ, xrefs: 00F4C644
REG_EXPAND_SZ, xrefs: 00F4C5CD
REG_BINARY, xrefs: 00F4C913
REG_QWORD, xrefs: 00F4C8C3
REG_DWORD, xrefs: 00F4C804
REG_MULTI_SZ, xrefs: 00F4C6F5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 17e89cc2fa456bd0199e561a2f8ce4dacdabf38d93ebaa18ad6d5f2aa9f50bf6
Instruction ID: 2ae7ab1c0eb1a9f8bf5395fab3fc3d0807ae2ef0b106f8f7a54399dd0cd8af4c
Opcode Fuzzy Hash: 17e89cc2fa456bd0199e561a2f8ce4dacdabf38d93ebaa18ad6d5f2aa9f50bf6
Instruction Fuzzy Hash: 53125A356042019FD754DF14C981F2ABBE5EF88724F14985CF89AAB3A2DB31ED42DB81

Function 00F5091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F509C6
_wcslen.LIBCMT ref: 00F50A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F50A54
_wcslen.LIBCMT ref: 00F50A8A
_wcslen.LIBCMT ref: 00F50B06
_wcslen.LIBCMT ref: 00F50B81

Part of subcall function 00EDF9F2: _wcslen.LIBCMT ref: 00EDF9FD

Part of subcall function 00F22BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F22BFA

Strings

SELECT, xrefs: 00F50D11
EXISTS, xrefs: 00F50B7C, 00F50B97
ISCHECKED, xrefs: 00F50CE1
GETTEXT, xrefs: 00F50C97
UNCHECK, xrefs: 00F50D3E
EXPAND, xrefs: 00F50BF8
GETTOTALCOUNT, xrefs: 00F509F2, 00F50A17
CHECK, xrefs: 00F50A85, 00F50AA0
GETITEMCOUNT, xrefs: 00F50C1E
COLLAPSE, xrefs: 00F50B01, 00F50B1C
GETSELECTED, xrefs: 00F50C4E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: bb8ad66f55687b88b881bc0dc40a9a1fe36fc11794f4fd824610a46f705855a2
Instruction ID: d29e3216f3743b5b688d4b599bf278f45af32ef8b57859fa70d87a0ac1d71cf0
Opcode Fuzzy Hash: bb8ad66f55687b88b881bc0dc40a9a1fe36fc11794f4fd824610a46f705855a2
Instruction Fuzzy Hash: 1BE1A1326083019FC714EF24C490A6AB7E2FFD4315B14495DF996AB362DB31ED4AEB81

Function 00F4C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
_wcslen.LIBCMT ref: 00F4C9F1
_wcslen.LIBCMT ref: 00F4CA68
_wcslen.LIBCMT ref: 00F4CA9E
_wcslen.LIBCMT ref: 00F4CAF9
_wcslen.LIBCMT ref: 00F4CB2F
_wcslen.LIBCMT ref: 00F4CB7F

Strings

HKCR, xrefs: 00F4CB29, 00F4CB2E
HKU, xrefs: 00F4CBF0
HKEY_LOCAL_MACHINE, xrefs: 00F4CA62, 00F4CA67
HKEY_CURRENT_CONFIG, xrefs: 00F4CB79, 00F4CB7E
HKCC, xrefs: 00F4CBAC
HKEY_USERS, xrefs: 00F4CBDF
HKEY_CURRENT_USER, xrefs: 00F4CBBD
HKEY_CLASSES_ROOT, xrefs: 00F4CAF3, 00F4CAF8
HKCU, xrefs: 00F4CBCE
HKLM, xrefs: 00F4CA98, 00F4CA9D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 37cb06c1414e7a67947495700cfe6e644b3b44f2590690d1af6b55054985b1ac
Instruction ID: edc485ed2f2b7a44d1da2cd63821ecbeccb2445c03ce509c6ec7c1848cd00a18
Opcode Fuzzy Hash: 37cb06c1414e7a67947495700cfe6e644b3b44f2590690d1af6b55054985b1ac
Instruction Fuzzy Hash: F7714833E0116A8BCB10EE7CC9516BF3B91EFA0764B212528FC56A7281EA35CD45E3D0

Function 00F5833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F5835A
_wcslen.LIBCMT ref: 00F5836E
_wcslen.LIBCMT ref: 00F58391
_wcslen.LIBCMT ref: 00F583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F55BF2), ref: 00F5844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F58487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F58501
FreeLibrary.KERNEL32(?), ref: 00F5850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5851D
DestroyIcon.USER32(?,?,?,?,?,00F55BF2), ref: 00F5852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F58549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F58555

Strings

.icl, xrefs: 00F58368
.exe, xrefs: 00F58388
.dll, xrefs: 00F583AB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 300a192d335b8ec60142ee56764a0498e88331297516f18424a74d695e857c22
Instruction ID: ace2692892ef09148d245907767fbe17b360f594392007619d87646b7ce72058
Opcode Fuzzy Hash: 300a192d335b8ec60142ee56764a0498e88331297516f18424a74d695e857c22
Instruction Fuzzy Hash: E761D071900309BEEB14DF64CC81BBE77A8BF04762F104509FE16E61D1EB75A985EBA0

Function 00EC7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 00EC782F
#notrayicon, xrefs: 00EC77E7
#requireadmin, xrefs: 00EC77FF
#cs, xrefs: 00EC7873, 00EC78C5
", xrefs: 00F05153
#include, xrefs: 00EC7847
Bad directive syntax error, xrefs: 00F0519A
#pragma compile, xrefs: 00EC77D3
#ce, xrefs: 00EC78ED
', xrefs: 00F05169
#comments-start, xrefs: 00EC785F, 00EC78B1
Unterminated group of comments, xrefs: 00F0528C
#OnAutoItStartRegister, xrefs: 00EC7817
#comments-end, xrefs: 00EC78D9
Cannot parse #include, xrefs: 00F05279

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0f75772dd1b479867f437d9c38e08ac736c568b20a0c35f126f792ba7a503bf1
Instruction ID: fdc7bd34bf26a4262038393b5fb90259365515e71bc9dd8b807a10f2984e15c0
Opcode Fuzzy Hash: 0f75772dd1b479867f437d9c38e08ac736c568b20a0c35f126f792ba7a503bf1
Instruction Fuzzy Hash: C481F671A04209BBDB20AF60CE42FAF37A8AF15710F045029FD45BA1D6EB71D916EB91

Function 00F33E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F33EF8
_wcslen.LIBCMT ref: 00F33F03
_wcslen.LIBCMT ref: 00F33F5A
_wcslen.LIBCMT ref: 00F33F98
GetDriveTypeW.KERNEL32(?), ref: 00F33FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F34059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F34087

Strings

wait, xrefs: 00F34044
open, xrefs: 00F33F54, 00F33F59
close, xrefs: 00F33EFE, 00F33F18
open , xrefs: 00F33FE5
closed, xrefs: 00F33F08, 00F33F2D, 00F33F46, 00F33F7E, 00F33F97
set cd door , xrefs: 00F34028
type cdaudio alias cd wait, xrefs: 00F34001
close cd wait, xrefs: 00F34072

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a4566cee4e20627da72ddbc68681b80b9638bb537c696632ac10a3bc59d65c29
Instruction ID: fea20a6dd2c197378bcd51ab1013602ad848d6252af7314fe860c8ec4433e6d3
Opcode Fuzzy Hash: a4566cee4e20627da72ddbc68681b80b9638bb537c696632ac10a3bc59d65c29
Instruction Fuzzy Hash: 8371E072A043029FC314EF34C98096AB7F4EF94768F50492DF896A7251EB31ED46DB92

Function 00F25A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F25A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F25A40
SetWindowTextW.USER32(?,?), ref: 00F25A57
GetDlgItem.USER32(?,000003EA), ref: 00F25A6C
SetWindowTextW.USER32(00000000,?), ref: 00F25A72
GetDlgItem.USER32(?,000003E9), ref: 00F25A82
SetWindowTextW.USER32(00000000,?), ref: 00F25A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F25AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F25AC3
GetWindowRect.USER32(?,?), ref: 00F25ACC
_wcslen.LIBCMT ref: 00F25B33
SetWindowTextW.USER32(?,?), ref: 00F25B6F
GetDesktopWindow.USER32 ref: 00F25B75
GetWindowRect.USER32(00000000), ref: 00F25B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F25BD3
GetClientRect.USER32(?,?), ref: 00F25BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F25C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F25C2F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dd687e3e30023387aeb52e741faf729b69b52b4ebbdef0e148c58901d8ce3c6d
Instruction ID: 367d94c50f89f3651bb0e6b68fd79cdb473fc3b8fd620ff82353d9e9347fae72
Opcode Fuzzy Hash: dd687e3e30023387aeb52e741faf729b69b52b4ebbdef0e148c58901d8ce3c6d
Instruction Fuzzy Hash: FA719C31900B19AFCB20DFA8DE85BAEBBF5FF48B15F104518E146A25A0D774E944EF50

Function 00F3FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00F3FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00F3FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00F3FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00F3FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00F3FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00F3FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00F3FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00F3FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00F3FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00F3FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00F3FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00F3FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00F3FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00F3FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00F3FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00F3FECC
GetCursorInfo.USER32(?), ref: 00F3FEDC
GetLastError.KERNEL32 ref: 00F3FF1E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 3078d1890c0062ca81a2c82b0fa284728ee4bb604545b066f48f566da541a90e
Instruction ID: 536af2ac0e12c46a9743c149148fea8332e8cfcb66ee71b5abc7e9f4b9907769
Opcode Fuzzy Hash: 3078d1890c0062ca81a2c82b0fa284728ee4bb604545b066f48f566da541a90e
Instruction Fuzzy Hash: AF4144B0D043196ADB109FBA8C85C5EBFE8FF04764B54452AE51DEB281DB78D901CF91

Function 00EE00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EE00C6

Part of subcall function 00EE00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F9070C,00000FA0,31CE775D,?,?,?,?,00F023B3,000000FF), ref: 00EE011C
Part of subcall function 00EE00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F023B3,000000FF), ref: 00EE0127
Part of subcall function 00EE00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F023B3,000000FF), ref: 00EE0138
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EE014E
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EE015C
Part of subcall function 00EE00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EE016A
Part of subcall function 00EE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EE0195
Part of subcall function 00EE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EE01A0

___scrt_fastfail.LIBCMT ref: 00EE00E7

Part of subcall function 00EE00A3: __onexit.LIBCMT ref: 00EE00A9

Strings

WakeAllConditionVariable, xrefs: 00EE0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EE0122
SleepConditionVariableCS, xrefs: 00EE0154
InitializeConditionVariable, xrefs: 00EE0148
kernel32.dll, xrefs: 00EE0133

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 815fc25d5d5fd474ee7df09b4f07227ae580b2f495ef717b6bad9ce8289e7a22
Instruction ID: f4441e7834b56f2b985a46906f87ad0e65fa7b7613184cdb69098fd3a4cd3929
Opcode Fuzzy Hash: 815fc25d5d5fd474ee7df09b4f07227ae580b2f495ef717b6bad9ce8289e7a22
Instruction Fuzzy Hash: AB21293264575D6FE7105BB5AC05B6A33E4DB05B66F001126FE02F72D1DFB09C40AAD2

Function 00F230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2318D
_wcslen.LIBCMT ref: 00F231F8

Strings

NAME, xrefs: 00F23335, 00F23346
TEXT, xrefs: 00F2347C
REGEXPCLASS, xrefs: 00F23255, 00F23266
CLASSNN, xrefs: 00F231F3, 00F23204
INSTANCE, xrefs: 00F23453
CLASS, xrefs: 00F23188, 00F231A5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7f9c601b6eef35ee277ff06fc4654751f690ef7efdf96e9ecf5735ee88f71f33
Instruction ID: 6e17817096943224ab1ef3305ffe2d1177e22e8b65c9b9302ecc02515ec024fe
Opcode Fuzzy Hash: 7f9c601b6eef35ee277ff06fc4654751f690ef7efdf96e9ecf5735ee88f71f33
Instruction Fuzzy Hash: 41E1F5B2E005369BCB18DFB4D452BEDBBB0BF54720F54811AE456B7240DB34AF85A790

Function 00F344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F5CC08), ref: 00F34527
_wcslen.LIBCMT ref: 00F3453B
_wcslen.LIBCMT ref: 00F34599
_wcslen.LIBCMT ref: 00F345F4
_wcslen.LIBCMT ref: 00F3463F
_wcslen.LIBCMT ref: 00F346A7

Part of subcall function 00EDF9F2: _wcslen.LIBCMT ref: 00EDF9FD

GetDriveTypeW.KERNEL32(?,00F86BF0,00000061), ref: 00F34743

Strings

network, xrefs: 00F3469D, 00F346A2
removable, xrefs: 00F345EA, 00F345EF
cdrom, xrefs: 00F3458F, 00F34594
ramdisk, xrefs: 00F346F1
fixed, xrefs: 00F34635, 00F3463A
unknown, xrefs: 00F34708
all, xrefs: 00F34531, 00F34536

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 45279e7439d974c18d474f946563ac10e09f72bce4364f0d7cc907f1d29650bc
Instruction ID: a84810630e66d4f0255163ba32999f745cb0ebc412cc153fc2c02dfcc42a83bf
Opcode Fuzzy Hash: 45279e7439d974c18d474f946563ac10e09f72bce4364f0d7cc907f1d29650bc
Instruction Fuzzy Hash: 67B10E71A083029FC310DF28C891A6EB7E5AFA5734F10491DF496D7292E731F845DBA2

Function 00F43FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F5CC08), ref: 00F440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00F5CC08), ref: 00F440F2
FreeLibrary.KERNEL32(00000000,?,00F5CC08), ref: 00F4413E
StringFromGUID2.OLE32(?,?,00000028,?,00F5CC08), ref: 00F441A8
SysFreeString.OLEAUT32(00000009), ref: 00F44262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F442C8
SysFreeString.OLEAUT32(?), ref: 00F442F2

Strings

GetModuleHandleExW, xrefs: 00F440C7
kernel32.dll, xrefs: 00F440B6

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: d62eb80af28223654ea7bb7cc30994ee70099746799719313ba61c60830765d0
Instruction ID: 4348403ca944473eb86d60f50d847421f92fe9ce7cad74f62fe5062811c04604
Opcode Fuzzy Hash: d62eb80af28223654ea7bb7cc30994ee70099746799719313ba61c60830765d0
Instruction Fuzzy Hash: 12123C75A00219EFDB14CF94C884FAEBBB5FF45315F248098E905AB261D731EE46DBA0

Function 00EC326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F91990), ref: 00F02F8D
GetMenuItemCount.USER32(00F91990), ref: 00F0303D
GetCursorPos.USER32(?), ref: 00F03081
SetForegroundWindow.USER32(00000000), ref: 00F0308A
TrackPopupMenuEx.USER32(00F91990,00000000,?,00000000,00000000,00000000), ref: 00F0309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F030A9

Strings

0, xrefs: 00EC327D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: beed2a55d2b03f525000f50ba847e270b0b32f16f3d711f3b3aa856ed31f3ad9
Instruction ID: e1a0f0c506a91c359af28f182248df8750bdb85b058f55b4fd9458593d7146f6
Opcode Fuzzy Hash: beed2a55d2b03f525000f50ba847e270b0b32f16f3d711f3b3aa856ed31f3ad9
Instruction Fuzzy Hash: 90711A71A44316BEFB258F64DD49F9ABF68FF04364F204216FA156A1E0C7B1A910F790

Function 00F56CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00F56DEB

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F56E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F56E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F56E94
DestroyWindow.USER32(?), ref: 00F56EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EC0000,00000000), ref: 00F56EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F56EFD
GetDesktopWindow.USER32 ref: 00F56F16
GetWindowRect.USER32(00000000), ref: 00F56F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F56F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F56F4D

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

Strings

0, xrefs: 00F56D98
tooltips_class32, xrefs: 00F56E58, 00F56EDD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6e5a9b45c33357b88ae5b605f28e71417c99b176a31dea28cb1169af0b3925cb
Instruction ID: 250a90b7dc057e95143582ba35d5e18c1e84f12a9178b935a66ec1b3a8d889e9
Opcode Fuzzy Hash: 6e5a9b45c33357b88ae5b605f28e71417c99b176a31dea28cb1169af0b3925cb
Instruction Fuzzy Hash: 65718870904344AFDB21CF18D844FAABBE9FB89315F44051EFA99D7260D730E90AEB11

Function 00F5911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

DragQueryPoint.SHELL32(?,?), ref: 00F59147

Part of subcall function 00F57674: ClientToScreen.USER32(?,?), ref: 00F5769A
Part of subcall function 00F57674: GetWindowRect.USER32(?,?), ref: 00F57710
Part of subcall function 00F57674: PtInRect.USER32(?,?,00F58B89), ref: 00F57720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F59225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F5923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F59255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F59277
DragFinish.SHELL32(?), ref: 00F5927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F59371

Strings

@GUI_DRAGID, xrefs: 00F592E9
@GUI_DRAGFILE, xrefs: 00F59320
@GUI_DROPID, xrefs: 00F5929E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2237b263d853d630216ed973eb2b5a5a569178037542a9bc8945f1dce094e608
Instruction ID: 2a9313c2fc25a720b97a39b60e76da5d3084ecbd576809ce2aa8b040eff1da58
Opcode Fuzzy Hash: 2237b263d853d630216ed973eb2b5a5a569178037542a9bc8945f1dce094e608
Instruction Fuzzy Hash: E861A071108305AFD705DF50DC85EAFBBE8EF89350F10092DF696931A1DB719A09DB92

Function 00F3C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F3C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F3C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F3C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F3C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F3C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F3C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F3C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F3C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F3C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F3C5F0
InternetCloseHandle.WININET(00000000), ref: 00F3C5FB

Strings

, xrefs: 00F3C575

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6238fe2b8ba240b3303696f04507e13908e550f243c4fbc2e8df3bc69835faa4
Instruction ID: a81f56986d2cd08595b071504c4652c9abcb49ace3406de5c06c594c18d351d7
Opcode Fuzzy Hash: 6238fe2b8ba240b3303696f04507e13908e550f243c4fbc2e8df3bc69835faa4
Instruction Fuzzy Hash: D6514AB1500309BFDB219F60DD88AAB7BBCFF08765F044419FA46A6610DB34E944EBA0

Function 00F5856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00F58592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585BA
GlobalLock.KERNEL32(00000000), ref: 00F585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585D7
GlobalUnlock.KERNEL32(00000000), ref: 00F585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00F5FC38,?), ref: 00F58611
GlobalFree.KERNEL32(00000000), ref: 00F58621
GetObjectW.GDI32(?,00000018,?), ref: 00F58641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F58671
DeleteObject.GDI32(?), ref: 00F58699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F586AF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 78e92b29ac9b40b60227dfa112ec9fafa32ac4e7ce2489febbc893055341ec1c
Instruction ID: d1c2bc9493d6512ca2111bd0fc704791251250330a59a4789cf2365fd6615691
Opcode Fuzzy Hash: 78e92b29ac9b40b60227dfa112ec9fafa32ac4e7ce2489febbc893055341ec1c
Instruction Fuzzy Hash: 5A41FC75600308AFDB11DF65DC48EAA7BB8EF89762F144058FA06E7250DB309D45EF60

Function 00F314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00F31502
VariantCopy.OLEAUT32(?,?), ref: 00F3150B
VariantClear.OLEAUT32(?), ref: 00F31517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00F31657
VariantInit.OLEAUT32(?), ref: 00F31708
SysFreeString.OLEAUT32(?), ref: 00F3178C
VariantClear.OLEAUT32(?), ref: 00F317D8
VariantClear.OLEAUT32(?), ref: 00F317E7
VariantInit.OLEAUT32(00000000), ref: 00F31823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F31625
Default, xrefs: 00F316AF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 36dc26b860e90871e33dfeb955cfe8c3cd0e8854b8a2b415f35e61030b1f50c9
Instruction ID: 531a95886d1cbbba70525d4a2ef2202145ad8ddc361dc7462dcc5d6ecfba6cd0
Opcode Fuzzy Hash: 36dc26b860e90871e33dfeb955cfe8c3cd0e8854b8a2b415f35e61030b1f50c9
Instruction Fuzzy Hash: 59D1F132A00205DBDB50DF65E885B7DB7F5FF44720F18845AE806AB280DB30DD46EBA1

Function 00F4B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F4B80A
RegCloseKey.ADVAPI32(?), ref: 00F4B87E
RegCloseKey.ADVAPI32(?), ref: 00F4B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F4B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F4B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F4B922
FreeLibrary.KERNEL32(00000000), ref: 00F4B983
RegCloseKey.ADVAPI32(00000000), ref: 00F4B994

Strings

advapi32.dll, xrefs: 00F4B8ED
RegDeleteKeyExW, xrefs: 00F4B8FE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f7c806e7a816b0954cdececaea8b5c3c90759fc5e25ca9416125b1006f41de9e
Instruction ID: a025ad6fc889d6ef7de30cd4841014bbf459b0ac742f06f4251bc18308164ca6
Opcode Fuzzy Hash: f7c806e7a816b0954cdececaea8b5c3c90759fc5e25ca9416125b1006f41de9e
Instruction Fuzzy Hash: D5C19C31608301AFD714DF14C494F2ABBE5BF84318F18945CE99A9B2A3CB36EC46DB81

Function 00F4255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F425E8
CreateCompatibleDC.GDI32(?), ref: 00F425F4
SelectObject.GDI32(00000000,?), ref: 00F42601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F4266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F426D0
SelectObject.GDI32(?,?), ref: 00F426D8
DeleteObject.GDI32(?), ref: 00F426E1
DeleteDC.GDI32(?), ref: 00F426E8
ReleaseDC.USER32(00000000,?), ref: 00F426F3

Strings

(, xrefs: 00F4268D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fec4f89ffe0dad3574a51802cac3f8e090a8988f72b68e26917c70e1f34151b1
Instruction ID: 7438fc6a9b7dbc3c6f3ed848a05dd92a9cd93da3a283876f41c977f061514911
Opcode Fuzzy Hash: fec4f89ffe0dad3574a51802cac3f8e090a8988f72b68e26917c70e1f34151b1
Instruction Fuzzy Hash: 9761D175D00219EFCF04CFA8D884AAEBBB5FF48310F208529EA56A7250D774A951DF90

Function 00EFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EFDAA1

Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD659
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD66B
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD67D
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD68F
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6A1
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6B3
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6C5
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6D7
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6E9
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD6FB
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD70D
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD71F
Part of subcall function 00EFD63C: _free.LIBCMT ref: 00EFD731

_free.LIBCMT ref: 00EFDA96

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFDAB8
_free.LIBCMT ref: 00EFDACD
_free.LIBCMT ref: 00EFDAD8
_free.LIBCMT ref: 00EFDAFA
_free.LIBCMT ref: 00EFDB0D
_free.LIBCMT ref: 00EFDB1B
_free.LIBCMT ref: 00EFDB26
_free.LIBCMT ref: 00EFDB5E
_free.LIBCMT ref: 00EFDB65
_free.LIBCMT ref: 00EFDB82
_free.LIBCMT ref: 00EFDB9A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fc1dcdc13bf40d8c9f39d5f3955807bbbcdc9494d7137152dc43b76e4d006ad7
Instruction ID: 01a991948c193e4fe60bdc537c67ee51afc55b46b258cd3e7c2ba84e5e031e72
Opcode Fuzzy Hash: fc1dcdc13bf40d8c9f39d5f3955807bbbcdc9494d7137152dc43b76e4d006ad7
Instruction Fuzzy Hash: 82315A3164860E9FEB22AE38EC45B7A7BEAFF40315F11651DE648E7191DB71EC408724

Function 00F2365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F2369C
_wcslen.LIBCMT ref: 00F236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F23797
GetClassNameW.USER32(?,?,00000400), ref: 00F2380C
GetDlgCtrlID.USER32(?), ref: 00F2385D
GetWindowRect.USER32(?,?), ref: 00F23882
GetParent.USER32(?), ref: 00F238A0
ScreenToClient.USER32(00000000), ref: 00F238A7
GetClassNameW.USER32(?,?,00000100), ref: 00F23921
GetWindowTextW.USER32(?,?,00000400), ref: 00F2395D

Strings

%s%u, xrefs: 00F23734

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7a558765d8e8bdad8162ced7337f7f93dd3c76928994ea1c0a135ebc1ee3b92f
Instruction ID: ed6d6f2267884f78d8d981bb4acc27e1bc7add0cecc7911ff94f1246ce01fdb5
Opcode Fuzzy Hash: 7a558765d8e8bdad8162ced7337f7f93dd3c76928994ea1c0a135ebc1ee3b92f
Instruction Fuzzy Hash: B591E3B160431AAFD708DF24D884FEAB7E9FF44310F004529F99AD6190DB38EA45DB91

Function 00F24954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F24994
GetWindowTextW.USER32(?,?,00000400), ref: 00F249DA
_wcslen.LIBCMT ref: 00F249EB
CharUpperBuffW.USER32(?,00000000), ref: 00F249F7
_wcsstr.LIBVCRUNTIME ref: 00F24A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F24A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F24A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F24AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F24B20
GetWindowRect.USER32(?,?), ref: 00F24B8B

Strings

ThumbnailClass, xrefs: 00F24A6F, 00F24AF1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b70e75bae5d3492d135c6fbb86301cf3f90d7a44dd590c343a4e12d19254717b
Instruction ID: 67afce746b2e96ff11d6bc5118996294cbc56e98c535248ad430edccd795d696
Opcode Fuzzy Hash: b70e75bae5d3492d135c6fbb86301cf3f90d7a44dd590c343a4e12d19254717b
Instruction Fuzzy Hash: FF91D0324043199FDB04CF14E985FAA77E8FF84324F048469FD859A096DBB4ED45DBA1

Function 00F58D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F58D5A
GetFocus.USER32 ref: 00F58D6A
GetDlgCtrlID.USER32(00000000), ref: 00F58D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00F58E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F58ECF
GetMenuItemCount.USER32(?), ref: 00F58EEC
GetMenuItemID.USER32(?,00000000), ref: 00F58EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F58F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F58F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F58FA1

Strings

0, xrefs: 00F58E9F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e210e4efda3eee0a6fd16683f6a0e91753b9859c9f7870448cc18a5193d6743d
Instruction ID: f36dae0cd848223b5e96b9a614cf2e8e99bc58d801fce4c1160c6a5e6c8c57a8
Opcode Fuzzy Hash: e210e4efda3eee0a6fd16683f6a0e91753b9859c9f7870448cc18a5193d6743d
Instruction Fuzzy Hash: 5681AF719043059FDB10CF14D885AAB7BE9FB883A5F040919FE85A7291DB70D90AEBA1

Function 00F2BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F91990,000000FF,00000000,00000030), ref: 00F2BFAC
SetMenuItemInfoW.USER32(00F91990,00000004,00000000,00000030), ref: 00F2BFE1
Sleep.KERNEL32(000001F4), ref: 00F2BFF3
GetMenuItemCount.USER32(?), ref: 00F2C039
GetMenuItemID.USER32(?,00000000), ref: 00F2C056
GetMenuItemID.USER32(?,-00000001), ref: 00F2C082
GetMenuItemID.USER32(?,?), ref: 00F2C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F2C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F2C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F2C145

Strings

0, xrefs: 00F2BF3D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: fdda4934d92059ea7702c7194f313bdb541643cd3b0ab11f7eb2e4081afb8ce8
Instruction ID: 48bbce8590cb4dab03dbbb99a64269593586a8af018331436661f7be7b7cffc0
Opcode Fuzzy Hash: fdda4934d92059ea7702c7194f313bdb541643cd3b0ab11f7eb2e4081afb8ce8
Instruction Fuzzy Hash: 8861ADB090036AAFDF11CFA4ED89AAE7BB8FF05354F140055E912A3291D735AD14EBE0

Function 00F2DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F2DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F2DC46
_wcslen.LIBCMT ref: 00F2DC50
_wcsstr.LIBVCRUNTIME ref: 00F2DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F2DCBC

Strings

StringFileInfo\, xrefs: 00F2DC8F
DefaultLangCodepage, xrefs: 00F2DD1F
\VarFileInfo\Translation, xrefs: 00F2DCB4
04090000, xrefs: 00F2DCF2
%u.%u.%u.%u, xrefs: 00F2DD9A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: eed26fdedae969ff6f293656642ed07126890db16e74d0ec062ae7588f247470
Instruction ID: a6682b30532b566d29262b741a8fe0f24735b0335d96b8976f6f16e422676fc4
Opcode Fuzzy Hash: eed26fdedae969ff6f293656642ed07126890db16e74d0ec062ae7588f247470
Instruction Fuzzy Hash: BB4122329403197ADB00E761AC07EFF37ECEF45720F50106AFA01B6182EB21DA01A7A5

Function 00F4CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F4CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F4CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F4CD48

Part of subcall function 00F4CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F4CCAA
Part of subcall function 00F4CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F4CCBD
Part of subcall function 00F4CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F4CCCF
Part of subcall function 00F4CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F4CD05
Part of subcall function 00F4CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F4CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F4CCF3

Strings

advapi32.dll, xrefs: 00F4CCB8
RegDeleteKeyExW, xrefs: 00F4CCC9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f1cee007af8c95daf1b87077b7ab3386aa076a9b4edd393c6a65828b3c6721e6
Instruction ID: 0f05d4fc46e881cae8d56da5f47e5b4b49d04654d80c4314da135674944bb188
Opcode Fuzzy Hash: f1cee007af8c95daf1b87077b7ab3386aa076a9b4edd393c6a65828b3c6721e6
Instruction Fuzzy Hash: 6C316B71D02229BBDB209B51DC88EEFBF7CEF05751F000165AA16E2250DA349A45EAE0

Function 00F33D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F33D40
_wcslen.LIBCMT ref: 00F33D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F33D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F33DBE
RemoveDirectoryW.KERNEL32(?), ref: 00F33DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F33E55
CloseHandle.KERNEL32(00000000), ref: 00F33E60
CloseHandle.KERNEL32(00000000), ref: 00F33E6B

Strings

\??\%s, xrefs: 00F33D5B
\, xrefs: 00F33D77
:, xrefs: 00F33D82

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9dcb918af4a0152061b4a475d5a9e6ffc9bfee106cded63d0a6b3f0b8b410608
Instruction ID: ae20f880e05c9c2b4228cd8f6851e6c1d6c49d85e3b3a01b9db7be9f26fe4a0c
Opcode Fuzzy Hash: 9dcb918af4a0152061b4a475d5a9e6ffc9bfee106cded63d0a6b3f0b8b410608
Instruction Fuzzy Hash: A031837290025DABDB21DBA0DC49FEB37BCEF88711F1041A5F605E6160E77497849B64

Function 00F2E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F2E6B4

Part of subcall function 00EDE551: timeGetTime.WINMM(?,?,00F2E6D4), ref: 00EDE555

Sleep.KERNEL32(0000000A), ref: 00F2E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F2E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F2E727
SetActiveWindow.USER32 ref: 00F2E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F2E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F2E773
Sleep.KERNEL32(000000FA), ref: 00F2E77E
IsWindow.USER32 ref: 00F2E78A
EndDialog.USER32(00000000), ref: 00F2E79B

Strings

BUTTON, xrefs: 00F2E719

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 31973de2dcaf9df866807d1d5afc2542bd7bb174cda469a8b65999d2a02d456c
Instruction ID: e49a5794e25ad54d4b5b9faebf6d39db1bcc2bac50cc37c9c93b4c31fa71f55c
Opcode Fuzzy Hash: 31973de2dcaf9df866807d1d5afc2542bd7bb174cda469a8b65999d2a02d456c
Instruction Fuzzy Hash: 9821C3B020431DBFEB105F60FC89E253B69F75575AF200426F617826A2DB75AC00BB64

Function 00F2E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F2EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F2EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F2EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F2EAA7

Strings

play PlayMe wait, xrefs: 00F2EA91
play PlayMe, xrefs: 00F2EAA2
open , xrefs: 00F2EA0C
alias PlayMe, xrefs: 00F2EA36
close PlayMe, xrefs: 00F2EA6E, 00F2EA9B
status PlayMe mode, xrefs: 00F2EA58

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 2ff3be7469a837f915f21314907cbe363ece0a5b388d2636ad72bedcfc52612e
Instruction ID: bf8d73d23cef0dc4975110f67acee19c4ab6e986d761dc684793c1643a501759
Opcode Fuzzy Hash: 2ff3be7469a837f915f21314907cbe363ece0a5b388d2636ad72bedcfc52612e
Instruction Fuzzy Hash: 0211A331B5026979D720B7A1ED4AEFF6ABCEBD1B10F100429B411E20D1EE704906DAB1

Function 00F29F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F2A012
SetKeyboardState.USER32(?), ref: 00F2A07D
GetAsyncKeyState.USER32(000000A0), ref: 00F2A09D
GetKeyState.USER32(000000A0), ref: 00F2A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00F2A0E3
GetKeyState.USER32(000000A1), ref: 00F2A0F4
GetAsyncKeyState.USER32(00000011), ref: 00F2A120
GetKeyState.USER32(00000011), ref: 00F2A12E
GetAsyncKeyState.USER32(00000012), ref: 00F2A157
GetKeyState.USER32(00000012), ref: 00F2A165
GetAsyncKeyState.USER32(0000005B), ref: 00F2A18E
GetKeyState.USER32(0000005B), ref: 00F2A19C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7b75fbaf0f41b483e5e9831332546a9ebaf484b469815bf5d6b7b61e03f4c118
Instruction ID: 75c00030d1a286ae8cb2144e0c658bfc7d6015f44e7c4cc567b57e8422d7dd5c
Opcode Fuzzy Hash: 7b75fbaf0f41b483e5e9831332546a9ebaf484b469815bf5d6b7b61e03f4c118
Instruction Fuzzy Hash: 0A510C30D087A82BFB35DBB0A9107EABFB49F01360F084599D5C2571C2DA949A4CDB63

Function 00F25CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F25CE2
GetWindowRect.USER32(00000000,?), ref: 00F25CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F25D59
GetDlgItem.USER32(?,00000002), ref: 00F25D69
GetWindowRect.USER32(00000000,?), ref: 00F25D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F25DCF
GetDlgItem.USER32(?,000003E9), ref: 00F25DDD
GetWindowRect.USER32(00000000,?), ref: 00F25DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F25E31
GetDlgItem.USER32(?,000003EA), ref: 00F25E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F25E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F25E67

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 30202f862763775b1ce9e72f81adf54aec043b3829d33bc3f0da0aa5d678d52e
Instruction ID: 0e7e8b0fb4b8a00bfb526843438b34088f5419c6dbbf19ba4d4b15418a9591b0
Opcode Fuzzy Hash: 30202f862763775b1ce9e72f81adf54aec043b3829d33bc3f0da0aa5d678d52e
Instruction Fuzzy Hash: 83511D71E00719AFDF18CF68DD89AAEBBB5EB48711F508129F516E7290D7709E00DB50

Function 00ED8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED8BE8,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00ED8FC5

DestroyWindow.USER32(?), ref: 00ED8C81
KillTimer.USER32(00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00ED8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F16973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00F169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000,?), ref: 00F169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00ED8BBA,00000000), ref: 00F169D4
DeleteObject.GDI32(00000000), ref: 00F169E6

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0ff0d5dbdc353eeab871b7a1b35e5594b227d613085fa489564f2a23669c8ce5
Instruction ID: f70cb1daa6010fd24483d9ca8887abcc5c42a3ce22edb721eaa69515dfa98adf
Opcode Fuzzy Hash: 0ff0d5dbdc353eeab871b7a1b35e5594b227d613085fa489564f2a23669c8ce5
Instruction Fuzzy Hash: 0861BF30511709DFDB359F14DA48B69B7F1FF40326F14552AE042A66A0CB35ACC2EF91

Function 00ED9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9944: GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

GetSysColor.USER32(0000000F), ref: 00ED9862

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3dea19cafd4b59b59513ff703620a9da02d064fb53d834777ea2873fcb1c98ee
Instruction ID: 53ca3bbdba15cb09b3e8dadc6f2017d2251c62ab00e38658cdcfd933886637d5
Opcode Fuzzy Hash: 3dea19cafd4b59b59513ff703620a9da02d064fb53d834777ea2873fcb1c98ee
Instruction Fuzzy Hash: 0F41F5355047049FDB245F389C84BB937A5EB06731F185606FAA6972E2C7319C43FB50

Function 00EF8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00EF903A, 00EF8FD0, 00EF8FF2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: bd60ea5abfd54c72babe4890365be6f13604965dae302d7c002a60f8a564a3f3
Instruction ID: 1c153bca2385c8c6dd6b0b80e742894e351a15edb218536bc8b709bd64d6441b
Opcode Fuzzy Hash: bd60ea5abfd54c72babe4890365be6f13604965dae302d7c002a60f8a564a3f3
Instruction Fuzzy Hash: 2AC1E075A0424DAFCB11DFA8D841BBDBBF0AF49314F086199EA55B73A2CB318941CB61

Function 00F296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F29717
LoadStringW.USER32(00000000,?,00F0F7F8,00000001), ref: 00F29720

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F29742
LoadStringW.USER32(00000000,?,00F0F7F8,00000001), ref: 00F29745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F29866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F2984A
Line %d (File "%s"):, xrefs: 00F2978F
Line %d:, xrefs: 00F297A0
Error: , xrefs: 00F2981D
^ ERROR, xrefs: 00F297FB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 098e92484d8494397b9e0052e465743a59927719d7c43449d02e7b0d4279d3f8
Instruction ID: 10068133b0e84b5e2786a3fd4f0a41e309bc01861b598739792fa3e4cd7affbe
Opcode Fuzzy Hash: 098e92484d8494397b9e0052e465743a59927719d7c43449d02e7b0d4279d3f8
Instruction Fuzzy Hash: BA416172904219AACF04FBE0DE46EEE73B8AF54300F501029F60673092EB765F49DB61

Function 00F206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F20804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F2082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F20837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F2083C

Strings

\CLSID, xrefs: 00F20724
SOFTWARE\Classes\, xrefs: 00F2070E
\IPC$, xrefs: 00F20784

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4ee5c92cc1a66c5c242807a99d590092cf793c951eeef17be08db825237efe2e
Instruction ID: ea8d82556d89c9fa0a3e3386b1ab839b5d44314fbc8e17d42a99e13071136ddc
Opcode Fuzzy Hash: 4ee5c92cc1a66c5c242807a99d590092cf793c951eeef17be08db825237efe2e
Instruction Fuzzy Hash: AD411872D1022DABCF15EBA4EC85DEEB7B8FF04754B044129E901B31A1EB319E05DB90

Function 00F53F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F5403B
CreateCompatibleDC.GDI32(00000000), ref: 00F54042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F54055
SelectObject.GDI32(00000000,00000000), ref: 00F5405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F54068
DeleteDC.GDI32(00000000), ref: 00F54072
GetWindowLongW.USER32(?,000000EC), ref: 00F5407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00F54092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00F5409E

Strings

static, xrefs: 00F53FD3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e510502b03aff64d31b26785807164b49c491e2d381031874f260dfd576eb276
Instruction ID: bd027adbd3ea0169f5581c0a7ddab91cf26198929934d1022f7bd2a2f2488fd2
Opcode Fuzzy Hash: e510502b03aff64d31b26785807164b49c491e2d381031874f260dfd576eb276
Instruction Fuzzy Hash: CE315A32500319AFDF219FA4DC49FDA3BA8EF09366F110211FB19E60A0C735D855EBA0

Function 00F43C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F43C5C
CoInitialize.OLE32(00000000), ref: 00F43C8A
CoUninitialize.OLE32 ref: 00F43C94
_wcslen.LIBCMT ref: 00F43D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F43DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F43ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F43F0E
CoGetObject.OLE32(?,00000000,00F5FB98,?), ref: 00F43F2D
SetErrorMode.KERNEL32(00000000), ref: 00F43F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F43FC4
VariantClear.OLEAUT32(?), ref: 00F43FD8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9c212d3f04252dd3695485a8c5d2db41289053211ad1cd16ddb5d2d7a39e2a02
Instruction ID: 6727495f67096851644edb5cca023efc78b1a5a272fb14941ac7dc7d9064177c
Opcode Fuzzy Hash: 9c212d3f04252dd3695485a8c5d2db41289053211ad1cd16ddb5d2d7a39e2a02
Instruction Fuzzy Hash: 1DC14771A083059FD700DF68C88492BBBE9FF89754F10491DF98A9B251D731EE0ADB92

Function 00F37A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F37AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F37B8F
SHGetDesktopFolder.SHELL32(?), ref: 00F37BA3
CoCreateInstance.OLE32(00F5FD08,00000000,00000001,00F86E6C,?), ref: 00F37BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F37C74
CoTaskMemFree.OLE32(?,?), ref: 00F37CCC
SHBrowseForFolderW.SHELL32(?), ref: 00F37D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F37D7A
CoTaskMemFree.OLE32(00000000), ref: 00F37D81
CoTaskMemFree.OLE32(00000000), ref: 00F37DD6
CoUninitialize.OLE32 ref: 00F37DDC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 433ff6d5dc95bbb4cc55627176d78c0925befa5abf7fbe8b55c8f8a7943358f4
Instruction ID: ce399797d46cfbd38311e2281e722c906ff9bc1cec21b349e332fd1cbd0e0369
Opcode Fuzzy Hash: 433ff6d5dc95bbb4cc55627176d78c0925befa5abf7fbe8b55c8f8a7943358f4
Instruction Fuzzy Hash: 61C13B75A04209AFCB14DF64C884DAEBBF9FF48314F148499E916AB361D731ED42DB90

Function 00F5541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F55504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F55515
CharNextW.USER32(00000158), ref: 00F55544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F55585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F5559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F555AC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 36b80a2a59de6c29c862fa62c481e16ee326c00e5032b292c91cae65664720de
Instruction ID: 56841d27a6171af5638ce170c987e336222ba269518da9b03979710f6cfc3d41
Opcode Fuzzy Hash: 36b80a2a59de6c29c862fa62c481e16ee326c00e5032b292c91cae65664720de
Instruction Fuzzy Hash: B4617131900609EFDF10DF54CCA4AFE7B79FB06B26F144145FB15A6290D7748A49EB60

Function 00F1FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F1FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F1FB08
VariantInit.OLEAUT32(?), ref: 00F1FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F1FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F1FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F1FBA1
VariantClear.OLEAUT32(?), ref: 00F1FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F1FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F1FBCC
VariantClear.OLEAUT32(?), ref: 00F1FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F1FBE9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 287279d69a872586adee25b894182c1a9a2e285d5a8d73c6bf8284bd00eb6ace
Instruction ID: 680e21905682dbd88e6e6fc84297daa42e2834d7fa4490a83c9c77d14ab6e540
Opcode Fuzzy Hash: 287279d69a872586adee25b894182c1a9a2e285d5a8d73c6bf8284bd00eb6ace
Instruction Fuzzy Hash: D5414E75A00319DFCB00DF64CC54DEEBBB9FF48355F048069E956A7261CB34A986EBA0

Function 00F29C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F29CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F29D22
GetKeyState.USER32(000000A0), ref: 00F29D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F29D57
GetKeyState.USER32(000000A1), ref: 00F29D6C
GetAsyncKeyState.USER32(00000011), ref: 00F29D84
GetKeyState.USER32(00000011), ref: 00F29D96
GetAsyncKeyState.USER32(00000012), ref: 00F29DAE
GetKeyState.USER32(00000012), ref: 00F29DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F29DD8
GetKeyState.USER32(0000005B), ref: 00F29DEA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3b07bc2a409f40c70d8628408d8b0cb411fba5aaa5a8fe3b871dd4039bd8cf78
Instruction ID: 25426eefef1ce35f1fe4810eb892f22dab3cb87e9c251ca07ee143a27279074c
Opcode Fuzzy Hash: 3b07bc2a409f40c70d8628408d8b0cb411fba5aaa5a8fe3b871dd4039bd8cf78
Instruction Fuzzy Hash: F441D834D0CBDA6DFF308760A4043B5BEA0AF11364F48805ADAC6575C2EBE499C4F7A2

Function 00F4055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F405BC
inet_addr.WSOCK32(?), ref: 00F4061C
gethostbyname.WSOCK32(?), ref: 00F40628
IcmpCreateFile.IPHLPAPI ref: 00F40636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F407B9
WSACleanup.WSOCK32 ref: 00F407BF

Strings

Ping, xrefs: 00F40676

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a3bd509f219bbca219a26938e76ecd0f1c29c0bdcffa23d3f6202c9c50f2271f
Instruction ID: cebf978b92b1d0f3ff12c20babc538a1b280bbbc4fca42718c75cf01a724b890
Opcode Fuzzy Hash: a3bd509f219bbca219a26938e76ecd0f1c29c0bdcffa23d3f6202c9c50f2271f
Instruction Fuzzy Hash: CB916D359043019FD720DF15C588F1ABBE0EF44328F158599EA6A9B7A2CB31ED41DF92

Function 00F48CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F48CF3

Part of subcall function 00F28E54: _wcslen.LIBCMT ref: 00F28E77

_wcslen.LIBCMT ref: 00F48D4E
_wcslen.LIBCMT ref: 00F48D9C
_wcslen.LIBCMT ref: 00F48DDC
_wcslen.LIBCMT ref: 00F48E6E

Strings

none, xrefs: 00F48E65, 00F48E6A
stdcall, xrefs: 00F48DD6, 00F48DDB
winapi, xrefs: 00F48D96, 00F48D9B
cdecl, xrefs: 00F48D48, 00F48D4D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1ba0d69d7965ce322a5d7ec218003940973af62d45400ad78a0b91a870aecaa9
Instruction ID: aa9a511ba76c6f79d8b03a040ac4d8bb1276f01866997efe8c1ac45ba5079ffe
Opcode Fuzzy Hash: 1ba0d69d7965ce322a5d7ec218003940973af62d45400ad78a0b91a870aecaa9
Instruction Fuzzy Hash: 9451A632E001169BCB14DFACC9409BEBBF5BF64364B244229E826E72C5DB35DD42E790

Function 00F4372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F43774
CoUninitialize.OLE32 ref: 00F4377F
CoCreateInstance.OLE32(?,00000000,00000017,00F5FB78,?), ref: 00F437D9
IIDFromString.OLE32(?,?), ref: 00F4384C
VariantInit.OLEAUT32(?), ref: 00F438E4
VariantClear.OLEAUT32(?), ref: 00F43936

Strings

Invalid parameter, xrefs: 00F43865
NULL Pointer assignment, xrefs: 00F4381E
Failed to create object, xrefs: 00F437E4, 00F4389A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 585a6fc52741091cfa5e5e0b1d248d26a6d1f6a52c73dddd781bbf3be60bb979
Instruction ID: 3fa7b0280fb6b383be215441cbe091253cbd06786ef82683aaf8a4af18035d4e
Opcode Fuzzy Hash: 585a6fc52741091cfa5e5e0b1d248d26a6d1f6a52c73dddd781bbf3be60bb979
Instruction Fuzzy Hash: 5661B272608311AFD310EF54C889F6ABBE8EF48715F10081DF9859B291D774EE49EB92

Function 00F33388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F333CF

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F333F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00F33522
Line %d (File "%s"):, xrefs: 00F33443, 00F3345C
Incorrect parameters to object property !, xrefs: 00F334AB
^ ERROR , xrefs: 00F3349E
Error: , xrefs: 00F334D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00F33504

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 13d04deb0aedcc3ab67f9b46db3a9520e77a9105f6344a97f451ef6e2f48534e
Instruction ID: 40fdb66595b717cc70a19021b0f0622ac5761ea7df2f0bf95365ce284ccfa17c
Opcode Fuzzy Hash: 13d04deb0aedcc3ab67f9b46db3a9520e77a9105f6344a97f451ef6e2f48534e
Instruction Fuzzy Hash: 9B519032D0020AAADF15EBE0DE46EEEB7B8AF04340F145169F50573052EB366F59EB61

Function 00F2B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F2B5FC
_wcslen.LIBCMT ref: 00F2B608
_wcslen.LIBCMT ref: 00F2B64D
_wcslen.LIBCMT ref: 00F2B68C
_wcslen.LIBCMT ref: 00F2B6C7

Strings

EXISTS, xrefs: 00F2B686, 00F2B68B
REMOVE, xrefs: 00F2B602, 00F2B607
APPEND, xrefs: 00F2B6C1, 00F2B6C6
KEYS, xrefs: 00F2B647, 00F2B64C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 99d93543552ede2ba237652c15cf741c36d12e3343e96d2a85b0fd3099fedd83
Instruction ID: 6db4d3ea7f0b0e1ecec233833bc61509b5fa11a56bc91f514c68ffbd57740a45
Opcode Fuzzy Hash: 99d93543552ede2ba237652c15cf741c36d12e3343e96d2a85b0fd3099fedd83
Instruction Fuzzy Hash: 3141E832E0013B9BCB106F7D98905BE7BA5FFA0764B244169EC22E7285E735CD81E790

Function 00F35393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F35416
GetLastError.KERNEL32 ref: 00F35420
SetErrorMode.KERNEL32(00000000,READY), ref: 00F354A7

Strings

UNKNOWN, xrefs: 00F35444
READONLY, xrefs: 00F35452
INVALID, xrefs: 00F35459
READY, xrefs: 00F35460, 00F35468
NOTREADY, xrefs: 00F3544B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fb4c156fedba5e99e00a1e06c69b856bdcdd882b4befb8825316ad03ec69d36b
Instruction ID: b1aff74ee17ec81fab88c78914058ff48c0f40bce69f364241248b98f47116ce
Opcode Fuzzy Hash: fb4c156fedba5e99e00a1e06c69b856bdcdd882b4befb8825316ad03ec69d36b
Instruction Fuzzy Hash: 1C31B276E006049FD714DF68C894FEABBB4EF84725F148069E906DB292D731DD82EB90

Function 00F53C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F53C79
SetMenu.USER32(?,00000000), ref: 00F53C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F53D10
IsMenu.USER32(?), ref: 00F53D24
CreatePopupMenu.USER32 ref: 00F53D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F53D5B
DrawMenuBar.USER32 ref: 00F53D63

Strings

F, xrefs: 00F53D4E
0, xrefs: 00F53C54

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 08abe82897db05c9f5183d9fb8aa21a30b3745134c1a3602fdb8f792a751ba21
Instruction ID: a3527d560f39b714a3e0a026252bebfac49a0fca2780458ea60fbe7e29a3faf9
Opcode Fuzzy Hash: 08abe82897db05c9f5183d9fb8aa21a30b3745134c1a3602fdb8f792a751ba21
Instruction Fuzzy Hash: 12414C75A01309AFDB14CFA4D844B9A77B5FF49391F140029FE46A7360D770AA14EF94

Function 00F21EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F21F64
GetDlgCtrlID.USER32 ref: 00F21F6F
GetParent.USER32 ref: 00F21F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F21F8E
GetDlgCtrlID.USER32(?), ref: 00F21F97
GetParent.USER32(?), ref: 00F21FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F21FAE

Strings

ListBox, xrefs: 00F21F21
ComboBox, xrefs: 00F21EEC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0ccc71264215cea540a7974165bc9ab6412575b3176ab059b5cc04bf8fead28a
Instruction ID: 052b78df98263daf4b9f7de38aed0a019171bede434d602be096d01071a49599
Opcode Fuzzy Hash: 0ccc71264215cea540a7974165bc9ab6412575b3176ab059b5cc04bf8fead28a
Instruction Fuzzy Hash: 8621C571D00318BFCF04AFA0DD55EEEBBB4EF16310B100115F96567291CB395A15EB64

Function 00F21FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F22043
GetDlgCtrlID.USER32 ref: 00F2204E
GetParent.USER32 ref: 00F2206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F2206D
GetDlgCtrlID.USER32(?), ref: 00F22076
GetParent.USER32(?), ref: 00F2208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F2208D

Strings

ListBox, xrefs: 00F22002
ComboBox, xrefs: 00F21FCD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 5f4bc5be13e68eb1ade4f628441cad595e06f5112a049324cd562d7779afcfde
Instruction ID: 3eff006d27b11d8d5312aedc54688fde562433159e8062217e73d26a162b447b
Opcode Fuzzy Hash: 5f4bc5be13e68eb1ade4f628441cad595e06f5112a049324cd562d7779afcfde
Instruction Fuzzy Hash: 5E21C2B1D00318BFCF14EFA0DC85EEEBBB8EF15300F100415B956A71A1CA799915EB60

Function 00F53A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F53A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F53AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F53AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F53AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F53B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F53BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F53BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F53BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F53BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F53C13

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b2b5266ba18e7ebe82d5ddc1f6c1dc8f5b152937b0894082fccd811d8386a52c
Instruction ID: 8587e49bb9c2f1e6b6c99c3b882dfeb825f87c333a943352cc6fa9c9b47ab9e9
Opcode Fuzzy Hash: b2b5266ba18e7ebe82d5ddc1f6c1dc8f5b152937b0894082fccd811d8386a52c
Instruction Fuzzy Hash: CE617B75900248AFDB11DFA8CC81EEE77F8EB49710F1001AAFA15E72A1C774AE45EB50

Function 00EF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF2C94

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EF2CA0
_free.LIBCMT ref: 00EF2CAB
_free.LIBCMT ref: 00EF2CB6
_free.LIBCMT ref: 00EF2CC1
_free.LIBCMT ref: 00EF2CCC
_free.LIBCMT ref: 00EF2CD7
_free.LIBCMT ref: 00EF2CE2
_free.LIBCMT ref: 00EF2CED
_free.LIBCMT ref: 00EF2CFB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 385f491af0d2376e655ecd9f2d793805919f25cee185eb837290746717f7d64a
Instruction ID: f5ee84a719fca758f5bf373979646722fccb63d39667a918663c0f6d21abf0cf
Opcode Fuzzy Hash: 385f491af0d2376e655ecd9f2d793805919f25cee185eb837290746717f7d64a
Instruction Fuzzy Hash: FA11937654010DAFCB02EF94D882CED3BA5FF45350F4154A9FB48AB222DB71EE509B90

Function 00F37DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F37FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F37FC1
GetFileAttributesW.KERNEL32(?), ref: 00F37FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F38005
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38017
SetCurrentDirectoryW.KERNEL32(?), ref: 00F38060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F380B0

Strings

*.*, xrefs: 00F38066

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 40cdb44aeecf285d0552c174fcfdfcdb251fa45b6d5e57a33b1899242e9c378e
Instruction ID: 89c828a8a8ceb48b1e06d902859cd02eca43c2ed438442c253780740191ab5ca
Opcode Fuzzy Hash: 40cdb44aeecf285d0552c174fcfdfcdb251fa45b6d5e57a33b1899242e9c378e
Instruction Fuzzy Hash: AE8191B29083459BCB34EF14C844AAEB3E8BF88370F14485EF885D7250DB75DD85AB92

Function 00EC5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EC5C7A

Part of subcall function 00EC5D0A: GetClientRect.USER32(?,?), ref: 00EC5D30
Part of subcall function 00EC5D0A: GetWindowRect.USER32(?,?), ref: 00EC5D71
Part of subcall function 00EC5D0A: ScreenToClient.USER32(?,?), ref: 00EC5D99

GetDC.USER32 ref: 00F046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F04708
SelectObject.GDI32(00000000,00000000), ref: 00F04716
SelectObject.GDI32(00000000,00000000), ref: 00F0472B
ReleaseDC.USER32(?,00000000), ref: 00F04733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F047C4

Strings

U, xrefs: 00F04693

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e42766ff12b75b9037c4ebf7eb97c3486266b996365850bd05cddad5967a1d90
Instruction ID: 579c910a9f199fdb00317aca4021f3b50d4ff3c901c6644f3ec2003162724b6b
Opcode Fuzzy Hash: e42766ff12b75b9037c4ebf7eb97c3486266b996365850bd05cddad5967a1d90
Instruction Fuzzy Hash: 7771E471900209DFCF218F64C984EFA7BB1FF4A365F144269EE556A1A6D331A881FF50

Function 00F3359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F335E4

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

LoadStringW.USER32(00F92390,?,00000FFF,?), ref: 00F3360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00F33742
Line %d (File "%s"):, xrefs: 00F3366B
Error: , xrefs: 00F336EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00F33724
^ ERROR, xrefs: 00F336C9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0962553ec983c772149db26254e1db3163358824fe4e24634dac65b8e4e31459
Instruction ID: 8d2ea06876dcadc0547f4c7a20be051e7f5d9788f3bd802e09bcf799b449cbd9
Opcode Fuzzy Hash: 0962553ec983c772149db26254e1db3163358824fe4e24634dac65b8e4e31459
Instruction Fuzzy Hash: 08519272C0021ABADF14EBA0DD46FEDBB74AF04310F145129F105721A2DB365B99EFA1

Function 00F58B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

Part of subcall function 00ED912D: GetCursorPos.USER32(?), ref: 00ED9141
Part of subcall function 00ED912D: ScreenToClient.USER32(00000000,?), ref: 00ED915E
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000001), ref: 00ED9183
Part of subcall function 00ED912D: GetAsyncKeyState.USER32(00000002), ref: 00ED919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00F58B6B
ImageList_EndDrag.COMCTL32 ref: 00F58B71
ReleaseCapture.USER32 ref: 00F58B77
SetWindowTextW.USER32(?,00000000), ref: 00F58C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F58C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00F58CFF

Strings

@GUI_DRAGFILE, xrefs: 00F58C9A
@GUI_DROPID, xrefs: 00F58C51

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3390d3429852ac4ce3582259b9bc45eacb83f682de32314261bc05baf2646f6b
Instruction ID: b6c394880efcc714f1f10d22e1bb339261d1473651394e0d2e641c5c89a1110f
Opcode Fuzzy Hash: 3390d3429852ac4ce3582259b9bc45eacb83f682de32314261bc05baf2646f6b
Instruction Fuzzy Hash: AD51B071504304AFD704EF10DC5AFAA77E4FB88755F00062DFA56672E2CB719909DBA2

Function 00F3C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F3C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F3C2CA
GetLastError.KERNEL32 ref: 00F3C322
SetEvent.KERNEL32(?), ref: 00F3C336
InternetCloseHandle.WININET(00000000), ref: 00F3C341

Strings

, xrefs: 00F3C2BB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f8316fcf5f7fab3987befd0e718365913f50cc8bf0d8a36be8e186d45af49f6d
Instruction ID: 59db41e6f42b75774a0278c5708dd581897487d7e5488cf75f308a44e6b446b3
Opcode Fuzzy Hash: f8316fcf5f7fab3987befd0e718365913f50cc8bf0d8a36be8e186d45af49f6d
Instruction Fuzzy Hash: 1A316BB1A00308AFD7219F64DC88AAB7BFCEB49764F14851EF546A3200DB34DD05ABA1

Function 00F2989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F03AAF,?,?,Bad directive syntax error,00F5CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F298BC
LoadStringW.USER32(00000000,?,00F03AAF,?), ref: 00F298C3

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F29987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00F298F1
Line %d (File "%s"):, xrefs: 00F2992D
Line %d:, xrefs: 00F29912
Error: , xrefs: 00F29955
., xrefs: 00F2996D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 27128c0f668970d0561ff1deb769339bf3355377d76dbfafbe19514c1c42b614
Instruction ID: 34bbc648adcf335925c2b5a8427e31994cdc27dcf11cad524e53467b61d9472f
Opcode Fuzzy Hash: 27128c0f668970d0561ff1deb769339bf3355377d76dbfafbe19514c1c42b614
Instruction Fuzzy Hash: 52218D3290031AABCF15EF90DC0AEEE7775FF18300F04542AF515720A2EB719658EB51

Function 00F2209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F2214D

Strings

smallicons, xrefs: 00F22115
details, xrefs: 00F220FB
SHELLDLL_DefView, xrefs: 00F220CC
largeicons, xrefs: 00F220E1
list, xrefs: 00F2212F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d563f0c3743ddf78b69df71962de28c604f6dafdaa7f655e947638024731755a
Instruction ID: 4e0ceb516e1dbb598b2502d98b69d54b6cc594e35fbba9e8f7f6f5e3948b7f39
Opcode Fuzzy Hash: d563f0c3743ddf78b69df71962de28c604f6dafdaa7f655e947638024731755a
Instruction Fuzzy Hash: AC11067BA8871ABAF6017621EC06DE637DCDF15734F201126FB09B50E1FE61A8217658

Function 00EFCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EFCEB7
_free.LIBCMT ref: 00EFCF22
_free.LIBCMT ref: 00EFCF48
_free.LIBCMT ref: 00EFCF71
_free.LIBCMT ref: 00EFCFA9
_free.LIBCMT ref: 00EFCFDA
_free.LIBCMT ref: 00EFD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EFD09C
_free.LIBCMT ref: 00EFD0B5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 23eb51a5ba0a8641f0032e4faaf659763f6e3fc74dc88c990e1de86610df06e5
Instruction ID: 25b81410075c16f9d5abc049a14ae0a05ef4568982ae0a01a5b264cbe73ffdee
Opcode Fuzzy Hash: 23eb51a5ba0a8641f0032e4faaf659763f6e3fc74dc88c990e1de86610df06e5
Instruction Fuzzy Hash: 4F615672A0420DAFDB25AFB49D81A7ABBE6EF05314F34516EFB05B7281DB319D009790

Function 00F550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F55186
ShowWindow.USER32(?,00000000), ref: 00F551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F551D1

Part of subcall function 00F56FBA: DeleteObject.GDI32(00000000), ref: 00F56FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F5520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F5521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F5524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F55287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F55296

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9459a1a8bae6170402b22847dc4c66d80184d100a35ac75fff82954aedc2acac
Instruction ID: 32d4b20c2dfe6dbd97c81c81eb56404579a120692377f2c85ced15457a3064f7
Opcode Fuzzy Hash: 9459a1a8bae6170402b22847dc4c66d80184d100a35ac75fff82954aedc2acac
Instruction Fuzzy Hash: 91519131A50A08BEEF209F64CC66BD93BA5FB05B22F144012FF15966E1C775A988FF41

Function 00ED8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F16890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00ED8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F16901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F1691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00ED8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F1692D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f95d35fa637ade4aeedaf83d91183c24b26800a557ec2de8cb6da23b758bb2e5
Instruction ID: a616e813aee2d1a4ae99cc6423e4237ad25941a20b0a34847c999c2ab2bdc2ec
Opcode Fuzzy Hash: f95d35fa637ade4aeedaf83d91183c24b26800a557ec2de8cb6da23b758bb2e5
Instruction Fuzzy Hash: EB516974A00309AFDB20CF24CC55BAA7BB5FB48761F10452AF956A72A0DB70A991EB50

Function 00F3C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F3C182
GetLastError.KERNEL32 ref: 00F3C195
SetEvent.KERNEL32(?), ref: 00F3C1A9

Part of subcall function 00F3C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3C272
Part of subcall function 00F3C253: GetLastError.KERNEL32 ref: 00F3C322
Part of subcall function 00F3C253: SetEvent.KERNEL32(?), ref: 00F3C336
Part of subcall function 00F3C253: InternetCloseHandle.WININET(00000000), ref: 00F3C341

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 48137cd4888709a9a5ff863bb70bb2260d7aab6d8a8cf7db3ed2f8ad4630634a
Instruction ID: 3723df76bfb88cf60e1030ee2e7a74f9580e7c8420debf5fd98af85f34ef6398
Opcode Fuzzy Hash: 48137cd4888709a9a5ff863bb70bb2260d7aab6d8a8cf7db3ed2f8ad4630634a
Instruction Fuzzy Hash: 4A317A71600709AFDB219FA5DC44A67BBE8FF18321F00441DFA5AA6610D730E814FBE0

Function 00F225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F22601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F22605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F22623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F22627

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14e082943a31e8095bc0e6a421efa787fbaf1a5eb1946a5540477a4b39de32d6
Instruction ID: 3462e957e3ddbaf344ffd2ab3a787bf574b74b9bb1e98da19086f0496bf021a5
Opcode Fuzzy Hash: 14e082943a31e8095bc0e6a421efa787fbaf1a5eb1946a5540477a4b39de32d6
Instruction Fuzzy Hash: 5001D431390724BBFB1067699C8AF593F99DB4EB12F100012F319AE1D1C9F62444AAA9

Function 00F21803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F21449,?,?,00000000), ref: 00F2180C
HeapAlloc.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F21813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F21449,?,?,00000000), ref: 00F21828
GetCurrentProcess.KERNEL32(?,00000000,?,00F21449,?,?,00000000), ref: 00F21830
DuplicateHandle.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F21833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F21449,?,?,00000000), ref: 00F21843
GetCurrentProcess.KERNEL32(00F21449,00000000,?,00F21449,?,?,00000000), ref: 00F2184B
DuplicateHandle.KERNEL32(00000000,?,00F21449,?,?,00000000), ref: 00F2184E
CreateThread.KERNEL32(00000000,00000000,00F21874,00000000,00000000,00000000), ref: 00F21868

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1bdc46515ad6a9159601dddf5473644b9afdbeaf2a94a9aff583547bfaafbf52
Instruction ID: c3721aac3e414ac086aa5448a6bea51bcce6cfe63f456b40924daeb43d04b699
Opcode Fuzzy Hash: 1bdc46515ad6a9159601dddf5473644b9afdbeaf2a94a9aff583547bfaafbf52
Instruction Fuzzy Hash: F601BBB5640708BFE710ABB5DC4DF6B3BACEB89B11F004411FB06DB1A2CA709840DB61

Function 00EF3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EF3F0B
__alldvrm.LIBCMT ref: 00EF410C
__alldvrm.LIBCMT ref: 00EF412E

Strings

}}, xrefs: 00EF40CD
}}, xrefs: 00EF3E96, 00EF3EF1, 00EF3F0A, 00EF4090
}}, xrefs: 00EF3E8A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7ec35f4b16fb6d42ccdd16033d56096401dec84ad32d4765bd1eaf10a45124a1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 6EA148B2E0138A9FDB25CF28C8917BFBBE5EF61354F14416DE685AB2C1C6388A41C751

Function 00F4A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F2D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F2D501
Part of subcall function 00F2D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F2D50F
Part of subcall function 00F2D4DC: CloseHandle.KERNELBASE(00000000), ref: 00F2D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4A16D
GetLastError.KERNEL32 ref: 00F4A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F4A268
GetLastError.KERNEL32(00000000), ref: 00F4A273
CloseHandle.KERNEL32(00000000), ref: 00F4A2C4

Strings

SeDebugPrivilege, xrefs: 00F4A18F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9a82625cd052ffdea7b54f9b986ecfd49095533b92b5b82a7b1017870a11a9a5
Instruction ID: d1a225930489c0b2ce352247164c147a308b6b1405c4dac87371ca27fa4b88ab
Opcode Fuzzy Hash: 9a82625cd052ffdea7b54f9b986ecfd49095533b92b5b82a7b1017870a11a9a5
Instruction Fuzzy Hash: AA6191316443429FD710DF18C494F1ABBE1AF54318F18849CE8664B7A3C7B6ED46EB92

Function 00F53886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F53925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F5393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F53954
_wcslen.LIBCMT ref: 00F53999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F539F4

Strings

SysListView32, xrefs: 00F538F7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 781e1b07b2ce411c2594d2d74c7c44ebc090d4ddea514f9cc985d1853f260954
Instruction ID: b89093ca1cea4b8a6e5821369011062fa8920d8c1b80cd345f809f6d3a2fa847
Opcode Fuzzy Hash: 781e1b07b2ce411c2594d2d74c7c44ebc090d4ddea514f9cc985d1853f260954
Instruction Fuzzy Hash: B541C671E00319ABEF219F64CC45BEA77A9FF083A1F100526FA59E7181D771DA84EB90

Function 00F2BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F2BCFD
IsMenu.USER32(00000000), ref: 00F2BD1D
CreatePopupMenu.USER32 ref: 00F2BD53
GetMenuItemCount.USER32(010351A8), ref: 00F2BDA4
InsertMenuItemW.USER32(010351A8,?,00000001,00000030), ref: 00F2BDCC

Strings

0, xrefs: 00F2BCA8
2, xrefs: 00F2BD37

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c1eb2cd3ba60d579e528f94f9deb021bbe1a60cec533336742061630ada344ea
Instruction ID: 0a02e113dc7095337eada478e3ee34e33e7de51f743adba3e7c34b51093e48a8
Opcode Fuzzy Hash: c1eb2cd3ba60d579e528f94f9deb021bbe1a60cec533336742061630ada344ea
Instruction Fuzzy Hash: 8951BF70A003299BDB10CFA8E888BEEBBF4FF45324F544119ED5197291E7709941EB91

Function 00EE2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EE2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00EE2D53
_ValidateLocalCookies.LIBCMT ref: 00EE2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00EE2E0C
_ValidateLocalCookies.LIBCMT ref: 00EE2E61

Strings

csm, xrefs: 00EE2DF6
&H, xrefs: 00EE2DFE, 00EE2E07, 00EE2E18

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: fded00eaf2f852888cb8d93c4f1c6348035246e635b762ba90a675133c9718b8
Instruction ID: 07283871ae6726d477e72c69f34004008ee3155af748d48af09262cbe3c8e741
Opcode Fuzzy Hash: fded00eaf2f852888cb8d93c4f1c6348035246e635b762ba90a675133c9718b8
Instruction Fuzzy Hash: 7141A434E0024D9BCF14DF6ACC45A9EBBB9BF44318F149159EA14BB392D7719A01CBD1

Function 00F2C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F2C913

Strings

stop, xrefs: 00F2C8E4
warning, xrefs: 00F2C8FC
question, xrefs: 00F2C8CC
info, xrefs: 00F2C8B4
blank, xrefs: 00F2C895

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e0a6b70510baf988c465caed899c379ea32bf55cce6147f08306a8c17be8eaca
Instruction ID: 936b91ccaf35c9d4602fec098aec2f5fd39596afde07a27a206862437e0c56a1
Opcode Fuzzy Hash: e0a6b70510baf988c465caed899c379ea32bf55cce6147f08306a8c17be8eaca
Instruction Fuzzy Hash: 21110B32A8931ABAA7006754AC82DDE3BDCDF15734B10002AF504E62C1E7A49D4072E9

Function 00F2DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F2DE42
gethostname.WSOCK32(?,00000100), ref: 00F2DE5C
gethostbyname.WSOCK32(?), ref: 00F2DE69
inet_ntoa.WSOCK32(?), ref: 00F2DEAB
_strcat.LIBCMT ref: 00F2DEB9
WSACleanup.WSOCK32 ref: 00F2DEDE

Strings

0.0.0.0, xrefs: 00F2DE87

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2941904173e89f65d21a95afa54651ef59fa2b5a6721f7fa9110b1ec212e9f83
Instruction ID: fb92fe92ae31c6f1585753330d5981964b4a1479184def7ece7237805066929d
Opcode Fuzzy Hash: 2941904173e89f65d21a95afa54651ef59fa2b5a6721f7fa9110b1ec212e9f83
Instruction Fuzzy Hash: BB110A71904319AFDB20AB60EC0AEEE77BCDF54721F010169F546B6091EF718A81AA91

Function 00F59F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

GetSystemMetrics.USER32(0000000F), ref: 00F59FC7
GetSystemMetrics.USER32(0000000F), ref: 00F59FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F5A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F5A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F5A263
ShowWindow.USER32(00000003,00000000), ref: 00F5A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00F5A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F5A2CA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3fbc9d571a86e78ffa5a85fc53f9b11b529270abdcc3f19eddbf2bc9b29283eb
Instruction ID: f538d08d77dd805a477b635ee120ca096aed568fdd6fa5bc2035acadf975970d
Opcode Fuzzy Hash: 3fbc9d571a86e78ffa5a85fc53f9b11b529270abdcc3f19eddbf2bc9b29283eb
Instruction Fuzzy Hash: DFB1FC31A00219DFCF14CF68C9857AE3BF2FF44312F088169EE899B295D731A954EB51

Function 00F2ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F2ED2A
_wcslen.LIBCMT ref: 00F2ED3B
_wcslen.LIBCMT ref: 00F2ED79
_wcslen.LIBCMT ref: 00F2EDAF
_wcslen.LIBCMT ref: 00F2EDDF
_wcslen.LIBCMT ref: 00F2EDEF
_wcslen.LIBCMT ref: 00F2EE2B
_wcslen.LIBCMT ref: 00F2EE5A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0c5dcc2ad7209e9639ec0a0bcc8b6148de3387e4b099a74f92b85c5bc0d059e0
Instruction ID: 8c3a7438b59d638c95716fe6a4cbc2fe3994ae028681ee5b73b7dc234073d2dd
Opcode Fuzzy Hash: 0c5dcc2ad7209e9639ec0a0bcc8b6148de3387e4b099a74f92b85c5bc0d059e0
Instruction Fuzzy Hash: FA41BF65C1026C65CB11EBF59C8A9CFB3ECAF49310F509462E618F3162EB34E245C3E6

Function 00EDF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00EDF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F1F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F1F454

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cd646d577ae8161a8d4d756d131a110fa62f93de4177ae70fefbcd06655c0684
Instruction ID: b578b17d53d3cd4253e452bda352140b3dfaa6078891f7b6289a7287993db93a
Opcode Fuzzy Hash: cd646d577ae8161a8d4d756d131a110fa62f93de4177ae70fefbcd06655c0684
Instruction Fuzzy Hash: E1414C31D04780BED739CB69C8A87AA7B91EBD5314F14603EE18B76760C631D8C6EB50

Function 00F52D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F52D1B
GetDC.USER32(00000000), ref: 00F52D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F52D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F52D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F52D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F52D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F55A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F52DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F52DE1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d60949413e993f00663b27e1f78d4e1851d240856372902f03105e31d9b2ff90
Instruction ID: 8c1764f640b6298b98132117908ddb90c8e441e58090e1f93e5426b16c419dd5
Opcode Fuzzy Hash: d60949413e993f00663b27e1f78d4e1851d240856372902f03105e31d9b2ff90
Instruction Fuzzy Hash: 69316B72201314BFEB118F549C8AFEB3BA9EF0A726F044055FF099A291C6759C51DBA4

Function 00F25622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F25637
_memcmp.LIBVCRUNTIME ref: 00F25659
_memcmp.LIBVCRUNTIME ref: 00F25671
_memcmp.LIBVCRUNTIME ref: 00F25684
_memcmp.LIBVCRUNTIME ref: 00F2569E
_memcmp.LIBVCRUNTIME ref: 00F256B1
_memcmp.LIBVCRUNTIME ref: 00F256C9
_memcmp.LIBVCRUNTIME ref: 00F256E4

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e46dc8f56bf797a6a0dc5bf0042fae35c6fa2e1e36b701ba44c713179912493e
Instruction ID: 6ea7a3db20dab77f87d296533a6ef27e335ab3f0daf71d7f9a5b33e42f8a62e5
Opcode Fuzzy Hash: e46dc8f56bf797a6a0dc5bf0042fae35c6fa2e1e36b701ba44c713179912493e
Instruction Fuzzy Hash: 00210B72F41A6D77D2149521AE82FFB379CAF20B95F440070FE05AA581F730EE18A1A6

Function 00F44FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00F4502E, 00F45383
Not an Object type, xrefs: 00F45007

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 46979ea71bc5981b2b46027750ff16c40cc96819268b2b8b0b7c7e67d4b1299e
Instruction ID: 5a2ec8c6372f4b174e900aa27dbc08fbb46eb8a131bbd60a023abadb29bea1f3
Opcode Fuzzy Hash: 46979ea71bc5981b2b46027750ff16c40cc96819268b2b8b0b7c7e67d4b1299e
Instruction Fuzzy Hash: 8ED1C275E0060AAFDF10DF98C880BAEBBB5BF48754F148069ED15AB282D770DD45DB90

Function 00F01522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F01651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F017FB,?,00F017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F016FB

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F01777
__freea.LIBCMT ref: 00F017A2
__freea.LIBCMT ref: 00F017AE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b05f5f67271dfc47606cf8c01b4345b6adbc951eb8aacf7d696321538f6f2d30
Instruction ID: a2049921a373f87115e69f2e9862aec800f7478131345ef18b5c178237d26655
Opcode Fuzzy Hash: b05f5f67271dfc47606cf8c01b4345b6adbc951eb8aacf7d696321538f6f2d30
Instruction Fuzzy Hash: 73918272E0021A9EDB208F64CC81AFEBBB5BF49720F584659E905EB1C1D725DD44FBA0

Function 00F44523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F44648
VariantInit.OLEAUT32(?), ref: 00F44749
VariantClear.OLEAUT32(?), ref: 00F44753
VariantClear.OLEAUT32(?), ref: 00F447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F445D8, 00F44706, 00F447BE
Incorrect Object type in FOR..IN loop, xrefs: 00F4472C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 3b9519360fcc92b1f8e05adf2fecf7167da0d13d35f545b0c76fb207f698b7ae
Instruction ID: e3a31d92193bab2395a21e5bc8356e7bcbfef059e9e5415deb002650f5ae71d5
Opcode Fuzzy Hash: 3b9519360fcc92b1f8e05adf2fecf7167da0d13d35f545b0c76fb207f698b7ae
Instruction Fuzzy Hash: 1C919271E00219ABDF20DFA4C844FAEBBB8EF46724F108559F915BB280D770A941DFA0

Function 00F31187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F3125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F31284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F3135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F31430

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 5fa0c1214a053e4d4b2d0aea7585baea5f806e81fb1526f4825d1f3711de6943
Instruction ID: 6e32b03f1b0ac405aa27503a81e2cfa10ebdd5abe6d769638a293f39968945f8
Opcode Fuzzy Hash: 5fa0c1214a053e4d4b2d0aea7585baea5f806e81fb1526f4825d1f3711de6943
Instruction Fuzzy Hash: CD91BE72A002089FDB00DF94C885BBEB7B5FF45335F104129E911EB291DB79E942EBA0

Function 00ED948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed36f1b87e24aeb5e4b3bf32176b836500ad5b0033c114a59acd081200cd37af
Instruction ID: f780d64a7b1a185c03eb9f7a0c3d16e1a1339510303d016aa21fad8625f465b8
Opcode Fuzzy Hash: ed36f1b87e24aeb5e4b3bf32176b836500ad5b0033c114a59acd081200cd37af
Instruction Fuzzy Hash: 0F913871D00219EFCB10CFA9CC84AEEBBB8FF49320F145556E515B7292D375AA42DBA0

Function 00F43947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F4396B
CharUpperBuffW.USER32(?,?), ref: 00F43A7A
_wcslen.LIBCMT ref: 00F43A8A
VariantClear.OLEAUT32(?), ref: 00F43C1F

Part of subcall function 00F30CDF: VariantInit.OLEAUT32(00000000), ref: 00F30D1F
Part of subcall function 00F30CDF: VariantCopy.OLEAUT32(?,?), ref: 00F30D28
Part of subcall function 00F30CDF: VariantClear.OLEAUT32(?), ref: 00F30D34

Strings

AUTOIT.ERROR, xrefs: 00F43A80, 00F43A85
Incorrect Parameter format, xrefs: 00F439A6, 00F43BA1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 461b3bcdaa87e5bc07bc212d797781b052f18ca4223935def18f199649995e6a
Instruction ID: 0ee4e9531b93e9161dc4677daa8ca6b5cf87d4c0a4499a65de2c1f1a1d33aa66
Opcode Fuzzy Hash: 461b3bcdaa87e5bc07bc212d797781b052f18ca4223935def18f199649995e6a
Instruction Fuzzy Hash: E1918B75A083059FC704EF24C580A6ABBE5FF88314F14892DF88A97351DB35EE06DB92

Function 00F44BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F2000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?,?,00F2035E), ref: 00F2002B
Part of subcall function 00F2000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20046
Part of subcall function 00F2000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20054
Part of subcall function 00F2000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?), ref: 00F20064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F44C51
_wcslen.LIBCMT ref: 00F44D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F44DCF
CoTaskMemFree.OLE32(?), ref: 00F44DDA

Strings

NULL Pointer assignment, xrefs: 00F44E23, 00F44E52

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 00e8daac412edac550c0db312d5075565d38b18678e1ce8bd5547586d26cc31e
Instruction ID: 61549c040663b65880399ec3cf2181e8bb91a331778f50ac20cc801a77b2dcac
Opcode Fuzzy Hash: 00e8daac412edac550c0db312d5075565d38b18678e1ce8bd5547586d26cc31e
Instruction Fuzzy Hash: 11912672D0021DAFDF14DFA4D891EEEBBB8BF08314F104169E915B7291DB34AA459FA0

Function 00F520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F52183
GetMenuItemCount.USER32(00000000), ref: 00F521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F521DD
_wcslen.LIBCMT ref: 00F52213
GetMenuItemID.USER32(?,?), ref: 00F5224D
GetSubMenu.USER32(?,?), ref: 00F5225B

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F522E3

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3b250e114f174571319f4a46e8caee049040e417a157ad919eb9bc0692210438
Instruction ID: be0e3abfc1cbc80f12b21c50112f34bac212f6f42d118ce3ce37dc2c93bf8ccb
Opcode Fuzzy Hash: 3b250e114f174571319f4a46e8caee049040e417a157ad919eb9bc0692210438
Instruction Fuzzy Hash: 53719E75E00205AFCB50DF64C881AAEB7F1EF49321F148559EA16FB341DB34EE429B90

Function 00F57E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01035108), ref: 00F57F37
IsWindowEnabled.USER32(01035108), ref: 00F57F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F5801E
SendMessageW.USER32(01035108,000000B0,?,?), ref: 00F58051
IsDlgButtonChecked.USER32(?,?), ref: 00F58089
GetWindowLongW.USER32(01035108,000000EC), ref: 00F580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F580C3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3703f6863898d4bc22dae4b568c957688e1802ab4357666e3e05d28616d907ea
Instruction ID: 5522dd0910f612c629a3ef819f90ccca08e0c11ed389d11f1bac5324969b4b35
Opcode Fuzzy Hash: 3703f6863898d4bc22dae4b568c957688e1802ab4357666e3e05d28616d907ea
Instruction Fuzzy Hash: 5371B134A08344AFEB21EF54DC84FAA7BF5EF09352F140459EE55572A1CB31A849EB90

Function 00F2AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F2AEF9
GetKeyboardState.USER32(?), ref: 00F2AF0E
SetKeyboardState.USER32(?), ref: 00F2AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F2AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F2AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F2AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F2B020

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 81ad68bde4f5deb35398c02af42031778139e230e27711703564149944ad0fa3
Instruction ID: 7b5ea0d69f3bcf292433a91e757f653a65d486d0206b7fa33e8aa4a2d940cf53
Opcode Fuzzy Hash: 81ad68bde4f5deb35398c02af42031778139e230e27711703564149944ad0fa3
Instruction Fuzzy Hash: 2551D3A0A047E53EFB3782349D45BBABFE95B06314F088489E6E9558C2D3D8ACC4E751

Function 00F2ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F2AD19
GetKeyboardState.USER32(?), ref: 00F2AD2E
SetKeyboardState.USER32(?), ref: 00F2AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F2ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F2ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F2AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F2AE38

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bcc881d3c7deca10748a4caa985645b235eec2a7fd0009cceecf57f2c9d1a45e
Instruction ID: 980e6c9591cfcb0f5a2c8dd72188e011b06ab7ac49a0ea19f71a56149dc559ba
Opcode Fuzzy Hash: bcc881d3c7deca10748a4caa985645b235eec2a7fd0009cceecf57f2c9d1a45e
Instruction Fuzzy Hash: 9C51E5A1904BE53EFB3383359C55B7ABEA85B46310F088488E1D9568C3D294EC99F752

Function 00EF542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F03CD6,?,?,?,?,?,?,?,?,00EF5BA3,?,?,00F03CD6,?,?), ref: 00EF5470
__fassign.LIBCMT ref: 00EF54EB
__fassign.LIBCMT ref: 00EF5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F03CD6,00000005,00000000,00000000), ref: 00EF552C
WriteFile.KERNEL32(?,00F03CD6,00000000,00EF5BA3,00000000,?,?,?,?,?,?,?,?,?,00EF5BA3,?), ref: 00EF554B
WriteFile.KERNEL32(?,?,00000001,00EF5BA3,00000000,?,?,?,?,?,?,?,?,?,00EF5BA3,?), ref: 00EF5584

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 52130719d1dfad292173ee148c2c2bcd9a6b20b92d2893507a8db2983009bb7f
Instruction ID: 55721b1bd3da9f05250274001b4f80abbe0a16d3985b0a9258dea358918f4a2e
Opcode Fuzzy Hash: 52130719d1dfad292173ee148c2c2bcd9a6b20b92d2893507a8db2983009bb7f
Instruction Fuzzy Hash: E451AF72A0064D9FDB11CFA8D845AEEBBF9EF19300F14511AE656F7291E6309A41CBA0

Function 00F410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
Part of subcall function 00F4304E: _wcslen.LIBCMT ref: 00F4309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F41112
WSAGetLastError.WSOCK32 ref: 00F41121
WSAGetLastError.WSOCK32 ref: 00F411C9
closesocket.WSOCK32(00000000), ref: 00F411F9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 846255654e0fcba2429c1012f705f44159bb79bd2543959d1841219cbb2219a0
Instruction ID: b0926e17747d120d98e2b9e50f05cfc507762d3fd824a4be8db2671f713c1e7e
Opcode Fuzzy Hash: 846255654e0fcba2429c1012f705f44159bb79bd2543959d1841219cbb2219a0
Instruction Fuzzy Hash: 89410731600208AFDB109F24CC44BA9BBE9FF85325F148059FE069B291D775ED81DBE0

Function 00F2CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F2CF22,?), ref: 00F2DDFD

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F2CF22,?), ref: 00F2DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F2CF45
MoveFileW.KERNEL32(?,?), ref: 00F2CF7F
_wcslen.LIBCMT ref: 00F2D005
_wcslen.LIBCMT ref: 00F2D01B
SHFileOperationW.SHELL32(?), ref: 00F2D061

Strings

\*.*, xrefs: 00F2CFF3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 31d8b443c168ff4c90104296f9d67f52fab74e25316e945fe63701e3c3a454a5
Instruction ID: f9bdcc308bdf101bcded1b2b5ff4a42d44335cb376d1019c2b006f81bbf7d2da
Opcode Fuzzy Hash: 31d8b443c168ff4c90104296f9d67f52fab74e25316e945fe63701e3c3a454a5
Instruction Fuzzy Hash: C3415571D4522D5EDF12EBA4DE81EDDB7F8AF08380F1000E6E545EB142EA34A644DB50

Function 00F52DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F52E1C
GetWindowLongW.USER32(?,000000F0), ref: 00F52E4F
GetWindowLongW.USER32(?,000000F0), ref: 00F52E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F52EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F52EE0
GetWindowLongW.USER32(?,000000F0), ref: 00F52EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F52F0B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 811f0acb8e3fca9d9da937b65e759f054e29f950df9dae6b77d2d9704e92f689
Instruction ID: 663e8d59ee2d3908818b6c9b981ff694261e71fbc0b120033bb7a369d900ab76
Opcode Fuzzy Hash: 811f0acb8e3fca9d9da937b65e759f054e29f950df9dae6b77d2d9704e92f689
Instruction Fuzzy Hash: BF312631A042499FEB61CF58DC86F6537E0FB4A722F150265FA058F2B1CB71AC44EB40

Function 00F27726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2778F
SysAllocString.OLEAUT32(00000000), ref: 00F27792
SysAllocString.OLEAUT32(?), ref: 00F277B0
SysFreeString.OLEAUT32(?), ref: 00F277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F277DE
SysAllocString.OLEAUT32(?), ref: 00F277EC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7e6bf8c16d58deeb50463ff42ea4e1ef44da3375e7b66564fdeb6effff6c4753
Instruction ID: f3fb37d7985550227218357be30ca04d4fe84a82a9183d9de7549744bcd96043
Opcode Fuzzy Hash: 7e6bf8c16d58deeb50463ff42ea4e1ef44da3375e7b66564fdeb6effff6c4753
Instruction Fuzzy Hash: 01219076A04329AFDB10EFA8DC88DBB77ACEB097647048025FA15DB290D670DC4197A0

Function 00F277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F27868
SysAllocString.OLEAUT32(00000000), ref: 00F2786B
SysAllocString.OLEAUT32 ref: 00F2788C
SysFreeString.OLEAUT32 ref: 00F27895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F278AF
SysAllocString.OLEAUT32(?), ref: 00F278BD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4527a2d692670ce7905d7e8571b8eae1bc05e9bac0e58e3f5cd1ff9a59bf92a4
Instruction ID: 87e7045910f9dc87f0441563b39d3d3e8caff0b8f207573fa7249d77bb394d8a
Opcode Fuzzy Hash: 4527a2d692670ce7905d7e8571b8eae1bc05e9bac0e58e3f5cd1ff9a59bf92a4
Instruction Fuzzy Hash: 9F217735604318AFDB10EFA9DC88DAA77ECEB097607108125FA15CB2A5D670DC41DB64

Function 00F304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F3052E

Strings

nul, xrefs: 00F30567

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 79c7cd3c6598d4f97e8d96f22567475c54d7a6b4912199733f95fbe0b3ac74a5
Instruction ID: b80c4d8e42f4cee1f923d03ee1a387eed3bdcbd01a628b86ab151c877f70b2dd
Opcode Fuzzy Hash: 79c7cd3c6598d4f97e8d96f22567475c54d7a6b4912199733f95fbe0b3ac74a5
Instruction Fuzzy Hash: C9216D75900309EFDB209F29DC54A9A77A4AF44734F244A1AF9A2D62E0DB709940EF60

Function 00F305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F30601

Strings

nul, xrefs: 00F30639

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 10fbb1a489be3188be5702f9857749aa7b1b133096c91555d1911c4c16465543
Instruction ID: 67c33992531518daf799bc2920fdbb0b229c6b65bb22398ca00520ae0ebd06bd
Opcode Fuzzy Hash: 10fbb1a489be3188be5702f9857749aa7b1b133096c91555d1911c4c16465543
Instruction Fuzzy Hash: 0521A9759003059FDB209F69CC15A9A77E8BF95730F200B1AF9A1D72D4DF709850EB50

Function 00F540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
Part of subcall function 00EC600E: GetStockObject.GDI32(00000011), ref: 00EC6060
Part of subcall function 00EC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F54112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F5411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F5412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F54139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F54145

Strings

Msctls_Progress32, xrefs: 00F540E3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12c75234c8ab13944237ab4111270870d5a4d258124de075a0a0c26d14bd1796
Instruction ID: 2c54518a9f5b1a6e72f27796abc5da60fca773e99dea7c60ebae7066c10e4e4e
Opcode Fuzzy Hash: 12c75234c8ab13944237ab4111270870d5a4d258124de075a0a0c26d14bd1796
Instruction Fuzzy Hash: E811B6B214021D7EEF119F64CC86EE77F9DEF08798F104111BB18A2090C672DC61EBA4

Function 00EFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EFD7A3: _free.LIBCMT ref: 00EFD7CC

_free.LIBCMT ref: 00EFD82D

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFD838
_free.LIBCMT ref: 00EFD843
_free.LIBCMT ref: 00EFD897
_free.LIBCMT ref: 00EFD8A2
_free.LIBCMT ref: 00EFD8AD
_free.LIBCMT ref: 00EFD8B8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7438619a9132326736b2f1c34b3f225de08b584d160b4824bda1395112fa2189
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 6D111C71584B0CAAD621BFB0CC47FEB7FDDAF44700F40582AB399BA4E2DB65B5058660

Function 00F2DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F2DA74
LoadStringW.USER32(00000000), ref: 00F2DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F2DA91
LoadStringW.USER32(00000000), ref: 00F2DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F2DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F2DAB9

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: eb1af3c398c1f4a4761933f2e362c0aec7943f19cba45d339a58c2b1f55710cb
Instruction ID: a2fa2a19f2c7c3bfca6804fd6745af01264774f4c5a9e72f0c20a8ee853aa9b2
Opcode Fuzzy Hash: eb1af3c398c1f4a4761933f2e362c0aec7943f19cba45d339a58c2b1f55710cb
Instruction Fuzzy Hash: FC0162F290031C7FE710EBA09D89EEB366CE708706F404491B706E2042EA749E849FB4

Function 00F3096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0102E3D8,0102E3D8), ref: 00F3097B
EnterCriticalSection.KERNEL32(0102E3B8,00000000), ref: 00F3098D
TerminateThread.KERNEL32(?,000001F6), ref: 00F3099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00F309A9
CloseHandle.KERNEL32(?), ref: 00F309B8
InterlockedExchange.KERNEL32(0102E3D8,000001F6), ref: 00F309C8
LeaveCriticalSection.KERNEL32(0102E3B8), ref: 00F309CF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 39e205eb7c505574d784d135e417b1e3e41fcc9d149b17045c1b093da02d0779
Instruction ID: beeaa63b5a748daa026cb595557cf773a302b7e7129cb5dfbfec4ddccfd99989
Opcode Fuzzy Hash: 39e205eb7c505574d784d135e417b1e3e41fcc9d149b17045c1b093da02d0779
Instruction Fuzzy Hash: AEF01D31442B06BFD7415B94EE88BDA7A35FF01712F401016F203508A0CB749465EFD0

Function 00F41C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F41DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F41DE1
WSAGetLastError.WSOCK32 ref: 00F41DF2
htons.WSOCK32(?,?,?,?,?), ref: 00F41EDB
inet_ntoa.WSOCK32(?), ref: 00F41E8C

Part of subcall function 00F239E8: _strlen.LIBCMT ref: 00F239F2

Part of subcall function 00F43224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F3EC0C), ref: 00F43240

_strlen.LIBCMT ref: 00F41F35

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4ac33f33fb34ab53e59757e42b2c74259560da16f62e349c0a938fea5c11c638
Instruction ID: 609175848c2018c1d9e09618579eac0c35b7ec21096002efea0aaecd8eaf1412
Opcode Fuzzy Hash: 4ac33f33fb34ab53e59757e42b2c74259560da16f62e349c0a938fea5c11c638
Instruction Fuzzy Hash: 1BB1BE71604340AFC324DF24C885F2A7BE5BF84328F54854CF9566B2A2DB32ED86CB91

Function 00EC5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00EC5D30
GetWindowRect.USER32(?,?), ref: 00EC5D71
ScreenToClient.USER32(?,?), ref: 00EC5D99
GetClientRect.USER32(?,?), ref: 00EC5ED7
GetWindowRect.USER32(?,?), ref: 00EC5EF8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: df6df3a84b92d6019f861a8b33a250cd13e5779146f7846b5a435a5cc00359ad
Instruction ID: 4f86f3ff1a889bdcac420ccdb0ff29511825caae8b86044844c9edcbd644e3c2
Opcode Fuzzy Hash: df6df3a84b92d6019f861a8b33a250cd13e5779146f7846b5a435a5cc00359ad
Instruction Fuzzy Hash: FCB15A75A0074ADFDB14CFA8C540BEAB7F1BF44310F14941EE9A9E7290D730AA91EB54

Function 00EF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EF00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF00D6
__allrem.LIBCMT ref: 00EF00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF010B
__allrem.LIBCMT ref: 00EF0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF0140

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: c7fca3bba2df07d8298e6ae85daa9d2c47a72a357fb60b62053e3ea2d318762a
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 6A81E672B01B0E9BE724AF69CC41B7A73E9AF45724F24563AF651F62C2EB70D9008750

Function 00EF61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EE82D9,00EE82D9,?,?,?,00EF644F,00000001,00000001,?), ref: 00EF6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EF644F,00000001,00000001,?,?,?,?), ref: 00EF62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EF63D8
__freea.LIBCMT ref: 00EF63E5

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

__freea.LIBCMT ref: 00EF63EE
__freea.LIBCMT ref: 00EF6413

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a525a2439207765bd2ae4584b663d63ad1e69cbed7eefcc8b21a2662e7caba6f
Instruction ID: fd30a6726ad5d3b69261c73eac825913750bbfb2bf9bb13a5221e0a167c976d7
Opcode Fuzzy Hash: a525a2439207765bd2ae4584b663d63ad1e69cbed7eefcc8b21a2662e7caba6f
Instruction Fuzzy Hash: 53512172A0021EABEB258F60CC81EBF77AAEB90714F155269FE05F7080DB34DC44D6A0

Function 00F4BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F4BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F4BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4BDF3
RegCloseKey.ADVAPI32(?), ref: 00F4BDFF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 12dd9dafdb177d5a4dceb55ef791dcdda909b825743503792c87ec996c1b2d17
Instruction ID: 6f33310bc2a67dddb4dcd601288dc0486069a1668e57659d43cd64f491563b96
Opcode Fuzzy Hash: 12dd9dafdb177d5a4dceb55ef791dcdda909b825743503792c87ec996c1b2d17
Instruction Fuzzy Hash: 95818D31508241AFD714DF24C885E2ABBF5FF84318F14859CF9568B2A2DB32ED46DB92

Function 00F1F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F1F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F1F860
VariantCopy.OLEAUT32(00F1FA64,00000000), ref: 00F1F889
VariantClear.OLEAUT32(00F1FA64), ref: 00F1F8AD
VariantCopy.OLEAUT32(00F1FA64,00000000), ref: 00F1F8B1
VariantClear.OLEAUT32(?), ref: 00F1F8BB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5cd666b91a8e3dbf86abbe9138e94dca723248a227fdcdaf9de223db3105fc29
Instruction ID: 29c65f245fd27e52a96d5471edf46a19cd795c848a19b3b6a083dc4de7bb6ebb
Opcode Fuzzy Hash: 5cd666b91a8e3dbf86abbe9138e94dca723248a227fdcdaf9de223db3105fc29
Instruction Fuzzy Hash: E851E931500310BBCF10BB65DC95BA9B3E5EF45320F64946BE906EF291DB748C84EB96

Function 00F3910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00F394E5
_wcslen.LIBCMT ref: 00F39506
_wcslen.LIBCMT ref: 00F3952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00F39585

Strings

X, xrefs: 00F39412

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 29ab1cb0df205a710128f29290dcbcfd3e0e77e6f9c4a8a8bb370a8f15145e83
Instruction ID: 55c004820f6ae2867d1b254ecca9288192fbe34e4c2ca2b68d62a124f277e975
Opcode Fuzzy Hash: 29ab1cb0df205a710128f29290dcbcfd3e0e77e6f9c4a8a8bb370a8f15145e83
Instruction Fuzzy Hash: 70E18F719083409FD714DF24C981F6EB7E5BF84324F04896DE889AB2A2DBB1DD45CB92

Function 00ED920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

BeginPaint.USER32(?,?,?), ref: 00ED9241
GetWindowRect.USER32(?,?), ref: 00ED92A5
ScreenToClient.USER32(?,?), ref: 00ED92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00ED92D3
EndPaint.USER32(?,?,?,?,?), ref: 00ED9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F171EA

Part of subcall function 00ED9339: BeginPath.GDI32(00000000), ref: 00ED9357

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 37fe68a6fb6a37ac81539da129ae1f1966b07995b446cb94d00efb219b577d79
Instruction ID: fa3413d8070a8a16309a55673863f4b701b5e54cc47bed53c9f0740d848d9a35
Opcode Fuzzy Hash: 37fe68a6fb6a37ac81539da129ae1f1966b07995b446cb94d00efb219b577d79
Instruction Fuzzy Hash: D041CF30104305AFD711DF24DC84FAA7BB8FB45761F14062AFA69A72E2C7319846EB61

Function 00F307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F3080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F30847
EnterCriticalSection.KERNEL32(?), ref: 00F30863
LeaveCriticalSection.KERNEL32(?), ref: 00F308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F30921

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a88b01a6d6326fdfd1b5163d624c9f82fe8cc86a0c0ae08dc5728dcc94e09ecd
Instruction ID: 4e79ade59dbd870104297801edb6d2296073959bb0361e7bcad93c420a639c05
Opcode Fuzzy Hash: a88b01a6d6326fdfd1b5163d624c9f82fe8cc86a0c0ae08dc5728dcc94e09ecd
Instruction Fuzzy Hash: 2B416D71900209EFDF14DF54DC85AAA77B9FF04320F1440A6ED05AA297DB30DE65EBA4

Function 00F581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F1F3AB,00000000,?,?,00000000,?,00F1682C,00000004,00000000,00000000), ref: 00F5824C
EnableWindow.USER32(?,00000000), ref: 00F58272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F582D1
ShowWindow.USER32(?,00000004), ref: 00F582E5
EnableWindow.USER32(?,00000001), ref: 00F5830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F5832F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fa9359be8a4a1e78d54c1211028240dd2f90b48b97096b3b36270f802b4c8683
Instruction ID: 08edf728f5a7247bb80275c5f64967c63c56fbc66cb61dbb50003f55f9f17e75
Opcode Fuzzy Hash: fa9359be8a4a1e78d54c1211028240dd2f90b48b97096b3b36270f802b4c8683
Instruction Fuzzy Hash: 5441C630A01744AFDB12CF14C895BE47FE0BB0A766F184165EB099B662C731684BEF40

Function 00F24C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F24C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F24CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F24CEA
_wcslen.LIBCMT ref: 00F24D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F24D10
_wcsstr.LIBVCRUNTIME ref: 00F24D1A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 05200747a57a717d89ef20026cde51cae9ee5e17b3eb99eced72a1eb6292f8f3
Instruction ID: a75dd7498181341bb92c11c93508b956c68583ce714d3288797019d9868d037b
Opcode Fuzzy Hash: 05200747a57a717d89ef20026cde51cae9ee5e17b3eb99eced72a1eb6292f8f3
Instruction Fuzzy Hash: 4E213B326043147FEB159B39FC09E7B7BDCDF45760F10403AF90ADA192DAA1ED01A6A0

Function 00F3581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC3A97,?,?,00EC2E7F,?,?,?,00000000), ref: 00EC3AC2

_wcslen.LIBCMT ref: 00F3587B
CoInitialize.OLE32(00000000), ref: 00F35995
CoCreateInstance.OLE32(00F5FCF8,00000000,00000001,00F5FB68,?), ref: 00F359AE
CoUninitialize.OLE32 ref: 00F359CC

Strings

.lnk, xrefs: 00F35876, 00F358C1, 00F35985

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c201ca979ba999286b3585e5951a17123dd8fff73ac1068765c44441146452af
Instruction ID: 0db2b0b4b0c6ee6ae8b37f51992893bf946d783e7b17a01b54197d26c7da49d9
Opcode Fuzzy Hash: c201ca979ba999286b3585e5951a17123dd8fff73ac1068765c44441146452af
Instruction Fuzzy Hash: 18D16571A047019FC714DF24C584A2ABBE5EFC9B20F14885DF889AB361D732ED46DB92

Function 00F2175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F20FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F20FCA
Part of subcall function 00F20FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F20FD6
Part of subcall function 00F20FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F20FE5
Part of subcall function 00F20FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F20FEC
Part of subcall function 00F20FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F21002

GetLengthSid.ADVAPI32(?,00000000,00F21335), ref: 00F217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F217BA
HeapAlloc.KERNEL32(00000000), ref: 00F217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F217DA
GetProcessHeap.KERNEL32(00000000,00000000,00F21335), ref: 00F217EE
HeapFree.KERNEL32(00000000), ref: 00F217F5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9493dafa633bb566a3c740a703373f9a57f806e522775294e108db179fa92da7
Instruction ID: b8280285e69ae3c0dc95ecee0d4904d4341645eabba610b59c0756d5b8f33905
Opcode Fuzzy Hash: 9493dafa633bb566a3c740a703373f9a57f806e522775294e108db179fa92da7
Instruction Fuzzy Hash: 4D11BE32900719FFDB109FA4EC49BAF7BA9FB95366F104018F54297212C739A940EBA4

Function 00F214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F21506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F21515
CloseHandle.KERNEL32(00000004), ref: 00F21520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F2154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F21563

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 90daa19d723af4fb2f2f3952d069dbdf436b34687392ed88ce657639aa69c979
Instruction ID: 2e439c7e52b684d7371c70ddd2d0b38828b4bec34686d04603823bf41a893f32
Opcode Fuzzy Hash: 90daa19d723af4fb2f2f3952d069dbdf436b34687392ed88ce657639aa69c979
Instruction Fuzzy Hash: CC11447250020DAFDF11CFA8ED49BDA7BA9FB48715F044064FA06A20A0C3718E60EBA0

Function 00EE3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EE3379,00EE2FE5), ref: 00EE3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EE339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EE33B7
SetLastError.KERNEL32(00000000,?,00EE3379,00EE2FE5), ref: 00EE3409

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 48cc94ab64d5abcd15e71928ab9ae24fd20d99a6b556794cd92e26c839e9e379
Instruction ID: b2fd846fcb9b17c4c54db39bbd7cc554aef7839b05a5200486ec20e51850458a
Opcode Fuzzy Hash: 48cc94ab64d5abcd15e71928ab9ae24fd20d99a6b556794cd92e26c839e9e379
Instruction Fuzzy Hash: 0801F53260835EAEA72627777C8D9B63E94DB053B97302229F520A31F0EF614E0166A4

Function 00EF2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EF5686,00F03CD6,?,00000000,?,00EF5B6A,?,?,?,?,?,00EEE6D1,?,00F88A48), ref: 00EF2D78
_free.LIBCMT ref: 00EF2DAB
_free.LIBCMT ref: 00EF2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000,00F03CD6), ref: 00EF2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00EEE6D1,?,00F88A48,00000010,00EC4F4A,?,?,00000000,00F03CD6), ref: 00EF2DEC
_abort.LIBCMT ref: 00EF2DF2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ec5f24660187f3816d6a86f156223227cfa442b34a4e58e35d47fc7e010dddd6
Instruction ID: c9b8839cf5cfa1fece295de2e6f08ad9e1da9ce513a9c2fe6d5285f316a62ffb
Opcode Fuzzy Hash: ec5f24660187f3816d6a86f156223227cfa442b34a4e58e35d47fc7e010dddd6
Instruction Fuzzy Hash: 3AF02831545B0C2BD2122734BC0AE7F35D9AFC1BA5F20201DFB24B21E2EF36890161A0

Function 00F58A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96A2
Part of subcall function 00ED9639: BeginPath.GDI32(?), ref: 00ED96B9
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F58A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F58A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F58A70
LineTo.GDI32(?,00000000,00000003), ref: 00F58A80
EndPath.GDI32(?), ref: 00F58A90
StrokePath.GDI32(?), ref: 00F58AA0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b715dee71eddfed18b55e1a1b74b5a5fa4e50ac948b4f153046e8a8a69c963c5
Instruction ID: 6aa5e565b3628d40785152aaafd7abe19d895f1c2ee901c9d980633a00c14b25
Opcode Fuzzy Hash: b715dee71eddfed18b55e1a1b74b5a5fa4e50ac948b4f153046e8a8a69c963c5
Instruction Fuzzy Hash: EB11DE7640024DFFDF119F94DC88EAA7F6DEF043A5F048022BA15951A1C7719D55EFA0

Function 00F251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F25218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F25229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F25230
ReleaseDC.USER32(00000000,00000000), ref: 00F25238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F2524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F25261

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 45ca3230c9ef56217bfda84c34289cb3692e4992d275c46a2cccd0a2719a9302
Instruction ID: d269fe11fbc53014464fad7e3b52383430e80f9e17e880f3ceab950ba348d115
Opcode Fuzzy Hash: 45ca3230c9ef56217bfda84c34289cb3692e4992d275c46a2cccd0a2719a9302
Instruction Fuzzy Hash: A4014F75E00718BFEB109BA59C49A5EBFB8EB48752F044065FB05A72C1D6709900DBA0

Function 00EC1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC1C22

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 45a07a47275070d49a093862c90e223553bdd720eeb9171aad2fb99c2677e685
Instruction ID: d45401938b740e72f420e6b590a1d81252976f438db565f3793fe23f48bc8242
Opcode Fuzzy Hash: 45a07a47275070d49a093862c90e223553bdd720eeb9171aad2fb99c2677e685
Instruction Fuzzy Hash: 170167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00F2EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F2EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F2EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F2EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2EB75

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: da50fa60a88f599146bd38292c5fa343a28126e161ede527a1157ab86ef465bf
Instruction ID: a423a044859564f1e6e5bae443526cb7d957cc6fdea1191bb0b408e15fb31e99
Opcode Fuzzy Hash: da50fa60a88f599146bd38292c5fa343a28126e161ede527a1157ab86ef465bf
Instruction Fuzzy Hash: 1EF0177264075CBFE6215B629C0EEAB3A7CEBCAB12F000158F702D109196A05A01AAF5

Function 00F17439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F17452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F17469
GetWindowDC.USER32(?), ref: 00F17475
GetPixel.GDI32(00000000,?,?), ref: 00F17484
ReleaseDC.USER32(?,00000000), ref: 00F17496
GetSysColor.USER32(00000005), ref: 00F174B0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c3ceeeb8460c33b3f9fee2e28f4fc60ad0b355b354616ffd18158637830dbdb3
Instruction ID: 08ed0195cc503970c2a278c69f3786e91ce9deed45d8c5a17ba5251d25cebf4c
Opcode Fuzzy Hash: c3ceeeb8460c33b3f9fee2e28f4fc60ad0b355b354616ffd18158637830dbdb3
Instruction Fuzzy Hash: 81014B31400719EFEB51AFA4DC48BEA7BB5FB04722F650164FA1AA31A1CB311E51FB90

Function 00F21874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F2187F
UnloadUserProfile.USERENV(?,?), ref: 00F2188B
CloseHandle.KERNEL32(?), ref: 00F21894
CloseHandle.KERNEL32(?), ref: 00F2189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F218A5
HeapFree.KERNEL32(00000000), ref: 00F218AC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6a500cc8adb5cba65733febc1a6730acce43cf93dd36fdb5e31331e5e8146adc
Instruction ID: 1ef32064c4b9cccc5283fecd76cee6dc5c6cf2d9a1281c65f581e52fe06eb766
Opcode Fuzzy Hash: 6a500cc8adb5cba65733febc1a6730acce43cf93dd36fdb5e31331e5e8146adc
Instruction Fuzzy Hash: 9DE05976104709BFDA015BA6ED0C945BB69FB497227508625F36681471CB325461EB90

Function 00F2C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F2C6EE
_wcslen.LIBCMT ref: 00F2C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F2C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F2C7CA

Strings

0, xrefs: 00F2C6AF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e1cc325e041773e6db32aff7651445a9a91355571b218000b0cf0bc8739656ec
Instruction ID: 3ec1fed90ed3e7f85231a6a8e37f6f553e59505bc24252eac92000b87ee9eee5
Opcode Fuzzy Hash: e1cc325e041773e6db32aff7651445a9a91355571b218000b0cf0bc8739656ec
Instruction Fuzzy Hash: A351D071A043219BD7149F28E885B6F7BE8EF89320F040A2DF995E31D1DB64D904EBD2

Function 00F4AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F4AEA3

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

GetProcessId.KERNEL32(00000000), ref: 00F4AF38
CloseHandle.KERNEL32(00000000), ref: 00F4AF67

Strings

@, xrefs: 00F4AE72
<, xrefs: 00F4AE6B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 80905d4614c74bfd2ad2dfd1f42f1cb10d96d8fff2ff16c9685a4130c19a303d
Instruction ID: 6e02f5f6dbdad4ebbd4f5fa5a8b095efac3678ec811bdfed844cd8d7f79a5fd2
Opcode Fuzzy Hash: 80905d4614c74bfd2ad2dfd1f42f1cb10d96d8fff2ff16c9685a4130c19a303d
Instruction Fuzzy Hash: 71717771A00619DFCB14DF55C584A9EBBF1EF08310F04849DE856AB392C771ED46DB91

Function 00F2719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F27206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F2723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F2724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F272CF

Strings

DllGetClassObject, xrefs: 00F27242

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: fd1bf90a7acc18d62baea2b4f604d37f81dc4f9cb0ad5ee5ba97a97e9d24b97c
Instruction ID: 4a3e6efa293f24447b1f3040e68b0a74b4b261e907c57153cdf7fc6158be8533
Opcode Fuzzy Hash: fd1bf90a7acc18d62baea2b4f604d37f81dc4f9cb0ad5ee5ba97a97e9d24b97c
Instruction Fuzzy Hash: CA415972A04314EFDB15EF94D884A9A7BA9EF44310F1580A9FD059F28AD7B0D944EBA0

Function 00F53D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F53E35
IsMenu.USER32(?), ref: 00F53E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F53E92
DrawMenuBar.USER32 ref: 00F53EA5

Strings

0, xrefs: 00F53D89

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9b9886321d65e27971a1ee4720312b696288ba556d92506199cf0c38a5cc2489
Instruction ID: 0f097f98466cec3a736322d6cce7ca01f733b5cdd72a7c8ce4c473b37cf9af1f
Opcode Fuzzy Hash: 9b9886321d65e27971a1ee4720312b696288ba556d92506199cf0c38a5cc2489
Instruction Fuzzy Hash: 9F414C75A00209AFDB10DF54D885EDAB7F5FF443A5F044129EE05A7250D730AE49EF60

Function 00F21DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F21E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F21E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F21EA9

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Strings

ListBox, xrefs: 00F21E25
ComboBox, xrefs: 00F21DF0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: dfe4d267318e00c0a09fe8c17986dafd1e64d89747ec86ea0b3d50f21d6a72db
Instruction ID: 63458785a0e569e2a8de6b3f81409730fa0910ee39f6125029c5c3b935893342
Opcode Fuzzy Hash: dfe4d267318e00c0a09fe8c17986dafd1e64d89747ec86ea0b3d50f21d6a72db
Instruction Fuzzy Hash: 56214C71900208BFDB14ABA0ED45DFFB7F8EF51360B104119F826B71D1DB395D0AA660

Function 00F52F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F52F8D
LoadLibraryW.KERNEL32(?), ref: 00F52F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F52FA9
DestroyWindow.USER32(?), ref: 00F52FB1

Strings

SysAnimate32, xrefs: 00F52F68

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6fd11b568ee512cf0264fab625ad5d1d836076d5da726e390f95a2f01fecdce7
Instruction ID: 97bffd604498c7d0886cb9715c512939230c6db587f5c1b8659861e0d0e0c281
Opcode Fuzzy Hash: 6fd11b568ee512cf0264fab625ad5d1d836076d5da726e390f95a2f01fecdce7
Instruction Fuzzy Hash: F1218B72604209ABEB504F64AC80EBB37F9EB5A376F100318FE50A6190D771DC55ABA0

Function 00EE4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EE4D1E,00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002), ref: 00EE4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EE4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00EE4D1E,00EF28E9,(,00EE4CBE,00000000,00F888B8,0000000C,00EE4E15,(,00000002,00000000), ref: 00EE4DC3

Strings

mscoree.dll, xrefs: 00EE4D86
CorExitProcess, xrefs: 00EE4D98

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5ab5f6ecd4c50300561f024ede424008954c2b7344679de904e3b9025f44844e
Instruction ID: ead1dfc6e4b5bc34cd7fed0745166e5c4b780449a874443e2b949fc8d3a6c1ea
Opcode Fuzzy Hash: 5ab5f6ecd4c50300561f024ede424008954c2b7344679de904e3b9025f44844e
Instruction Fuzzy Hash: A9F03C34A4030CAFDB119F91DC49BAEBBA5EB44756F0001A5E90AA22A0DB709940EBD1

Function 00EC4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4EAE
FreeLibrary.KERNEL32(00000000,?,?,00EC4EDD,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4EC0

Strings

kernel32.dll, xrefs: 00EC4E94
Wow64DisableWow64FsRedirection, xrefs: 00EC4EA8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: fff0e62f357452d97968fe5948af4a353790625ac190278beaba289212d7d4b6
Instruction ID: 9d4ae57c0df11d03caa264eabb787455cc9862b30b1be9043270f0b14b79512c
Opcode Fuzzy Hash: fff0e62f357452d97968fe5948af4a353790625ac190278beaba289212d7d4b6
Instruction Fuzzy Hash: 6FE0CD35A01B225FD23117256C28F5F7654AFC2F677060119FE02F7150DF60CD0291E1

Function 00EC4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EC4E74
FreeLibrary.KERNEL32(00000000,?,?,00F03CDE,?,00F91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EC4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00EC4E6E
kernel32.dll, xrefs: 00EC4E5B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30263aac4416ae2185e7c529a44c3e4482229027298f077c491528589914ed1a
Instruction ID: 8c19fc53c95c0ba3ea17e05b96e99fd5f063c2a3a522a30061a0c501508ea052
Opcode Fuzzy Hash: 30263aac4416ae2185e7c529a44c3e4482229027298f077c491528589914ed1a
Instruction Fuzzy Hash: 73D01235502B226F57221B297C2CE8B7A18AF86F5A3060519BE06BA155CF61CD02E5D1

Function 00F32947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32C05
DeleteFileW.KERNEL32(?), ref: 00F32C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F32C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F32CC0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 81cb0449330f906cdf8904376a10eb5e57e516bde34345274da2833938257ba4
Instruction ID: dbe1e00e6846cd5ce0ca5d90c09acacb54777e6c7d0ed2ac4b8b68991a8f9b1f
Opcode Fuzzy Hash: 81cb0449330f906cdf8904376a10eb5e57e516bde34345274da2833938257ba4
Instruction Fuzzy Hash: 73B17D72D0012DABDF11DBA4CC85EDEB7BDEF48360F0040A6F609F6151EA35AA449FA1

Function 00F4A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F4A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F4A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F4A468
CloseHandle.KERNEL32(?), ref: 00F4A63D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4af54a97f36046c5514b069ade7333ec2cb7e1628c0b485da8f52bda7c437580
Instruction ID: 7112abec326f8de2b257bac103b9433156eebf7128b131222d7dd0782c87c82a
Opcode Fuzzy Hash: 4af54a97f36046c5514b069ade7333ec2cb7e1628c0b485da8f52bda7c437580
Instruction Fuzzy Hash: 1DA1B0716043009FD720DF24C986F2ABBE5AF84714F18981DF99A9B3D2D771EC428B82

Function 00EFBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F63700), ref: 00EFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F91270,000000FF,?,0000003F,00000000,?), ref: 00EFBC36
_free.LIBCMT ref: 00EFBB7F

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFBD4B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: ad37769fa5d3c12c446fff3901d9d1d9ecb2d34e9f7fd9dba49bdb8f62b40a81
Instruction ID: f0bdfb390cd60063c28a76ee2e38f1f206fbd50810bf9d2cb59fc74c7ffc5699
Opcode Fuzzy Hash: ad37769fa5d3c12c446fff3901d9d1d9ecb2d34e9f7fd9dba49bdb8f62b40a81
Instruction Fuzzy Hash: C351C37190020EEFDB20EF65DC819BEB7B8FF41354B10526AE664F71A1EB709E419B90

Function 00F2E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F2CF22,?), ref: 00F2DDFD

Part of subcall function 00F2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F2CF22,?), ref: 00F2DE16

Part of subcall function 00F2E199: GetFileAttributesW.KERNEL32(?,00F2CF95), ref: 00F2E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F2E473
MoveFileW.KERNEL32(?,?), ref: 00F2E4AC
_wcslen.LIBCMT ref: 00F2E5EB
_wcslen.LIBCMT ref: 00F2E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F2E650

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: dbe7db2db9bdf14f8a83cd0df6b45c440b9d6316d4dfbb8e52e1b2087be2e25f
Instruction ID: c168ac9f875ea6d0b8df2922ba697beedec6e66015428730921485f0b1c44650
Opcode Fuzzy Hash: dbe7db2db9bdf14f8a83cd0df6b45c440b9d6316d4dfbb8e52e1b2087be2e25f
Instruction Fuzzy Hash: 2C51B5B24083955BC724EB90DC81DDFB3ECAF84350F10092EF689D3192EF35A6889766

Function 00F4B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4B6AE,?,?), ref: 00F4C9B5
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4C9F1
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA68
Part of subcall function 00F4C998: _wcslen.LIBCMT ref: 00F4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F4BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F4BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F4BBB3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f535d682a620d50c85188c2b4566a046b9bd725d5291f12011dc638cb46343b7
Instruction ID: 2b3eb77e75aa1732b33922ac3da887bd80d05d497c7415485460e6529e14ace7
Opcode Fuzzy Hash: f535d682a620d50c85188c2b4566a046b9bd725d5291f12011dc638cb46343b7
Instruction Fuzzy Hash: 6361A031608241AFD314DF14C895F2ABBE5FF84318F14855CF89A8B2A2CB35ED46DB92

Function 00F28BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F28BCD
VariantClear.OLEAUT32 ref: 00F28C3E
VariantClear.OLEAUT32 ref: 00F28C9D
VariantClear.OLEAUT32(?), ref: 00F28D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F28D3B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7e14e3e13d77290c9d6dc6a8b8b5af61189578466d9137f64a9fc08840e41f71
Instruction ID: da32877ab49212857583e344c895b167dbcffaa9ec797424c6c8c2cc96839e2a
Opcode Fuzzy Hash: 7e14e3e13d77290c9d6dc6a8b8b5af61189578466d9137f64a9fc08840e41f71
Instruction Fuzzy Hash: C75169B5A01219EFDB10CF68D884EAAB7F8FF89350B158559E906DB350E730E912CF90

Function 00F38AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F38BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F38BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F38C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F38C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F38C5F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3216ecfcf347d32beae78670c05f4f5b841b9d2b6479c2967bece41156fbc236
Instruction ID: 2846c8dee8548185483769fd2692212b3fac6fab7f3d43b81ded8cc72339a569
Opcode Fuzzy Hash: 3216ecfcf347d32beae78670c05f4f5b841b9d2b6479c2967bece41156fbc236
Instruction Fuzzy Hash: 5A513935A002199FCB04DF64C881E69BBF5FF49364F088459F84AAB362CB35ED52DB90

Function 00F48EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F48F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F48FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F48FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F49032
FreeLibrary.KERNEL32(00000000), ref: 00F49052

Part of subcall function 00EDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F31043,?,7644E610), ref: 00EDF6E6
Part of subcall function 00EDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F1FA64,00000000,00000000,?,?,00F31043,?,7644E610,?,00F1FA64), ref: 00EDF70D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 4b62d5b5c2e8760cb19856f6e6a9ca60fa8f3e45d18029c86a6656349ae2d89f
Instruction ID: 1906576c4353b46be960da956651569d1ebdb772cb17eb481982f1abb61fb7af
Opcode Fuzzy Hash: 4b62d5b5c2e8760cb19856f6e6a9ca60fa8f3e45d18029c86a6656349ae2d89f
Instruction Fuzzy Hash: C0513935A04205DFC715DF68C484DADBBF1FF49324B048099E806AB362DB32ED86DB90

Function 00F56B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F56C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F56C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F56C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F3AB79,00000000,00000000), ref: 00F56C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F56CC7

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4aaf89a68bc3f73305bb1f211fa5c14f9266c4c64ae3d56aacbe18deba4cd3e6
Instruction ID: da0d71ec2cb5e0aeed5e9a95ddd1d111f4f07ca3f9625cf7d26c675a8edfc199
Opcode Fuzzy Hash: 4aaf89a68bc3f73305bb1f211fa5c14f9266c4c64ae3d56aacbe18deba4cd3e6
Instruction Fuzzy Hash: 6E41DC35A04204AFD724CF28CC59FA57FA5EB09362F550124FEA5E73E1C371AD45E640

Function 00EF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF20C3
_free.LIBCMT ref: 00EF20E3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86c95a403fddccf1023c134db182a49c80fd42cfb555ee016f34833174305bc8
Instruction ID: b4856085109f5bb444204c8fc9dbf2d3fd483e4cb1631c89b716d701760e42eb
Opcode Fuzzy Hash: 86c95a403fddccf1023c134db182a49c80fd42cfb555ee016f34833174305bc8
Instruction Fuzzy Hash: 2A41D132A002089FCB24DF78C880AAEB7E5EF89714B1545ADE715FB391DB31AD01CB81

Function 00ED912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00ED9141
ScreenToClient.USER32(00000000,?), ref: 00ED915E
GetAsyncKeyState.USER32(00000001), ref: 00ED9183
GetAsyncKeyState.USER32(00000002), ref: 00ED919D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 03feef34aedd59f337ad0f4cde2ba7bc3f493d02d289f7d50093f5548da80e59
Instruction ID: fc9b0946d83f6659c80619dd27e9411a1b0e3028d3d88b3c553307f1aefb83c1
Opcode Fuzzy Hash: 03feef34aedd59f337ad0f4cde2ba7bc3f493d02d289f7d50093f5548da80e59
Instruction Fuzzy Hash: 0D41607190861AFBDF19AF64CC48BEEB774FB05324F204216E429B3291C7346995DF91

Function 00F33874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F33922
TranslateMessage.USER32(?), ref: 00F3394B
DispatchMessageW.USER32(?), ref: 00F33955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F33966

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7ecd5439772c0fe37bdcce8395c36d6ca44747872b8e371a51d0447bde0777d5
Instruction ID: aae5d2360edb309de8dc6ed87ce04e220575e748ee17ee21e90d8482fa200bab
Opcode Fuzzy Hash: 7ecd5439772c0fe37bdcce8395c36d6ca44747872b8e371a51d0447bde0777d5
Instruction Fuzzy Hash: C031D371D0634ADEFB35CB349C49FB637A9EB05335F04056AE462C21A0E3B49A85FB61

Function 00F3CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00F3CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F3C21E,00000000), ref: 00F3CFF2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dacc00f61c45e7a2de68677a16483e8875f4373267f208251e5c410dc1c78c08
Instruction ID: 4be62efcbbc254f60ee7ec56d4fa51bf892228b018d9d60b07cdab4c7e76805a
Opcode Fuzzy Hash: dacc00f61c45e7a2de68677a16483e8875f4373267f208251e5c410dc1c78c08
Instruction Fuzzy Hash: 22312D71904709AFDB20DFA5D884AABBBF9EB14365F10442EF516E2151D730ED41EBB0

Function 00F21901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F21915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F219E2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 99764ada36655dfdf99dff057ecfed1fbb369eb9a77dedc71bc6185b86492382
Instruction ID: f58005cbd7ef9467475ab7cb3da8eff566d464fb0ea21e084aa598d3e195a66c
Opcode Fuzzy Hash: 99764ada36655dfdf99dff057ecfed1fbb369eb9a77dedc71bc6185b86492382
Instruction Fuzzy Hash: 3E31D37190022DEFCB10CFA8DD58ADE3BB5FB14325F104225FA22A72D1C3709944EB90

Function 00F55706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F55745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F5579D
_wcslen.LIBCMT ref: 00F557AF
_wcslen.LIBCMT ref: 00F557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F55816

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e76221594622526222a2a1b8fad3e9f81743052cb6ba8ece5734786af98d25e9
Instruction ID: b19d692df9e65e2ba0373a99b8305292b385faad22fde9f516aa1cdf6a934369
Opcode Fuzzy Hash: e76221594622526222a2a1b8fad3e9f81743052cb6ba8ece5734786af98d25e9
Instruction Fuzzy Hash: 60219371D0461CDADB20DFA0DC94AED77B8FF45B22F108216EE19EA180D7708A89EF50

Function 00ED990E Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED98CC
SetTextColor.GDI32(?,?), ref: 00ED98D6
SetBkMode.GDI32(?,00000001), ref: 00ED98E9
GetStockObject.GDI32(00000005), ref: 00ED98F1
GetWindowLongW.USER32(?,000000EB), ref: 00ED9952

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 485c596e37b3feb2315d0598e2210a7484c181eb1d6cd211e83373510f4271c2
Instruction ID: f37955284465c72ca10716202747b3051fb3f9e82a054a4d2a8871d0ebd14331
Opcode Fuzzy Hash: 485c596e37b3feb2315d0598e2210a7484c181eb1d6cd211e83373510f4271c2
Instruction Fuzzy Hash: F6218B311453449FCB264B34EC65AFA3B60EB4233AF08416FE692A62E3C2310942EB41

Function 00F40930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F40951
GetForegroundWindow.USER32 ref: 00F40968
GetDC.USER32(00000000), ref: 00F409A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F409B0
ReleaseDC.USER32(00000000,00000003), ref: 00F409E8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0c466a09619c52c0954e9c63509bde3e98e8990d99cf8c7fe90766fe8013503a
Instruction ID: 2fe88067470fdda28fdf2598e3a25ebbcb4047fdcd598fbf98f5a2bf00958a2f
Opcode Fuzzy Hash: 0c466a09619c52c0954e9c63509bde3e98e8990d99cf8c7fe90766fe8013503a
Instruction Fuzzy Hash: 5021A135600214AFD714EF64CD85AAEBBE9EF48711F04842CFD4AA7352CB30AD04DB90

Function 00EFCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EFCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EFCDE9

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EFCE0F
_free.LIBCMT ref: 00EFCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EFCE31

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 563c47b8df5608205404fa80dfe47276b1458213b3f5996bb070bfc3eb03e10b
Instruction ID: cb26ffca2b9677b09931e05fad6a9a1377d78ac2ad18936d2708be5f6cb2fbff
Opcode Fuzzy Hash: 563c47b8df5608205404fa80dfe47276b1458213b3f5996bb070bfc3eb03e10b
Instruction Fuzzy Hash: 3C01D472A0171D7F232116B66D88CBB7A6DDFC6BA53351129FB05E7200EA618D0191F0

Function 00ED9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
SelectObject.GDI32(?,00000000), ref: 00ED96A2
BeginPath.GDI32(?), ref: 00ED96B9
SelectObject.GDI32(?,00000000), ref: 00ED96E2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f9bf2273ef4590bc192716a195babf4b6c4ffab03aadb8cdd487f3f976325ed0
Instruction ID: fc50c3fdf91726b84882ad2af5f6322e7182fe00baa4a07df304189abdca5bb6
Opcode Fuzzy Hash: f9bf2273ef4590bc192716a195babf4b6c4ffab03aadb8cdd487f3f976325ed0
Instruction Fuzzy Hash: 0D21803080230AEFDB119F65DC047AD7BB8FB003A6F104227F525A62B1D3719896EB90

Function 00F25711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F25726
_memcmp.LIBVCRUNTIME ref: 00F25744
_memcmp.LIBVCRUNTIME ref: 00F25757
_memcmp.LIBVCRUNTIME ref: 00F2576F
_memcmp.LIBVCRUNTIME ref: 00F25787

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8bb961eaa513416800907acdf15dfdfd68de95e20319b9d98bc447a950c2dda8
Instruction ID: 44aa8339c55f706dcba75d0ebf1ce3aa851756cbe268f1174d1d30e39a20a764
Opcode Fuzzy Hash: 8bb961eaa513416800907acdf15dfdfd68de95e20319b9d98bc447a950c2dda8
Instruction Fuzzy Hash: D101B972A8165DFBD2089511AD42FBB739C9B61BA5F004070FE04AE641F774ED54A2A1

Function 00EF2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EEF2DE,00EF3863,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6), ref: 00EF2DFD
_free.LIBCMT ref: 00EF2E32
_free.LIBCMT ref: 00EF2E59
SetLastError.KERNEL32(00000000,00EC1129), ref: 00EF2E66
SetLastError.KERNEL32(00000000,00EC1129), ref: 00EF2E6F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9ed71fcac669de88ab6f5e919dd91ca30417d06552778cb33a8ffa1eb058d463
Instruction ID: cf3e37d19c585112f3f7142c622be445877da8869c944a5c752d8b68d2cc9224
Opcode Fuzzy Hash: 9ed71fcac669de88ab6f5e919dd91ca30417d06552778cb33a8ffa1eb058d463
Instruction Fuzzy Hash: 9B01F432245B0C6BD61327756C89D7B2A99ABC17A9B30602DFB25B22E2EF708C016160

Function 00F2000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?,?,00F2035E), ref: 00F2002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?), ref: 00F20064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F1FF41,80070057,?,?), ref: 00F20070

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2c5bf1a05f3ee929c98275600acfb23d8c51605e2037c9550abae91928a98b37
Instruction ID: b8635e41ff70ffba5de7a35a69f6ac8bc0a3b8ff01261c1587a8b57145c11ca3
Opcode Fuzzy Hash: 2c5bf1a05f3ee929c98275600acfb23d8c51605e2037c9550abae91928a98b37
Instruction Fuzzy Hash: 0301A773A00718BFEB108F64EC44BAA7AEDEF44753F144114F906D2221DB71DD40A7A0

Function 00F2E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F2E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F2E9A5
Sleep.KERNEL32(00000000), ref: 00F2E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F2E9B7
Sleep.KERNEL32 ref: 00F2E9F3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 36548b15958aeb1ca4462ff604605b769806357713dd541525fb0553c2e058f7
Instruction ID: f08c767c30fd93e856832c4bcbe783060f545e115f04e668f253ce5f69e9e275
Opcode Fuzzy Hash: 36548b15958aeb1ca4462ff604605b769806357713dd541525fb0553c2e058f7
Instruction Fuzzy Hash: 72011731D01A3DDBCF40ABE5EC59AEEBB78FB09711F100556E602B2241CB349594EBA2

Function 00F210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F21114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F2112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F20B9B,?,?,?), ref: 00F21136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F2114D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 22ca3b01a9ad4146b76fe66cde8df7751eed6139488cb239ec4fa8db213fb85e
Instruction ID: 85236ed00be721a78a016f94b1d2401a2924e07a12a02f542dc70210f5137f54
Opcode Fuzzy Hash: 22ca3b01a9ad4146b76fe66cde8df7751eed6139488cb239ec4fa8db213fb85e
Instruction Fuzzy Hash: D2016D75500319BFDB114F65EC49A6A3F6EFF89361B110414FA46D3360DA31DC10EAA0

Function 00F20FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F20FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F20FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F20FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F20FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F21002

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b32a174f25d78a63f074279e65bebe340bf252f1ff4094222247475f06888891
Instruction ID: 0381111a69bd8386799a3a2f3323a50aba83f2f674a53621d9ca072c00433eaf
Opcode Fuzzy Hash: b32a174f25d78a63f074279e65bebe340bf252f1ff4094222247475f06888891
Instruction Fuzzy Hash: B0F04935600319AFDB214FA5AC49F5A3BADFF89762F104414FA4AC6291CA70DC80AAA0

Function 00F21014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F2102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F21036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21062

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dcda9726a96eb08f6bc9a0f95d72badc831d8661903165ee1d6e03dfbfb5de32
Instruction ID: f2f8b95c0020c87ad265b6909a3017581d1733cd7eb8b0e34ce4f950eff44826
Opcode Fuzzy Hash: dcda9726a96eb08f6bc9a0f95d72badc831d8661903165ee1d6e03dfbfb5de32
Instruction Fuzzy Hash: 9AF06D35200359EFDB215FA5EC49F5A3BADFF89762F100414FA46C7291CA70D880EAA0

Function 00F3030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30324
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30331
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F3033E
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F3034B
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30358
CloseHandle.KERNEL32(?,?,?,?,00F3017D,?,00F332FC,?,00000001,00F02592,?), ref: 00F30365

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b45d8a4f885e350ed0becda40cbe1574908f38b968e4f9302ab5af4f345d6977
Instruction ID: 8a8ee269a5f9244ef1c88937a3512d5f76f7a23aca92542a202b2c4447511b43
Opcode Fuzzy Hash: b45d8a4f885e350ed0becda40cbe1574908f38b968e4f9302ab5af4f345d6977
Instruction Fuzzy Hash: E6019072800B159FC7309F66D890412F7F9BF502253158A3FD19652931C771A954EE80

Function 00EFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EFD752

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EFD764
_free.LIBCMT ref: 00EFD776
_free.LIBCMT ref: 00EFD788
_free.LIBCMT ref: 00EFD79A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b055749232301c26c3954a9121ae57e8d91853a55a8990dcc545e14cdbad1ec
Instruction ID: 4e1e8f60474106499e5efe42cae7cab1af1c63510dc2e4d02b9daaaf591d7a67
Opcode Fuzzy Hash: 2b055749232301c26c3954a9121ae57e8d91853a55a8990dcc545e14cdbad1ec
Instruction Fuzzy Hash: 27F0EC3258820DAB8621FB64F9C5C7A7BDEBB447147A4280AF258FB551C770FC8096B4

Function 00F25C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F25C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F25C6F
MessageBeep.USER32(00000000), ref: 00F25C87
KillTimer.USER32(?,0000040A), ref: 00F25CA3
EndDialog.USER32(?,00000001), ref: 00F25CBD

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1caae79a1ec1871359e258768ee143f7fc9b8d52e24a367df3a10aea9f26bd2a
Instruction ID: 8f1184ebd9d69cd92c4d3b1001206bba10974adcff8742b6bc40690a7a60b895
Opcode Fuzzy Hash: 1caae79a1ec1871359e258768ee143f7fc9b8d52e24a367df3a10aea9f26bd2a
Instruction Fuzzy Hash: DE018B705407149FEB215B20ED4EF9677B8BB04F06F001559A647614E1E7F06A459A90

Function 00EF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF22BE

Part of subcall function 00EF29C8: HeapFree.KERNEL32(00000000,00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000), ref: 00EF29DE
Part of subcall function 00EF29C8: GetLastError.KERNEL32(00000000,?,00EFD7D1,00000000,00000000,00000000,00000000,?,00EFD7F8,00000000,00000007,00000000,?,00EFDBF5,00000000,00000000), ref: 00EF29F0

_free.LIBCMT ref: 00EF22D0
_free.LIBCMT ref: 00EF22E3
_free.LIBCMT ref: 00EF22F4
_free.LIBCMT ref: 00EF2305

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4612e0fc82173c533058836e6c1b98d94147bb174cc1459d73e03f298037c91
Instruction ID: 0d56717ad17fb62ba748f5d24e54b4ed0358f3fe3f47b734619ee42a9b33de4d
Opcode Fuzzy Hash: b4612e0fc82173c533058836e6c1b98d94147bb174cc1459d73e03f298037c91
Instruction Fuzzy Hash: E7F03A7188012E8B8613BF54BC018693BA4FB58764700151FF614E72B1CB700911BBE4

Function 00ED95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00ED95D4
StrokeAndFillPath.GDI32(?,?,00F171F7,00000000,?,?,?), ref: 00ED95F0
SelectObject.GDI32(?,00000000), ref: 00ED9603
DeleteObject.GDI32 ref: 00ED9616
StrokePath.GDI32(?), ref: 00ED9631

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c56901f6717bbbefe18c02d0f0f0d90278514b06cebb59557496b0ac0c1f9a5a
Instruction ID: 83de13f11370fe9d42ab18c0ad4cb07b86f5c7bcc7391ab25fb7ced7f40218c3
Opcode Fuzzy Hash: c56901f6717bbbefe18c02d0f0f0d90278514b06cebb59557496b0ac0c1f9a5a
Instruction Fuzzy Hash: C8F03C3040570DEFDB125F65ED1C7643B61FB003A6F048226F626A51F1C7318996EF60

Function 00EF0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EF10F9
__freea.LIBCMT ref: 00EF1117

Part of subcall function 00EF1537: _free.LIBCMT ref: 00EF154F

Strings

a/p, xrefs: 00EF11DE
am/pm, xrefs: 00EF117A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bf6330cdc1091d4913a08e511ffc7168e2fa5c3c95fb04c10419c08741e041d1
Instruction ID: 2129fc8b64ba7ef4d8257132075eed2499d406396339f0ef55fcf66d7b4f0616
Opcode Fuzzy Hash: bf6330cdc1091d4913a08e511ffc7168e2fa5c3c95fb04c10419c08741e041d1
Instruction Fuzzy Hash: 69D12331A0124ECADB288F68C845BFEB7B1FF05304F692199EB05BB650E7359D80DB91

Function 00F47B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00EE0242: EnterCriticalSection.KERNEL32(00F9070C,00F91884,?,?,00ED198B,00F92518,?,?,?,00EC12F9,00000000), ref: 00EE024D
Part of subcall function 00EE0242: LeaveCriticalSection.KERNEL32(00F9070C,?,00ED198B,00F92518,?,?,?,00EC12F9,00000000), ref: 00EE028A

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00EE00A3: __onexit.LIBCMT ref: 00EE00A9

__Init_thread_footer.LIBCMT ref: 00F47BFB

Part of subcall function 00EE01F8: EnterCriticalSection.KERNEL32(00F9070C,?,?,00ED8747,00F92514), ref: 00EE0202
Part of subcall function 00EE01F8: LeaveCriticalSection.KERNEL32(00F9070C,?,00ED8747,00F92514), ref: 00EE0235

Strings

Variable must be of type 'Object'., xrefs: 00F47C3A
5, xrefs: 00F47C78
G, xrefs: 00F47C7F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5a8c998dcd261145e19908c71fb6d220c7aba4122de336cb43e2db0551517aae
Instruction ID: dd60609bd65563d8fd9d07c7a1ba675708d1c5dd4aa0f3b7b2afedb02914f1a5
Opcode Fuzzy Hash: 5a8c998dcd261145e19908c71fb6d220c7aba4122de336cb43e2db0551517aae
Instruction Fuzzy Hash: 93919B71A04309EFCB14EF94D881DADBBB1EF48314F148059FC06AB292DB71AE45EB51

Function 00EF5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00EF5BA8, 00EF5C6C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 63bd3081c8b6d5bff010ebb9413bff70b1541631f39aa7796268e2d25fde68ad
Instruction ID: edd6a6f91252f8d0b15ff1722c75f71257c72fdd0077049d9472e3c716fecd4f
Opcode Fuzzy Hash: 63bd3081c8b6d5bff010ebb9413bff70b1541631f39aa7796268e2d25fde68ad
Instruction Fuzzy Hash: BB51CF72900A0D9FCB119FA5C845EFEBBB8AF69314F14205AF706B7291D7319A019B61

Function 00EF8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EF8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EF8B7A
__dosmaperr.LIBCMT ref: 00EF8B81

Strings

., xrefs: 00EF8A63

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 69d59bbf0a606db808e39fe7161636064e1f316655209e842f928327be298f41
Instruction ID: 4d8162c6b79dd543be4954b2769adbca358bc0679d825af34ce3dc1e4dde3c2c
Opcode Fuzzy Hash: 69d59bbf0a606db808e39fe7161636064e1f316655209e842f928327be298f41
Instruction Fuzzy Hash: 2241027560414DAFCB259F24DD81ABD7FE5DF85308F28A1AAFA84A7242DE31CD02D790

Function 00F22716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F221D0,?,?,00000034,00000800,?,00000034), ref: 00F2B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F22760

Part of subcall function 00F2B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F2B3F8

Part of subcall function 00F2B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F2B355
Part of subcall function 00F2B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F22194,00000034,?,?,00001004,00000000,00000000), ref: 00F2B365
Part of subcall function 00F2B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F22194,00000034,?,?,00001004,00000000,00000000), ref: 00F2B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F2281A

Strings

@, xrefs: 00F22832

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2bf734e5cffa4cb1091aa172d47564aa012f1ae86e35b6f19d0412dde620f5fb
Instruction ID: 3a7711afa447ab0d4aefa9d4feb7683cbb85499781361e13a8bff191e98cdff0
Opcode Fuzzy Hash: 2bf734e5cffa4cb1091aa172d47564aa012f1ae86e35b6f19d0412dde620f5fb
Instruction Fuzzy Hash: 28413D72900228BFDB10DFA4DD85ADEBBB8EF09310F004095FA55B7181DB706E45DBA0

Function 00EF172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00EF1769
_free.LIBCMT ref: 00EF1834
_free.LIBCMT ref: 00EF183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00EF1760, 00EF1767, 00EF1796, 00EF17CE

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: c4503ee0ffc5cc262d1a70f8b4051b7c172e570fe09556ef97b5c32e758a57d3
Instruction ID: 7217ee3bc047e3e7e44e75af47ab22a99c5e0b118a24c038531d45758d90cd4d
Opcode Fuzzy Hash: c4503ee0ffc5cc262d1a70f8b4051b7c172e570fe09556ef97b5c32e758a57d3
Instruction Fuzzy Hash: 74319D71A0024CEFDB25EF999981DAEBBFCEB85350F1051ABEA04A7211D7708A40DB90

Function 00F2C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F2C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F2C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F91990,010351A8), ref: 00F2C395

Strings

0, xrefs: 00F2C2DF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3780e3280b3de1a6f1f8cff59fad677902e76d11e197406529d75e722016304a
Instruction ID: 047aff61d28cc7a82329194c151f713b25908ec31099467271acd3e08cdde479
Opcode Fuzzy Hash: 3780e3280b3de1a6f1f8cff59fad677902e76d11e197406529d75e722016304a
Instruction Fuzzy Hash: D8419D316053519FD720DF29EC84B5EBBE8AF85320F048A1DF9A5972D1D734AD04EB92

Function 00F54416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F5CC08,00000000,?,?,?,?), ref: 00F544AA
GetWindowLongW.USER32 ref: 00F544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F544D7

Strings

SysTreeView32, xrefs: 00F5447C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f469a57122f9dcdffa13e7468890defe63a67692d1b4c3c9b549869cde3b344d
Instruction ID: 495287d34323d336af6b6b47e44c103a7c0737c7894961e44e9775753f565e31
Opcode Fuzzy Hash: f469a57122f9dcdffa13e7468890defe63a67692d1b4c3c9b549869cde3b344d
Instruction Fuzzy Hash: 6831CF31650205AFDF208E38DC45BDA7BA9EB08339F244315FE79A21D0D770EC95A750

Function 00F4304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F43077,?,?), ref: 00F43378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F4307A
_wcslen.LIBCMT ref: 00F4309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F43106

Strings

255.255.255.255, xrefs: 00F43095, 00F4309A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c6ba79d9b6371d6f822006693f02231cb0ac971d4645c888cd2fc120f7542d42
Instruction ID: 05675a57972d96ff486c183441e96f8b115f01b3a5e2883c323f0f4891c80593
Opcode Fuzzy Hash: c6ba79d9b6371d6f822006693f02231cb0ac971d4645c888cd2fc120f7542d42
Instruction Fuzzy Hash: 6B31D536A04205DFDB10CF68C585EA97BE0EF54328F248159ED169B392D772DE41D760

Function 00F53EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F53F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F53F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F53F78

Strings

SysMonthCal32, xrefs: 00F53F0B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1466004112bf2e82c3ac6fce854bc2990bf86d92bae7f7b6fc5ed7fb755b0143
Instruction ID: 7a1ca4b8e36d785f9aef072621e5755af34ae111eca4f760948733b6cc059d8e
Opcode Fuzzy Hash: 1466004112bf2e82c3ac6fce854bc2990bf86d92bae7f7b6fc5ed7fb755b0143
Instruction Fuzzy Hash: B521EC32A00219BFDF258F54CC42FEA3BB9EB48764F110214FE197B1C0C6B1A955EBA0

Function 00F54653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F54705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F54713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F5471A

Strings

msctls_updown32, xrefs: 00F54684

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 32c62cf18570f79ef69b084f2618383e09c2aa7bbb35408d82fe42fc56f26c64
Instruction ID: 8d3717a2ff332434a5fc5481931e8b6d2c45782b795b24fe88b7cc4bcb6b686e
Opcode Fuzzy Hash: 32c62cf18570f79ef69b084f2618383e09c2aa7bbb35408d82fe42fc56f26c64
Instruction Fuzzy Hash: F22160B5600209AFEB11DF64ECC1DA737EDEB4A3A9B140459FA019B251CB31FC56EB60

Function 00F295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2961D

Strings

#notrayicon, xrefs: 00F295B7
#requireadmin, xrefs: 00F295D9
#OnAutoItStartRegister, xrefs: 00F295F3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b498cfb3b1cec00eb61906626f6c8fb4a1693605ef7980902ade529a1f685d4f
Instruction ID: 9a120813ea7697457609a6ba93d621d621c8839b94cb2eaf3dd21f23682164b0
Opcode Fuzzy Hash: b498cfb3b1cec00eb61906626f6c8fb4a1693605ef7980902ade529a1f685d4f
Instruction Fuzzy Hash: 0E218B3260813166C331AB25ED03FB777D8DF91320F04402AF989A7181EBD1DD46E2D2

Function 00F537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F53840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F53850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F53876

Strings

Listbox, xrefs: 00F5380F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: bbd29042338cd52ac358679b226e36ab55b41e60d84351f96b4008719dcb188e
Instruction ID: 6e714c03ee8a3de8a2ee5d14d01d10dd15ea0bb9b867a69734e23ce117b6c0a4
Opcode Fuzzy Hash: bbd29042338cd52ac358679b226e36ab55b41e60d84351f96b4008719dcb188e
Instruction Fuzzy Hash: 8521C572A002187BEF219F58DC41FBB376EEF897A1F108114FA159B190C671DC56A7A0

Function 00F349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F34A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F34A5C
SetErrorMode.KERNEL32(00000000,?,?,00F5CC08), ref: 00F34AD0

Strings

%lu, xrefs: 00F34A6F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 557096da3b7e4e0292e711bfd669c30100b13a23a0bfd1f90ff0252f84d519e8
Instruction ID: d40f6d64cace234b338d4412c4123dfb73738c740900df790dca86213a51d20e
Opcode Fuzzy Hash: 557096da3b7e4e0292e711bfd669c30100b13a23a0bfd1f90ff0252f84d519e8
Instruction Fuzzy Hash: 4C316171A00209AFDB10DF54C985EAE7BF8EF04318F144099F905EB252D775ED46DBA1

Function 00F541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F5424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F54264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F54271

Strings

msctls_trackbar32, xrefs: 00F54226

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: aa45d4949b5dd8effda8405ca9a6b41a0049e04dfa3cd7a668470e7b61567c5f
Instruction ID: e0ca57adc52abfb98dbb54f3649d3fc056b4baa78db553fb4a143ef1b229b473
Opcode Fuzzy Hash: aa45d4949b5dd8effda8405ca9a6b41a0049e04dfa3cd7a668470e7b61567c5f
Instruction Fuzzy Hash: 1511E331640308BEEF205F29CC06FAB3BACEF85B69F110124FB55E2090D271E852AB60

Function 00F22F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC6B57: _wcslen.LIBCMT ref: 00EC6B6A

Part of subcall function 00F22DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F22DC5
Part of subcall function 00F22DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F22DD6
Part of subcall function 00F22DA7: GetCurrentThreadId.KERNEL32 ref: 00F22DDD
Part of subcall function 00F22DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F22DE4

GetFocus.USER32 ref: 00F22F78

Part of subcall function 00F22DEE: GetParent.USER32(00000000), ref: 00F22DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F22FC3
EnumChildWindows.USER32(?,00F2303B), ref: 00F22FEB

Strings

%s%d, xrefs: 00F22FFF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: aee19b6d887a451fe08bcbfafc478dd3f599328716fb9b96b82ca59e0ec23952
Instruction ID: 0f5153644b4255e729f06439d0e6df40477ad1f3c3be298b3562acf849627cac
Opcode Fuzzy Hash: aee19b6d887a451fe08bcbfafc478dd3f599328716fb9b96b82ca59e0ec23952
Instruction Fuzzy Hash: 0C11E7B16002156BCF40BF709C95FEE37AAAF84308F044075F909AB252DE349A45AB70

Function 00F55882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F558EE
DrawMenuBar.USER32(?), ref: 00F558FD

Strings

0, xrefs: 00F5588F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0efee9344836361fd6ab9a790f16baaae710deda76e5cde35dbf269120fa93f9
Instruction ID: 7c41f8cca3a80f999d8cad3298028c05aea325625165cb591fa3e79f44983e29
Opcode Fuzzy Hash: 0efee9344836361fd6ab9a790f16baaae710deda76e5cde35dbf269120fa93f9
Instruction Fuzzy Hash: F2018431500218EFDB119F51DC44BAEBBB4FF45762F148099ED49D6261DB348A88EF61

Function 00F1D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F1D3BF
FreeLibrary.KERNEL32 ref: 00F1D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F1D3B9
X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 110f70653aa49478b23f2238a794beacad2f4a60850d71baeefbbabc65c2d279
Instruction ID: ec4dc05413723222bfc38ae1f59e6925e0fdc2b617d413438f60a94d63361869
Opcode Fuzzy Hash: 110f70653aa49478b23f2238a794beacad2f4a60850d71baeefbbabc65c2d279
Instruction Fuzzy Hash: AFF0E532C05B659FDB3552204CA4AE93334AF12706F558157E913F2105DB70CDC4B6D2

Function 00F2007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1453ba8baf9f07fabf369ce4959a160bab5429cbf01c4588c02504c812f1879
Instruction ID: 230ef82fc22f51207606d68f829f42e51487bc9d23f07338637251a16864b075
Opcode Fuzzy Hash: d1453ba8baf9f07fabf369ce4959a160bab5429cbf01c4588c02504c812f1879
Instruction Fuzzy Hash: 0FC16C76A0021AEFDB04CF94D894BAEB7B5FF48314F108598E505EB292CB31ED41EB90

Function 00F4342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F43459
CoUninitialize.OLE32 ref: 00F43463
VariantInit.OLEAUT32(?), ref: 00F4346E
VariantClear.OLEAUT32(?), ref: 00F4371B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e478f8b13b3dbd78f282c36b7adde944ed44bb6a19fb12dd9d11510887636465
Instruction ID: f5bf9692b0f1f9511ed7014824162481270ce853b6ce19c6cdfd7043fa294eaa
Opcode Fuzzy Hash: e478f8b13b3dbd78f282c36b7adde944ed44bb6a19fb12dd9d11510887636465
Instruction Fuzzy Hash: 73A107756043119FC710DF28C585E2ABBE5EF88724F05885DF98AAB362DB31EE01DB91

Function 00F20436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F20608
CLSIDFromProgID.OLE32(?,?,00000000,00F5CC40,000000FF,?,00000000,00000800,00000000,?,00F5FC08,?), ref: 00F2062D
_memcmp.LIBVCRUNTIME ref: 00F2064E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 47d0f845f746b614cc5bccaf9312f53f1e44b117e3efebc4ca8ece9eeaf5bcb3
Instruction ID: 4b1ad9e67690f9c0f292cb5c7d71cf561146d801fbe534250f29e9beae761355
Opcode Fuzzy Hash: 47d0f845f746b614cc5bccaf9312f53f1e44b117e3efebc4ca8ece9eeaf5bcb3
Instruction Fuzzy Hash: 33813E72A00219EFCB04DF94C984EEEB7B9FF89315F204558F506AB251DB71AE06DB60

Function 00F4A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F4A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F4A6BA

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F4A79C
CloseHandle.KERNEL32(00000000), ref: 00F4A7AB

Part of subcall function 00EDCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F03303,?), ref: 00EDCE8A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 186a62e7a49ca12dc389cb675f4a4db5ed1359862fb8117ae3b89ad6898a5f76
Instruction ID: 58d493dc1795de9be0d6c703cd3e757d126530b8b6ed20c8d9cc8693a49b0426
Opcode Fuzzy Hash: 186a62e7a49ca12dc389cb675f4a4db5ed1359862fb8117ae3b89ad6898a5f76
Instruction Fuzzy Hash: 08515D715083009FD310EF24C986E6BBBE8FF89754F04591DF986A7292EB31D905CB92

Function 00F01391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F014C0

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6bc26e7f68a0e5dd820c400e735d23808e3e8e5a12bca870d032c4c8fd6aab90
Instruction ID: 02687501bed54b38e1dc2b4500ccf79ae6c2489cf8e9fa6cefcd1cb6933f0a26
Opcode Fuzzy Hash: 6bc26e7f68a0e5dd820c400e735d23808e3e8e5a12bca870d032c4c8fd6aab90
Instruction Fuzzy Hash: 24414C3AA00508ABDB21EBB98C457BE3AE4FF47330F140225F619E71F2E73448417261

Function 00F56278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F562E2
ScreenToClient.USER32(?,?), ref: 00F56315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F56382

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d1e5692084510a6632d9a599f75a34f59c38e9b68d431abcba6d3c5e6ce123e1
Instruction ID: b4d585b9cd1a913e3b005d2e6266e65b25cbbcd53850c0693698aca20c803540
Opcode Fuzzy Hash: d1e5692084510a6632d9a599f75a34f59c38e9b68d431abcba6d3c5e6ce123e1
Instruction Fuzzy Hash: 98512C74A00209EFDF10DF54D881AAE7BB5FB45361F508169FA25DB2A0D730ED85EB90

Function 00F41AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F41AFD
WSAGetLastError.WSOCK32 ref: 00F41B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F41B8A
WSAGetLastError.WSOCK32 ref: 00F41B94

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 066a7b9c8db157b0ef3e733a4881b5b70a821448d24eb152a7a3a52bed60d34c
Instruction ID: ef9c5440be2024d373524b93641a16b5d52079a8f490b1e267747763851dd314
Opcode Fuzzy Hash: 066a7b9c8db157b0ef3e733a4881b5b70a821448d24eb152a7a3a52bed60d34c
Instruction Fuzzy Hash: DF41A5356003006FE720AF24C886F2A7BE5EB84718F54945CF95A9F7D2D772DD829B90

Function 00EFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8224ef8808430fe59bba9840e4d79c86865e5085f0312101596672fe71b4cb51
Instruction ID: f2a0923208ed1b5a89ad2733334007b45467a6eb33e575f20fd0f4267eab51bf
Opcode Fuzzy Hash: 8224ef8808430fe59bba9840e4d79c86865e5085f0312101596672fe71b4cb51
Instruction Fuzzy Hash: CE410B75A00708AFD7249F38CC41B7ABBE9EB88710F10562EF651EB691E775A9018B80

Function 00F356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F35783
GetLastError.KERNEL32(?,00000000), ref: 00F357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F357FA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1f07e9232670044298e1c4d6c062bd87351dc581b94b1469be51a7a4c63ea8ad
Instruction ID: a34d7c0300889f06d0137acc03a1a6d512e96d7e7603aec3c8c1f01ccb1ddd6f
Opcode Fuzzy Hash: 1f07e9232670044298e1c4d6c062bd87351dc581b94b1469be51a7a4c63ea8ad
Instruction Fuzzy Hash: 04412B35600614DFCB11DF15C545A1EBBE2EF89720F188488E94AAB362CB35FD01EF91

Function 00EFD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EE82D9,?,00EE82D9,?,00000001,?,?,00000001,00EE82D9,00EE82D9), ref: 00EFD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EFD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EFD9AB
__freea.LIBCMT ref: 00EFD9B4

Part of subcall function 00EF3820: RtlAllocateHeap.NTDLL(00000000,?,00F91444,?,00EDFDF5,?,?,00ECA976,00000010,00F91440,00EC13FC,?,00EC13C6,?,00EC1129), ref: 00EF3852

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 898d11dee02314d688193653386dc77a51e0a730d8bb5d657f8029c64f9f1eac
Instruction ID: aa4890bde3471bb290ddf4d615aeb5dedca3f72a5005bc9f53721e47fc39bee0
Opcode Fuzzy Hash: 898d11dee02314d688193653386dc77a51e0a730d8bb5d657f8029c64f9f1eac
Instruction Fuzzy Hash: 1331CE72A0020EABDB249FA5DC45EBE7BA6EB80314B050168FD04E6190EBB5CD50DBA0

Function 00F552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F55352
GetWindowLongW.USER32(?,000000F0), ref: 00F55375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F55382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F553A8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6d8b5f13a76feb67bd9a179b57888003ac03ec183858cf4a8fa6733d413b4125
Instruction ID: 6af2011fd1c019fc58708f3a1500e12a8506b42a5024af45ca0e7bc5dd38b3b3
Opcode Fuzzy Hash: 6d8b5f13a76feb67bd9a179b57888003ac03ec183858cf4a8fa6733d413b4125
Instruction Fuzzy Hash: 7D31D231E55A0CEFEB309F54CC25BE83763AB05BA2F584012FF19961E1C7B19988BB41

Function 00F2AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F2ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F2AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F2AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F2ACC6

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 195fb28ee61db7c494647cec6c46e6ef2e738afbb7ff5d6aaa4770d5ae8da958
Instruction ID: 8799ab9be8c9cd091168f3ec01a4b80701bd6191d60d6c3c4f7c880d72610d01
Opcode Fuzzy Hash: 195fb28ee61db7c494647cec6c46e6ef2e738afbb7ff5d6aaa4770d5ae8da958
Instruction Fuzzy Hash: 76310830E84728AFFF35CB65EC047FE7BA5AB85320F04421AE485561D1D379C985A793

Function 00F57674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F5769A
GetWindowRect.USER32(?,?), ref: 00F57710
PtInRect.USER32(?,?,00F58B89), ref: 00F57720
MessageBeep.USER32(00000000), ref: 00F5778C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 95a3212260d6cc9f6e5e7a6d3201d0c2bc070afeae55e64af84e3253f0d877a9
Instruction ID: d95efcace1ba26add877ee0c00abbf9ea889de6cf989acd66d5bc7cc7ab991c0
Opcode Fuzzy Hash: 95a3212260d6cc9f6e5e7a6d3201d0c2bc070afeae55e64af84e3253f0d877a9
Instruction Fuzzy Hash: 8741B035A05319DFCB11EF58F884FA9BBF0FB49312F1540A9EA158B261C330A949EF90

Function 00F516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F516EB

Part of subcall function 00F23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F23A57
Part of subcall function 00F23A3D: GetCurrentThreadId.KERNEL32 ref: 00F23A5E
Part of subcall function 00F23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F225B3), ref: 00F23A65

GetCaretPos.USER32(?), ref: 00F516FF
ClientToScreen.USER32(00000000,?), ref: 00F5174C
GetForegroundWindow.USER32 ref: 00F51752

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4d6240b2820b0505fd8f921c12bfb577fa174c116ac61fe8ee60dae3362e2c9b
Instruction ID: f401beb6e1ec264077476472f90d40f43fbe82b3a4b0d36e2056be4095dade04
Opcode Fuzzy Hash: 4d6240b2820b0505fd8f921c12bfb577fa174c116ac61fe8ee60dae3362e2c9b
Instruction Fuzzy Hash: 86316175D00249AFC700EFA9D981DAEBBF9EF48304B5480AEE515E7211D735AE46CFA0

Function 00F2DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

_wcslen.LIBCMT ref: 00F2DFCB
_wcslen.LIBCMT ref: 00F2DFE2
_wcslen.LIBCMT ref: 00F2E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00F2E018

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: bd642d0a50a2a2eb8f28573b59a05e73ed68b33ea2604593c6a10d7fa7417d5d
Instruction ID: 1cca1d92d838b9d027374e7ce66e425ee67503ebf11f7645581a52401d947c52
Opcode Fuzzy Hash: bd642d0a50a2a2eb8f28573b59a05e73ed68b33ea2604593c6a10d7fa7417d5d
Instruction Fuzzy Hash: E021A671D00225AFCB10DFA4E981B6EB7F8EF85760F144065E905BB285D6709E419BE1

Function 00F58FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

GetCursorPos.USER32(?), ref: 00F59001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F17711,?,?,?,?,?), ref: 00F59016
GetCursorPos.USER32(?), ref: 00F5905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F17711,?,?,?), ref: 00F59094

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: df7e5b9807c3d581bda41d4b0a9b06fb8509986264d4e2a073713ee248525ec7
Instruction ID: 8a1305f6816857a832ae2b5f2b9b3ab8f21965cbe0f82a561463a4ac7b768b3c
Opcode Fuzzy Hash: df7e5b9807c3d581bda41d4b0a9b06fb8509986264d4e2a073713ee248525ec7
Instruction Fuzzy Hash: 5421B131600118EFDB298FA4CC58EEB3BB9FB49362F044465FA05472A1C3719950FB60

Function 00F2D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F5CB68), ref: 00F2D2FB
GetLastError.KERNEL32 ref: 00F2D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F2D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F5CB68), ref: 00F2D376

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3ca924d6766f97c46d28313880b4ef274479f95b1675b651eb059ad6f9999b60
Instruction ID: be90b9a092a8c782ae676bb78a3f014b9df42a10f512320c4ea80e5956f2e83d
Opcode Fuzzy Hash: 3ca924d6766f97c46d28313880b4ef274479f95b1675b651eb059ad6f9999b60
Instruction Fuzzy Hash: 5A21D1719083119F8300DF28D8859AE77E4EF56328F104A1DF499D32A1D731DD4ADB93

Function 00F21571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F2102A
Part of subcall function 00F21014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F21036
Part of subcall function 00F21014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21045
Part of subcall function 00F21014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2104C
Part of subcall function 00F21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F21062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F215BE
_memcmp.LIBVCRUNTIME ref: 00F215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F21617
HeapFree.KERNEL32(00000000), ref: 00F2161E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7164400f47eedc64820944662a9e8b79bd70d72884fa7ab8219caaab42ca26a8
Instruction ID: 70c243cc0aae0d2d6925a909dea0446bca719136b2620ed04ccf7b9fa76e1242
Opcode Fuzzy Hash: 7164400f47eedc64820944662a9e8b79bd70d72884fa7ab8219caaab42ca26a8
Instruction Fuzzy Hash: BF218C31E00218EFDF10DFA4D945BEEBBB8FF54355F184499E441AB241E730AA05EBA4

Function 00F52782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F5280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F52824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F52832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F52840

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ddefb4b7b3871c55056ed3be2fc00e2f4675dc6048ed479f118806405e696d08
Instruction ID: 1ab82f2636bc8a209ddef73f4e7e9d6e1190b9ec47efcb17acb65f2bdb2d53cd
Opcode Fuzzy Hash: ddefb4b7b3871c55056ed3be2fc00e2f4675dc6048ed479f118806405e696d08
Instruction Fuzzy Hash: 9021F431604610AFD714DB24CC45F6A7B95EF46326F148258F9268B2D2CB75FC46D7D0

Function 00F278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?), ref: 00F28D8C
Part of subcall function 00F28D7D: lstrcpyW.KERNEL32(00000000,?,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F28DB2
Part of subcall function 00F28D7D: lstrcmpiW.KERNEL32(00000000,?,00F2790A,?,000000FF,?,00F28754,00000000,?,0000001C,?,?), ref: 00F28DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27923
lstrcpyW.KERNEL32(00000000,?,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F28754,00000000,?,0000001C,?,?,00000000), ref: 00F27984

Strings

cdecl, xrefs: 00F2797B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c64eff978279297046dd8b91ed6da02bc182b77119e77be2af60605150c23e25
Instruction ID: a062025b85da9e8593421b550e6b38ae4aa21cd0467da1ffa0e27f5c8dc4bcab
Opcode Fuzzy Hash: c64eff978279297046dd8b91ed6da02bc182b77119e77be2af60605150c23e25
Instruction Fuzzy Hash: 2E11D63A200315AFCB15AF34EC45E7A77A5FF453A0B50402AF946CB3A4EB319851E791

Function 00F57CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F57D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F57D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F57D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F3B7AD,00000000), ref: 00F57D6B

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 72f6e86518ad4cdb7ec8f6e4fdcc9c83d72c9670eea83d9918ff3ec08c60f3b3
Instruction ID: 53140c64e6803adabe83ea8ddd31616de8ede14eae854ccce511c3ee66e9988f
Opcode Fuzzy Hash: 72f6e86518ad4cdb7ec8f6e4fdcc9c83d72c9670eea83d9918ff3ec08c60f3b3
Instruction Fuzzy Hash: 9211AE32504719AFCB10AF28DC04A663BA5BF45372B154325FE3AD72E0E7319954EB80

Function 00F55660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F556BB
_wcslen.LIBCMT ref: 00F556CD
_wcslen.LIBCMT ref: 00F556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F55816

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ace15244038937d051569d9ed10a4d746adbbaa0370ba42974055eadcc4f13f0
Instruction ID: 5bbdf72b72df34f47860858fc441be1766538b4f1939055bd0d1b4c967163cc0
Opcode Fuzzy Hash: ace15244038937d051569d9ed10a4d746adbbaa0370ba42974055eadcc4f13f0
Instruction Fuzzy Hash: 5C11A271A0060996DF20DF619C95AEE77BCEF11B62B104026FF15A6081E774CA88EBA0

Function 00EF1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b5f1d79aaec2836ad344ff24505f96c2c114fc32be652e3d815421969c57c4
Instruction ID: 48c12b907cafa28dac65dc7caf627bacd7a015d9cc0802cf3081909b2c173fc6
Opcode Fuzzy Hash: 61b5f1d79aaec2836ad344ff24505f96c2c114fc32be652e3d815421969c57c4
Instruction Fuzzy Hash: A401A2B2209B1EBEF71116786CC0F77666DDF813BAB34236AF721B21D2DB628C005160

Function 00F21A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F21A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F21A8A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 382095f78e456593e66d45efe89aa084178c2950acf30519712110d7d09b17ac
Instruction ID: a1fe168e587121235c3a8c41fcd02b48e9b8b8bacbfd742b7892444620f0698f
Opcode Fuzzy Hash: 382095f78e456593e66d45efe89aa084178c2950acf30519712110d7d09b17ac
Instruction Fuzzy Hash: 80113C3AD01229FFEB10DBA4CD85FADBB78FB18750F200091E604B7290D6716E50EB94

Function 00F2E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F2E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F2E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F2E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F2E24D

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 959fd6c3d279fdc86909ca2a5c35a3323e469ddae75e40696d787eb1f78eacac
Instruction ID: 3b9d8771ba40001fef02f852ad0ea978cda6d93832b9eada1b038fa09de6f9ff
Opcode Fuzzy Hash: 959fd6c3d279fdc86909ca2a5c35a3323e469ddae75e40696d787eb1f78eacac
Instruction Fuzzy Hash: 96110872D0436DFFC7019FA8AC05E9E7FACEB45321F104226FA26E3290D270C90097A0

Function 00EED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00EECFF9,00000000,00000004,00000000), ref: 00EED218
GetLastError.KERNEL32 ref: 00EED224
__dosmaperr.LIBCMT ref: 00EED22B
ResumeThread.KERNEL32(00000000), ref: 00EED249

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5fcda9bf79c999a4608b650192c776a8551909ccbf0ee4dbeded64a011f5e8ca
Instruction ID: 9e919843a5192f3b6cb5e9696e4e50f0b5165927642c6af9d4fc098ce68fd2d6
Opcode Fuzzy Hash: 5fcda9bf79c999a4608b650192c776a8551909ccbf0ee4dbeded64a011f5e8ca
Instruction Fuzzy Hash: 8801D63680924CBFC7115BA7DC05BAE7AA9DF85731F105259FA25B21E0DB718901D6A0

Function 00F59EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00ED9BB2

GetClientRect.USER32(?,?), ref: 00F59F31
GetCursorPos.USER32(?), ref: 00F59F3B
ScreenToClient.USER32(?,?), ref: 00F59F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F59F7A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: df50c2b58321b050b0b2efdeea99999d56452edf00df86b274a69d44e749f9c5
Instruction ID: ddbf2c245aa26deea981d5eb7ef31d100556c9cce64f6cc0aade2ad483703cf2
Opcode Fuzzy Hash: df50c2b58321b050b0b2efdeea99999d56452edf00df86b274a69d44e749f9c5
Instruction Fuzzy Hash: 2D11483290421AEFDB14DFA9DC899EE77B8FB05312F000451FA12E3141D374BA85EBA1

Function 00EC600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
GetStockObject.GDI32(00000011), ref: 00EC6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ca4914ba9fe53d4cdc88f1ed167582a64475d584b2e7e7a1bad570d98189bb1b
Instruction ID: 73f29702d4ff5635b9d0d5a03bd49c6b023f4ec0332f066966085e7857d21ade
Opcode Fuzzy Hash: ca4914ba9fe53d4cdc88f1ed167582a64475d584b2e7e7a1bad570d98189bb1b
Instruction Fuzzy Hash: F8118E72101608BFEF224F949D45FEB7B69EF08359F001115FA0566010C7329C61AB90

Function 00EE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EE3B56

Part of subcall function 00EE3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00EE3AD2
Part of subcall function 00EE3AA3: ___AdjustPointer.LIBCMT ref: 00EE3AED

_UnwindNestedFrames.LIBCMT ref: 00EE3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00EE3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00EE3BA4

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 063b3614a4a61f5e85b9de4e0f1371689970b5cdc7bec65ba02461155a9f2259
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8401407210018DBBDF125EA6CC46DEB7FADEF48754F045014FE4866161C732D961DBA0

Function 00EF3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00EC13C6,00000000,00000000,?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue), ref: 00EF30A5
GetLastError.KERNEL32(?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue,00F62290,FlsSetValue,00000000,00000364,?,00EF2E46), ref: 00EF30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EF301A,00EC13C6,00000000,00000000,00000000,?,00EF328B,00000006,FlsSetValue,00F62290,FlsSetValue,00000000), ref: 00EF30BF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 465298f90df1f5a75ab857258e0eec37ae90151f461b0758f948f083522f12f8
Instruction ID: e4adfbc574e51ef860c4cbb3025de38c003b35ae8591054647fd39ade8dd0694
Opcode Fuzzy Hash: 465298f90df1f5a75ab857258e0eec37ae90151f461b0758f948f083522f12f8
Instruction Fuzzy Hash: 0901D43230132EAFCB214B799C449B77B98AF05BA6B100622FB06F3240DF21D941C6E0

Function 00F27464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F2747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F27497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F274CA

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 240c29b1ec7a9ed3db8d44387122d7091ee75288fa1d7e56b1baa886702034ea
Instruction ID: 07e57ef881f20c3caca51c890fd68731cb069d4a40718caad1adae31cdb27e5e
Opcode Fuzzy Hash: 240c29b1ec7a9ed3db8d44387122d7091ee75288fa1d7e56b1baa886702034ea
Instruction Fuzzy Hash: 2A11ADB1609324EFE720EF14EC08FA27BFCEB00B00F108569A616D6191D7B0E904EBA1

Function 00F2B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F2ACD3,?,00008000), ref: 00F2B126

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 751a65d8e56e1355a175e446178cf9c60674918e6bd92e9f90b0a83280ff2168
Instruction ID: fa618c312237601a3f286afe6c4c9f025a5c88375d5352d15a881756173676ff
Opcode Fuzzy Hash: 751a65d8e56e1355a175e446178cf9c60674918e6bd92e9f90b0a83280ff2168
Instruction Fuzzy Hash: 37111E31D01A3DDBCF00EFE5E9696EEBB78FF49711F114095D941B2282CB305551AB91

Function 00F57E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F57E33
ScreenToClient.USER32(?,?), ref: 00F57E4B
ScreenToClient.USER32(?,?), ref: 00F57E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F57E8A

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d63903d4ded91ead9badf0f41ed63e39f4836c51956bf2edc7ddc0e0dbc31a34
Instruction ID: a8d70c67b5a01d779f183f176dd802f04f24530c9eab9b012db8c5d014f124d8
Opcode Fuzzy Hash: d63903d4ded91ead9badf0f41ed63e39f4836c51956bf2edc7ddc0e0dbc31a34
Instruction Fuzzy Hash: 0F1140B9D0020AAFDB41DF98D884AEEBBF9FB08311F509066E915E3210D735AA54DF90

Function 00F22DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F22DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F22DD6
GetCurrentThreadId.KERNEL32 ref: 00F22DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F22DE4

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3e7542e7c89332cae53f02d526489bbdd18ad4895928bcfed9c7220d6ed2bce1
Instruction ID: 142fba4cda6c3d83c78d1185f802c4eee2671239ddfc9ed7420b69eea7a66ee7
Opcode Fuzzy Hash: 3e7542e7c89332cae53f02d526489bbdd18ad4895928bcfed9c7220d6ed2bce1
Instruction Fuzzy Hash: 1CE0ED725017387BD7201BB3AC1DFEB7E6CEB56BA2F400115B60AD50909AA59941E6F0

Function 00F58863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00ED9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED9693
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96A2
Part of subcall function 00ED9639: BeginPath.GDI32(?), ref: 00ED96B9
Part of subcall function 00ED9639: SelectObject.GDI32(?,00000000), ref: 00ED96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F58887
LineTo.GDI32(?,?,?), ref: 00F58894
EndPath.GDI32(?), ref: 00F588A4
StrokePath.GDI32(?), ref: 00F588B2

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fe99bf0a196d81094f370e76290ca517dd90be0af15352e7197c63b185cae671
Instruction ID: 6d16241b88407747cab029b43d7cb6298137cff3d78e032ad1ac2c8f76d73676
Opcode Fuzzy Hash: fe99bf0a196d81094f370e76290ca517dd90be0af15352e7197c63b185cae671
Instruction Fuzzy Hash: 32F03A36041759BADB126F94AC09FCA3B59AF06362F048001FB22A50E2C7755511EBE5

Function 00ED98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED98CC
SetTextColor.GDI32(?,?), ref: 00ED98D6
SetBkMode.GDI32(?,00000001), ref: 00ED98E9
GetStockObject.GDI32(00000005), ref: 00ED98F1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e87c19ea9d3503c653db0177ed46f0c2aa4c114eca5e10053759d7a41919e5bf
Instruction ID: b5bb130961212b6dbfd9fc3a607f1f7870c58da34665e29d674f6d27d9c58441
Opcode Fuzzy Hash: e87c19ea9d3503c653db0177ed46f0c2aa4c114eca5e10053759d7a41919e5bf
Instruction Fuzzy Hash: 01E06531644784AEDB215B74AC09BD83F21EB11736F048219F7FA540E1C7714641AB10

Function 00F2162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F21634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F211D9), ref: 00F2163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F211D9), ref: 00F21648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F211D9), ref: 00F2164F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 75d67a0ff5d993f724ec26226923c57c82009f375c3b035254593695e5944ef3
Instruction ID: f4d306e92bc34797b1efab3fdf3b95e654c54a8e6de53e75880c76451e05a096
Opcode Fuzzy Hash: 75d67a0ff5d993f724ec26226923c57c82009f375c3b035254593695e5944ef3
Instruction Fuzzy Hash: DBE04F71A02325AFD7201FA0AD0DB4A3B68AF54BA2F144808F346C9080D6244440E794

Function 00F1D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F1D858
GetDC.USER32(00000000), ref: 00F1D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F1D882
ReleaseDC.USER32(?), ref: 00F1D8A3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0a064c217ca0e39f249053a351e0defe9812e0325b5d43fe0e8b4271828b0ec9
Instruction ID: a4dcdf628c837c3992880600b255248eb782a0f4b92f33df46e17c8ff76190d7
Opcode Fuzzy Hash: 0a064c217ca0e39f249053a351e0defe9812e0325b5d43fe0e8b4271828b0ec9
Instruction Fuzzy Hash: 9CE0E5B1800308DFCB419FA0D908A6DBBB2EB08312B249009E90AE7290C7384A42AF80

Function 00F1D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F1D86C
GetDC.USER32(00000000), ref: 00F1D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F1D882
ReleaseDC.USER32(?), ref: 00F1D8A3

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 08a0a1dd8c90804746ed7ad69fd410cc24d2de13d966e61d583548e643340271
Instruction ID: 450b8ed6c0a8b127c390be4b33b4fe3322494999cfb13a3a981d1cb7f7b9d6a8
Opcode Fuzzy Hash: 08a0a1dd8c90804746ed7ad69fd410cc24d2de13d966e61d583548e643340271
Instruction Fuzzy Hash: 7FE09A75904308DFCF519FA0D90866DBBF5FB48712B149449EA4AE7250C7395A12EF90

Function 00F34D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC7620: _wcslen.LIBCMT ref: 00EC7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F34ED4

Strings

LPT, xrefs: 00F34DFB
*, xrefs: 00F34E10

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b6741b2b5301ab6752ef3dfbda64f1485ec7607aec8416a3f0d80b34b3ff3871
Instruction ID: f211b9419f1f733331df3566c7cea494f1a8c70f2eaa513dd95d6272a580486d
Opcode Fuzzy Hash: b6741b2b5301ab6752ef3dfbda64f1485ec7607aec8416a3f0d80b34b3ff3871
Instruction Fuzzy Hash: 9F916175A002049FCB14DF58C584EAABBF1BF44324F188099E84A9F3A2C735FD86DB91

Function 00EDE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00EDE1B1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d693496e5df75a3f90afdcdb71d541aa8cef85de25861997d11a9f929f1dc7b9
Instruction ID: 53dd29e5686d772cc64da7ea8e4934e791ea83d3baa86c86d3476d136830b806
Opcode Fuzzy Hash: d693496e5df75a3f90afdcdb71d541aa8cef85de25861997d11a9f929f1dc7b9
Instruction Fuzzy Hash: C3510275900246DFEB15EF68C485AFA7BA8EF15320F24405AECA1AF3D0D6349D83DB90

Function 00EDF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EDF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EDF2BB

Strings

@, xrefs: 00EDF2AF

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6a1c57ef02fa3a722660f28759a75f8240b5fb926e226b1386aeda33d6a4ce4a
Instruction ID: 909ff155597e0c3944f1334cb6aea74334d4cfb1d918de6825765b856d842ae9
Opcode Fuzzy Hash: 6a1c57ef02fa3a722660f28759a75f8240b5fb926e226b1386aeda33d6a4ce4a
Instruction Fuzzy Hash: 205155715087889BD320AF14DD86BAFBBF8FB84300F81884DF1D9511A5EB31856ACB67

Function 00F45745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F457E0
_wcslen.LIBCMT ref: 00F457EC

Strings

CALLARGARRAY, xrefs: 00F457E6, 00F457EB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9a664f5fdf5666ce04299e14f596a7518f80678f1a4a169e01a18947b9faeedf
Instruction ID: 2389f135a6bdd5c6f17be90cfad4865689b4b7e5469bde9d664fe33743a031b0
Opcode Fuzzy Hash: 9a664f5fdf5666ce04299e14f596a7518f80678f1a4a169e01a18947b9faeedf
Instruction Fuzzy Hash: 4F41A131E002099FCB04EFA8C885DAEBFF5FF59724F145069E905A7292EB359D81DB90

Function 00F3D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F3D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F3D13A

Strings

|, xrefs: 00F3D10B

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3ca591a133226425ef0ad25737c4a52e8721e8502083ddaae1751f570a98c73c
Instruction ID: 046d9a87465890f44d4dbcc7c02cd0d5b1aa243f91ff0b0b56dae97e52f57bb1
Opcode Fuzzy Hash: 3ca591a133226425ef0ad25737c4a52e8721e8502083ddaae1751f570a98c73c
Instruction Fuzzy Hash: A8310671D00209ABDF15EFA5DD85EEEBFB9FF04350F100019E815B6162E732AA16DB60

Function 00F5356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F53621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F5365C

Strings

static, xrefs: 00F535BC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8839e1d554d16a3da18d862335b9002758c2754902c48db900a9e2a383be50e1
Instruction ID: 404a5995535b798daf75d0e7f8a27884dcaa4377e3e9d6bdcb48837ee2d2ea43
Opcode Fuzzy Hash: 8839e1d554d16a3da18d862335b9002758c2754902c48db900a9e2a383be50e1
Instruction Fuzzy Hash: 9831AF71500604AEDB109F28DC80FFB73A9FF88761F10961DFEA597280DA31AD86E760

Function 00F54537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F5461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F54634

Strings

', xrefs: 00F5458E

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 00d72e71d87cd9b9b07ac9238d5b7dcd266db82e4a3205ac24a3083f9164cf88
Instruction ID: 934a535853cd4a8692a823c532c9add5d9f6225a03ec3f8c5d7bb40acd41eda7
Opcode Fuzzy Hash: 00d72e71d87cd9b9b07ac9238d5b7dcd266db82e4a3205ac24a3083f9164cf88
Instruction Fuzzy Hash: 44313975A0130A9FDB14CF69C990BDABBB5FF09305F14406AEE05AB381E770A985DF90

Function 00F531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F5327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F53287

Strings

Combobox, xrefs: 00F53249

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8a52cea7d09003ec7c9ab363c0784a1f32c4873fa886fa2d940640cad991e3e6
Instruction ID: 864b8a356fa8cdeeee3610bddb4fd3b7b10e1dbfb5fb96ac44b3b514ae7e3ba2
Opcode Fuzzy Hash: 8a52cea7d09003ec7c9ab363c0784a1f32c4873fa886fa2d940640cad991e3e6
Instruction Fuzzy Hash: DC11E2717006087FEF219F58DC80EBB3B6AEB943A5F104128FA18E7290D631DD55A760

Function 00F53710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC604C
Part of subcall function 00EC600E: GetStockObject.GDI32(00000011), ref: 00EC6060
Part of subcall function 00EC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC606A

GetWindowRect.USER32(00000000,?), ref: 00F5377A
GetSysColor.USER32(00000012), ref: 00F53794

Strings

static, xrefs: 00F53757

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 053086a85f28381d6880bbc1b47b3e07a430de42222d5038a4ad55d056ab082b
Instruction ID: 072c98cba52d54a3e8a8ae3bbce46796f75e3730d821d17e9ec4c3f0e64490cd
Opcode Fuzzy Hash: 053086a85f28381d6880bbc1b47b3e07a430de42222d5038a4ad55d056ab082b
Instruction Fuzzy Hash: 06115CB2A10209AFDF00DFA8CC45EEA7BB8FB08355F004514FE56E2150E735E855AB50

Function 00F3CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F3CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F3CDA6

Strings

<local>, xrefs: 00F3CD66

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 343487339f91f36e1adb6c46368d74e6acb14d909a9828d7fe3c558a773d22ce
Instruction ID: 36854ae121d9e81cab567e1ae63d6cc4f6e7f3c3654e94c914bc845ec9910659
Opcode Fuzzy Hash: 343487339f91f36e1adb6c46368d74e6acb14d909a9828d7fe3c558a773d22ce
Instruction Fuzzy Hash: D911C6766056367AD7344B668C49FE7BE6CEF127B4F004226B129A3180D7709840E7F0

Function 00F53429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F534BA

Strings

edit, xrefs: 00F5348F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: af42e846f443a7899ab87989a2b15292b3e5f5230055895e9fbcb065a59f405c
Instruction ID: 11fb0f9961fc46e89c9a7af1372910211edf7491204181a9f21a2e7bc6333be8
Opcode Fuzzy Hash: af42e846f443a7899ab87989a2b15292b3e5f5230055895e9fbcb065a59f405c
Instruction Fuzzy Hash: BE116D71500208AFEB218E68DC44AAB376AEB053B5F504724FE65931D4C771DD9AA750

Function 00F26C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F26CB6
_wcslen.LIBCMT ref: 00F26CC2

Strings

STOP, xrefs: 00F26CBC, 00F26CC1

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 717be2ebaadff80109a515f2fa0e215f5732aebc8c1d91d885eaa10259bca963
Instruction ID: 8b8fc338e9d6c0e334e92641eec3e84a1ddd045cd3ea63692f015143242df0fd
Opcode Fuzzy Hash: 717be2ebaadff80109a515f2fa0e215f5732aebc8c1d91d885eaa10259bca963
Instruction Fuzzy Hash: D901C432A0053B8BCB20AFFDEC809BF77E5EB617257500529E862E7191EA32D941E650

Function 00F21CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F21D4C

Strings

ListBox, xrefs: 00F21D16
ComboBox, xrefs: 00F21CEB

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ff2a887d2b5ca915c059ddb552c880d600ab51bc9b1edef83ae8b17731868e1d
Instruction ID: 54ee779a63a6fc206eafeffb3d03d6fcd038963f7ce2a2b4f7e80239e7cbb4bc
Opcode Fuzzy Hash: ff2a887d2b5ca915c059ddb552c880d600ab51bc9b1edef83ae8b17731868e1d
Instruction Fuzzy Hash: CE012D71A00224ABCB08EFA0ED15EFE73A4FB52350B500519F832672C1DA355909A760

Function 00F21BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F21C46

Strings

ListBox, xrefs: 00F21C10
ComboBox, xrefs: 00F21BE5

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 784cb7c8990278f55261f5db83d852a8486aa67310ff815c60de3a332e08fc5b
Instruction ID: 8e27a9a01db4ce194dde5089a73c27c81f05fb7e914930eae4131a88a389d55d
Opcode Fuzzy Hash: 784cb7c8990278f55261f5db83d852a8486aa67310ff815c60de3a332e08fc5b
Instruction Fuzzy Hash: 6201FC75AC021867CB04FB90DE55EFF77E8AB21340F100019A41677182EA259F08A7B5

Function 00F21C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F21CC8

Strings

ListBox, xrefs: 00F21C94
ComboBox, xrefs: 00F21C69

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 026d27cd3ff5e0aacf4ccc9feb889e8f3569c412040b72b535b999dfc33b36a4
Instruction ID: 0032fce599bc11c2edd8d3691f6359598adc734c25a11da3f715fa0acc6423e5
Opcode Fuzzy Hash: 026d27cd3ff5e0aacf4ccc9feb889e8f3569c412040b72b535b999dfc33b36a4
Instruction Fuzzy Hash: 7C01D075BC122867CB04FB90DF15FFE77D8AB21740F140019780177182EA259F19E675

Function 00F21D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9CB3: _wcslen.LIBCMT ref: 00EC9CBD

Part of subcall function 00F23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F23CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F21DD3

Strings

ListBox, xrefs: 00F21DA0
ComboBox, xrefs: 00F21D75

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 821de120bea0eada386a9d3a01e04dc3e66f046dc173b382cf0ff0e8e90f4ba4
Instruction ID: db82a6cfb0e5465bc0b21a8fc5863b9b5198a9499cc9bd8d79262367f3dee887
Opcode Fuzzy Hash: 821de120bea0eada386a9d3a01e04dc3e66f046dc173b382cf0ff0e8e90f4ba4
Instruction Fuzzy Hash: 70F07D72B40328A7CB04F7A0DD55FFF73F8BB11350F400918B422772C2DA2559089264

Function 00F4747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F47493
_wcslen.LIBCMT ref: 00F474B9

Strings

3, 3, 16, 1, xrefs: 00F47483

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 822a4cf91e19c0bbfb5b2f629a83356bf4367c2419e24041e1b91939b97cda17
Instruction ID: a9509ce973b409dbab08bd93a9c9783fba33428ec267193247830f152fd65e3a
Opcode Fuzzy Hash: 822a4cf91e19c0bbfb5b2f629a83356bf4367c2419e24041e1b91939b97cda17
Instruction Fuzzy Hash: 8FE02B42604361509331327AACC1A7F5BC9CFC9760710282BFD81E22B7EB95CD91A3F1

Function 00F20B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F20B23

Strings

AutoIt, xrefs: 00F20B17
Error allocating memory., xrefs: 00F20B1C

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a393e5c82fa62bbdace746395b6661960e9af2dd4453eea4a0d57550db68b2a9
Instruction ID: 6ef43d0c6c47043b2240b71bdbb045633e79144c537ac13a7abc0b1253676c97
Opcode Fuzzy Hash: a393e5c82fa62bbdace746395b6661960e9af2dd4453eea4a0d57550db68b2a9
Instruction Fuzzy Hash: B5E0D8322443182FD21036957C07F897FC4CF09F61F10042BFB4AB55C38AD2645066EA

Function 00EE0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EDF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EE0D71,?,?,?,00EC100A), ref: 00EDF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00EC100A), ref: 00EE0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EC100A), ref: 00EE0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EE0D7F

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a7ff5fada6d3210e300d3b5651aeee4270a65be8e3e48303f311f0d064c5dcbb
Instruction ID: 537ca6a96c90484aa398a1ea5219e90e863b5596989ba70bcfa9603a861a232c
Opcode Fuzzy Hash: a7ff5fada6d3210e300d3b5651aeee4270a65be8e3e48303f311f0d064c5dcbb
Instruction Fuzzy Hash: F8E06D702007458FD3209FB9D8057467BE0AB00745F00496EE982E6651DBF1E4899BA1

Function 00F33017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F3302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F33044

Strings

aut, xrefs: 00F33038

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d16fb6627ba1289dc2012eba7bc0660b35600898b64318822b870019d9b37733
Instruction ID: 821667e33cb42849e600800d8cc3392f6b9dd6a9b3ddb5d3c26b2b4be5f2a041
Opcode Fuzzy Hash: d16fb6627ba1289dc2012eba7bc0660b35600898b64318822b870019d9b37733
Instruction Fuzzy Hash: 19D05E725003286BDA20A7A4AC4EFCB3A6CDB04751F0002A1B756E2091EAB4D984CBD0

Function 00F1D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F1D220

Strings

%.3d, xrefs: 00F1D22B
X64, xrefs: 00F1D2A8

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d177cc846f3b32b138cd99b4e3727b81af49053c80928d3db71968ae1b1e470a
Instruction ID: ac831ef6f66bfd71daf5f7f285edd62130bacff664ca1fd0b9e973fdaf0d211a
Opcode Fuzzy Hash: d177cc846f3b32b138cd99b4e3727b81af49053c80928d3db71968ae1b1e470a
Instruction Fuzzy Hash: 98D01262808258E9CB50A6D0CC49BF9B3BCEB19301F608453F917A1040D634D5897762

Function 00F52356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5236C
PostMessageW.USER32(00000000), ref: 00F52373

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Strings

Shell_TrayWnd, xrefs: 00F52365

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f7a1542bed08c7e6857637310f6b3edd61b3881053b1a61685d20202d508a6ea
Instruction ID: 4e9bef35ba810bbd2adb185b2aa59e75a1d76f647c72f35134bc39d60a635e41
Opcode Fuzzy Hash: f7a1542bed08c7e6857637310f6b3edd61b3881053b1a61685d20202d508a6ea
Instruction Fuzzy Hash: 51D0A9323803107AE264B370AC0FFCA76049B00B01F0009027306EA0D0C8A0A8009A84

Function 00F52322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F5233F

Part of subcall function 00F2E97B: Sleep.KERNEL32 ref: 00F2E9F3

Strings

Shell_TrayWnd, xrefs: 00F52325

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6878107aba31ba88303dbc4b62604a07b0490471e7544824039978e4bd0f2876
Instruction ID: f27638c8a48d3064a1031f2afb132bcd3ed4b47a46a7eb265d08f2f28d663e80
Opcode Fuzzy Hash: 6878107aba31ba88303dbc4b62604a07b0490471e7544824039978e4bd0f2876
Instruction Fuzzy Hash: 01D01276394314BBE664B770ED1FFCA7A149B00B11F104916774AEA1D0D9F4A841DB94

Function 00EFBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EFBE93
GetLastError.KERNEL32 ref: 00EFBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EFBEFC

Memory Dump Source

Source File: 00000000.00000002.2134880599.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2134862680.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134956470.0000000000F82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135032274.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135055236.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 462392a219fe293f7672e6e517a1bede7e6db56a9339d670fb5f5d252689b48a
Instruction ID: c4c75931be0d1fbb0e27bd38b56cdf7d839b93426f255b2aaf4f61123a93750b
Opcode Fuzzy Hash: 462392a219fe293f7672e6e517a1bede7e6db56a9339d670fb5f5d252689b48a
Instruction Fuzzy Hash: 0641D43670020EAFCF218F65CC44ABA7BA5EF41324F156169FB59B71A1DB318D00DB50

Analysis Process: firefox.exePID: 672, Parent PID: 4592COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001AC23CBB7F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001AC23CBB857

Strings

z, xrefs: 000001AC23CBCE36
>, xrefs: 000001AC23CBF8FF
#, xrefs: 000001AC23CBC931
>, xrefs: 000001AC23CBB8B9
#, xrefs: 000001AC23CBB882
A, xrefs: 000001AC23CBB84F
z, xrefs: 000001AC23CBB88B
>, xrefs: 000001AC23CBC65C
4, xrefs: 000001AC23CBF8D9
#, xrefs: 000001AC23CB9BC5

Memory Dump Source

Source File: 00000008.00000002.3387948247.000001AC23CB9000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001AC23CB9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ac23cb9000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 12520b96e7d91052ef59fc8311a3ea5e2936df9971f4125b7fb95972e99181d8
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 3CA3C531718A498BDB2DDF28DC857E977EAFB99700F14422ED84AC7255DE34E9028BC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 52.222.236.80 52.222.236.80
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000004.00000003.2203493236.0000026989297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2202024378.00000269892A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2203569112.00000269892AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2297543640.0000026983946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2222821948.000002698393D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2222821948.0000026983927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2308249679.0000026981592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2257876639.000002698815C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221708711.000002698815B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223620431.000002698376C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2257876639.000002698815C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221708711.000002698815B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223620431.000002698376C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2297543640.0000026983946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221048528.00000269891DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2222821948.000002698393D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2314639674.0000026989805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2321555410.00000269810C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2310528646.00000269810B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2321555410.00000269810C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2310528646.00000269810B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2257876639.000002698815C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221708711.000002698815B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223620431.000002698376C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2257876639.000002698815C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221708711.000002698815B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2223620431.000002698376C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000008.00000002.3385255523.000001AC23703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000008.00000002.3385255523.000001AC23703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000008.00000002.3385255523.000001AC23703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000009.00000002.3385299951.0000023A5A20C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2273930926.00000269880BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2258183926.00000269880BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2221833153.00000269880BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2222821948.0000026983994000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2314382280.00000269804BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2297543640.0000026983946000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000004.00000003.2314382280.00000269804BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2314639674.0000026989805000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2322851410.00000269804BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2222821948.0000026983994000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2275483905.00000269839B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000004.00000003.2314745664.000002698812E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2301585132.0000026988128000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000004.00000003.2293555324.000002698811F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:63952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:63953 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.80:443 -> 192.168.2.6:63954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:63962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:63964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:63963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:63965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64110 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64113 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:64117 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64064
Source: unknown	Network traffic detected: HTTP traffic on port 63963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63925
Source: unknown	Network traffic detected: HTTP traffic on port 64119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63962
Source: unknown	Network traffic detected: HTTP traffic on port 63953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63964
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 63964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64109
Source: unknown	Network traffic detected: HTTP traffic on port 64112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64119
Source: unknown	Network traffic detected: HTTP traffic on port 63955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64115
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64117
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63954
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63956
Source: unknown	Network traffic detected: HTTP traffic on port 64114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63953
Source: unknown	Network traffic detected: HTTP traffic on port 64064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63952

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_845e1396-f980-4bfe-b1f5-5bf2d4182059.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_845e1396-f980-4bfe-b1f5-5bf2d4182059.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre