Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1530938
MD5:	c9c34b72ead9cdbe82b54d3af0ba0861
SHA1:	1196c9841ef6455c836b3fc4fda5fc79d2331cd2
SHA256:	c083a16f244340b1abb7ad21d10753833da58e208a308f6d7df268da39c3eee4
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C9C34B72EAD9CDBE82B54D3AF0BA0861)

taskkill.exe (PID: 3556 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2676 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6564 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4956 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5508 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1084 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4668 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2056 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef464ed5-9094-4688-a292-80196e98cb86} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1880 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3888 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a61a49-e04c-49ed-bb6c-48c4ab798e72} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 20492a9ba10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3188 -prefMapHandle 3200 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbe668f-b23f-4d64-845f-e0072f837971} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6ed10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3636	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0041EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0041EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0041ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0041EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0040AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00439576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00439576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2071560527.0000000000462000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bc5cfbd2-4
Source: file.exe, 00000000.00000000.2071560527.0000000000462000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9d864a70-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_da3c63f1-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_87ccd6ef-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD55B972 NtQuerySystemInformation,		17_2_000001D6AD55B972
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD553F37 NtQuerySystemInformation,		17_2_000001D6AD553F37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0040D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00401201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0040E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003ABF40	0_2_003ABF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412046	0_2_00412046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A8060	0_2_003A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408298	0_2_00408298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DE4FF	0_2_003DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D676B	0_2_003D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434873	0_2_00434873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003CCAA0	0_2_003CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003ACAF0	0_2_003ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BCC39	0_2_003BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D6DD9	0_2_003D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BB119	0_2_003BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A91C0	0_2_003A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1394	0_2_003C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1706	0_2_003C1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C781B	0_2_003C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A7920	0_2_003A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B997D	0_2_003B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C19B0	0_2_003C19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C7A4A	0_2_003C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1C77	0_2_003C1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C7CA7	0_2_003C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042BE44	0_2_0042BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D9EEE	0_2_003D9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1F32	0_2_003C1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD55B972	17_2_000001D6AD55B972
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD553F37	17_2_000001D6AD553F37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD55B9B2	17_2_000001D6AD55B9B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001D6AD55C09C	17_2_000001D6AD55C09C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003A9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003BF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003C0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@72/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004137B5 GetLastError,FormatMessageW,

0_2_004137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004010BF AdjustTokenPrivileges,CloseHandle,		0_2_004010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0040D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0041648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2056 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef464ed5-9094-4688-a292-80196e98cb86} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3888 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a61a49-e04c-49ed-bb6c-48c4ab798e72} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 20492a9ba10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3188 -prefMapHandle 3200 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbe668f-b23f-4d64-845f-e0072f837971} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6ed10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2056 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef464ed5-9094-4688-a292-80196e98cb86} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6e910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3888 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a61a49-e04c-49ed-bb6c-48c4ab798e72} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 20492a9ba10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3188 -prefMapHandle 3200 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbe668f-b23f-4d64-845f-e0072f837971} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6ed10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C0A76 push ecx; ret

0_2_003C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00431C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96929

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001D6AD55B972 rdtsc

17_2_000001D6AD55B972

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 3748	Thread sleep count: 110 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3748	Thread sleep count: 125 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0040DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DC2A2 FindFirstFileExW,	0_2_003DC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004168EE FindFirstFileW,FindClose,	0_2_004168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0041698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0040D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0040D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00419642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0041979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00419B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00415C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: firefox.exe, 00000010.00000002.3935008027.000002E5DEF00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: firefox.exe, 00000011.00000002.3934264081.000001D6ADB40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: firefox.exe, 00000012.00000002.3934190616.000001F797600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: firefox.exe, 00000010.00000002.3935008027.000002E5DEF00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: firefox.exe, 00000010.00000002.3930552876.000002E5DE9FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3935008027.000002E5DEF00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3930280158.000001D6AD2EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3930814147.000001F79729A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3934492843.000002E5DEE1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3935008027.000002E5DEF00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3934264081.000001D6ADB40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001D6AD55B972 rdtsc

17_2_000001D6AD55B972

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041EAA2 BlockInput,

0_2_0041EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C4CE8 mov eax, dword ptr fs:[00000030h]

0_2_003C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00400B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00400B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C09D5 SetUnhandledExceptionFilter,	0_2_003C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003C0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00401201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040B226 SendInput,keybd_event,

0_2_0040B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00400B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00401663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2317622709.000002048F011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C0698 cpuid

0_2_003C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00418195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FD27A GetUserNameW,

0_2_003FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_003DB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3636, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00421204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00421806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	24%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.23	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.23.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3931743400.000001D6AD6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F7975C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2140738016.0000020493023000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250091632.0000020493021000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2158966963.00000204FEEAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3931818927.000002E5DECEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3931743400.000001D6AD6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3934321698.000001F797703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3931743400.000001D6AD686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F79758F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2287545556.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296718335.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278765008.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2166471897.0000020492D28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2160182857.0000020495A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2276786470.00000204FF7B2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2282342598.0000020495ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282342598.0000020495EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301372591.0000020495EBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2165484805.0000020494464000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2304821827.0000020492E70000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2310786096.000002048E4F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2122316581.000002048B277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122152016.000002048B25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121983293.000002048B23C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121755997.000002048B21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121582202.000002048B000000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2163323905.00000204966BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2179097524.00000204946C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160596098.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194476395.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184740261.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309806766.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2165572776.0000020494447000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2287545556.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296718335.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278765008.0000020496A1B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2308277124.00000204961CD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2180612998.000002049621D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155982376.000002049621D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2179364489.000002049449E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times	firefox.exe, 0000000E.00000003.2158966963.00000204FEE61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2266593376.00000204FF47D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2182751894.000002048A653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170459987.0000020496765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170620219.0000020496772000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2301372591.0000020495ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282342598.0000020495ED2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2287732008.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308277124.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280621181.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299399294.0000020496179000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3931743400.000001D6AD6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F7975C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2310560081.000002048E6E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2170459987.0000020496759000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179364489.0000020494468000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2182751894.000002048A630000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2156140250.00000204960D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2194476395.0000020492DC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2322693548.0000020495F7A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2158966963.00000204FEEAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3931818927.000002E5DECEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3931743400.000001D6AD6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3934321698.000001F797703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2158966963.00000204FEEAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3931818927.000002E5DECEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3931743400.000001D6AD6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3934321698.000001F797703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2310458739.0000020492ABE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3931743400.000001D6AD612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F797513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3929997525.000001F797250000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2304821827.0000020492E70000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2177396770.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2165622117.0000020492E39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269317095.000002048B9D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253691083.00000204962AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297236121.000002048B69C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199443794.000002048B9C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312502420.000002048E443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172670559.00000204962BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155170457.00000204962BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165622117.0000020492EE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244178738.0000020492BE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173583894.00000204962B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254386731.00000204960D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181376737.000002048C3E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253691083.00000204962BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2128917600.000002048B6F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254386731.00000204960BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304973756.0000020492DF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162614568.00000204960BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298706842.000002048B207000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156994997.00000204962B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2128917600.000002048B677000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2310786096.000002048E4F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2310786096.000002048E4F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.2163323905.00000204966BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2184740261.0000020492D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309806766.0000020492D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160596098.0000020492D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194476395.0000020492D93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2160337175.00000204946B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183880271.00000204946C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165622117.0000020492ECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179097524.00000204946C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304393852.0000020492EA4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2160337175.00000204946B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183880271.00000204946C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165622117.0000020492ECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179097524.00000204946C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304393852.0000020492EA4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2177396770.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2250091632.0000020493021000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2165572776.0000020494447000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2291243036.0000020488125000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2306929111.0000020496AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278201075.0000020496AEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2313504632.000002048DA53000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2182751894.000002048A653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170459987.0000020496759000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2179364489.0000020494468000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2182751894.000002048A630000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2266593376.00000204FF47D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291243036.0000020488125000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2287732008.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308277124.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280621181.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299399294.0000020496179000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2179364489.000002049449E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177396770.0000020495A90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2309806766.0000020492D85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3931444071.000002E5DEA90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3930818061.000001D6AD500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3931216266.000001F7973C0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2121582202.000002048B000000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.23	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530938
Start date and time:	2024-10-10 18:01:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@72/11
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.238.148.23, 44.242.27.108, 44.224.63.42, 142.250.185.238, 2.22.61.59, 2.22.61.56, 172.217.23.106, 142.250.185.74, 216.58.206.46, 142.250.184.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.23	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	http://braintumourresearch.org	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	2NkFwDDoDy.elf	Get hash	malicious	Mirai	Browse	32.86.191.185
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://link.edgepilot.com/s/66670586/vw0py2v3TkuVLaWS3JAaPg?u=https://bharatgroup.net/	Get hash	malicious	Unknown	Browse	34.149.66.134
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
AMAZON-02US	Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml	Get hash	malicious	Unknown	Browse	54.201.17.39
	https://na2.docusign.net/Signing/EmailStart.aspx?a=65ce31e3-0f62-43e8-8a06-1efc3ff79e46&etti=24&acct=f03a97ef-a21a-4b5f-a673-fe222edf542a&er=c4396d2f-541c-4d1d-bd82-7b6b044f29c3	Get hash	malicious	HTMLPhisher	Browse	35.160.175.105
	original.eml	Get hash	malicious	Unknown	Browse	35.161.37.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	2NkFwDDoDy.elf	Get hash	malicious	Mirai	Browse	54.103.237.20
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	https://media.thesocialpresskit.com/american-bankers-association/BNAT2024PrintablesPostcard2.zip	Get hash	malicious	Unknown	Browse	18.245.31.28
	http://braintumourresearch.org	Get hash	malicious	Unknown	Browse	13.33.187.74
	https://clicktime.symantec.com/15tpJCqdM9QTMPCbrFFYy?h=klzqFfVRykrA0KxCmyOSMtGNk2cnn93amKCU2afEZ8c=&u=https://www.tiktok.com/link/v2?aid%3D1988%26lang%3Den%26scene%3Dbio_url%26target%3Dhttps://www.google.ht/url?q%3Dhttps://google%25E3%2580%2582com/amp/s/cli.re/kBNkWr%23a2FyZW4ubWNjcm9ob25AdXJlbmNvLmNvbQ%3D%3D%252F%26opi%3D256371986142%26usg%3DlxfGUQNysmkDx%26source%3Dgmail%26ust%3D2908128326238375%26usg%3DAO2mBxLVnqpOjng75rOWFwZ2mBxLVnqpOqR75	Get hash	malicious	HTMLPhisher	Browse	52.19.234.136

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.23 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cf40411f-ba1f-4c9b-b9c4-fb318c168abe.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176109886468584
Encrypted:	false
SSDEEP:	192:SKMX2wjcbhbVbTbfbRbObtbyEl7nErfJA6wnSrDtTkd/Sx5:SPbcNhnzFSJkrGjnSrDhkd/W
MD5:	5A2DF817390FD8EA4F86ED030E427998
SHA1:	1D0D158D4814D7E28E56E85EF80974234D380D4F
SHA-256:	0EEDCACFFFCA3E1A85628A5F05F3A185E3F1A830B99E16FBBBCB2CD140C5733D
SHA-512:	CBA07090D17EF8B5F88FCA84586C9AC6BEB6D7EC8092BA4CE8519F2EA3F075AEDA32B261C6F3A882AC5BC970E672F3FBD99D3E417FD04B792B206E9C1FE173ED
Malicious:	false
Preview:	{"type":"uninstall","id":"cf40411f-ba1f-4c9b-b9c4-fb318c168abe","creationDate":"2024-10-10T17:31:07.416Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cf40411f-ba1f-4c9b-b9c4-fb318c168abe.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176109886468584
Encrypted:	false
SSDEEP:	192:SKMX2wjcbhbVbTbfbRbObtbyEl7nErfJA6wnSrDtTkd/Sx5:SPbcNhnzFSJkrGjnSrDhkd/W
MD5:	5A2DF817390FD8EA4F86ED030E427998
SHA1:	1D0D158D4814D7E28E56E85EF80974234D380D4F
SHA-256:	0EEDCACFFFCA3E1A85628A5F05F3A185E3F1A830B99E16FBBBCB2CD140C5733D
SHA-512:	CBA07090D17EF8B5F88FCA84586C9AC6BEB6D7EC8092BA4CE8519F2EA3F075AEDA32B261C6F3A882AC5BC970E672F3FBD99D3E417FD04B792B206E9C1FE173ED
Malicious:	false
Preview:	{"type":"uninstall","id":"cf40411f-ba1f-4c9b-b9c4-fb318c168abe","creationDate":"2024-10-10T17:31:07.416Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3035575387521954
Encrypted:	false
SSDEEP:	48:uvSdaqUgdwvz3vBdaa6Bdwp3v7daaadwr1:cbZ
MD5:	D7F81E3BA142F3A312EA28C4EA2AAA50
SHA1:	1143595525E410F8BE40816306F8F5CABE03CF69
SHA-256:	1CA7606CD1F1431DEA7C75CFD14850CDFBF83A8BAF6B0802CA5EEFAD4F383FA0
SHA-512:	691F748E246DF4C597A13FA33F737E24F939A646F71B452C06EF0256DB61B6584AD756FF7E37212C052D3C29E93F88474187332A14134FF6DFF773901E995D55
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......K-..-...........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IJYS.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WJYS.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WJYS...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............*......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3035575387521954
Encrypted:	false
SSDEEP:	48:uvSdaqUgdwvz3vBdaa6Bdwp3v7daaadwr1:cbZ
MD5:	D7F81E3BA142F3A312EA28C4EA2AAA50
SHA1:	1143595525E410F8BE40816306F8F5CABE03CF69
SHA-256:	1CA7606CD1F1431DEA7C75CFD14850CDFBF83A8BAF6B0802CA5EEFAD4F383FA0
SHA-512:	691F748E246DF4C597A13FA33F737E24F939A646F71B452C06EF0256DB61B6584AD756FF7E37212C052D3C29E93F88474187332A14134FF6DFF773901E995D55
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......K-..-...........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IJYS.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WJYS.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WJYS...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............*......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZRQDYL5OGRXEU0LI60O.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3035575387521954
Encrypted:	false
SSDEEP:	48:uvSdaqUgdwvz3vBdaa6Bdwp3v7daaadwr1:cbZ
MD5:	D7F81E3BA142F3A312EA28C4EA2AAA50
SHA1:	1143595525E410F8BE40816306F8F5CABE03CF69
SHA-256:	1CA7606CD1F1431DEA7C75CFD14850CDFBF83A8BAF6B0802CA5EEFAD4F383FA0
SHA-512:	691F748E246DF4C597A13FA33F737E24F939A646F71B452C06EF0256DB61B6584AD756FF7E37212C052D3C29E93F88474187332A14134FF6DFF773901E995D55
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......K-..-...........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IJYS.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WJYS.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WJYS...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............*......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MZQL2Z21UWTMD50MN4IF.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3035575387521954
Encrypted:	false
SSDEEP:	48:uvSdaqUgdwvz3vBdaa6Bdwp3v7daaadwr1:cbZ
MD5:	D7F81E3BA142F3A312EA28C4EA2AAA50
SHA1:	1143595525E410F8BE40816306F8F5CABE03CF69
SHA-256:	1CA7606CD1F1431DEA7C75CFD14850CDFBF83A8BAF6B0802CA5EEFAD4F383FA0
SHA-512:	691F748E246DF4C597A13FA33F737E24F939A646F71B452C06EF0256DB61B6584AD756FF7E37212C052D3C29E93F88474187332A14134FF6DFF773901E995D55
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......K-..-...........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IJYS.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WJYS.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WJYS...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............*......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923909127963707
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNNx9Rxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Laxn8P
MD5:	2A1EF085EE9483B12AB17E2BE973862F
SHA1:	2E4999CACADBCBF6D0A76938600168CCBAAB0430
SHA-256:	41036AF0CB185F057AE17BAB5F648947D181D5B750D4746895CAEFFD4012CDC9
SHA-512:	DDED10C425F7C15D5EC92C79B01F035510EC1D9F3CD725CAD721BE804C0BFEE142DEBC8F25F395950C5BFA6BCB53C4359A343175027DE32BC50712FBA2B92583
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923909127963707
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNNx9Rxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Laxn8P
MD5:	2A1EF085EE9483B12AB17E2BE973862F
SHA1:	2E4999CACADBCBF6D0A76938600168CCBAAB0430
SHA-256:	41036AF0CB185F057AE17BAB5F648947D181D5B750D4746895CAEFFD4012CDC9
SHA-512:	DDED10C425F7C15D5EC92C79B01F035510EC1D9F3CD725CAD721BE804C0BFEE142DEBC8F25F395950C5BFA6BCB53C4359A343175027DE32BC50712FBA2B92583
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27267 bytes
Category:	dropped
Size (bytes):	6182
Entropy (8bit):	6.620181661941173
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTEE1WwP:JTx2x2t0FDJ4NF6ILDfzjtedh6TEEswP
MD5:	E11F11339CEB459FF9FC2BDEFFA0A805
SHA1:	53D15C3D45026AD6AE2EF665A65E3BB8F9188E43
SHA-256:	60927DCDFA856EBD1B59A991424115D642A785C24A6A73656797A691790DCFAA
SHA-512:	18A1C00BA98F64112EE89A240AA4879C7421F186EABEBD611209AEC44B39627FE48E7669DB31852A7CF44DFF7389CAF90C5B7EAA67DCAA0821683BFF4E309648
Malicious:	false
Preview:	mozLz40..j....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27267 bytes
Category:	dropped
Size (bytes):	6182
Entropy (8bit):	6.620181661941173
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTEE1WwP:JTx2x2t0FDJ4NF6ILDfzjtedh6TEEswP
MD5:	E11F11339CEB459FF9FC2BDEFFA0A805
SHA1:	53D15C3D45026AD6AE2EF665A65E3BB8F9188E43
SHA-256:	60927DCDFA856EBD1B59A991424115D642A785C24A6A73656797A691790DCFAA
SHA-512:	18A1C00BA98F64112EE89A240AA4879C7421F186EABEBD611209AEC44B39627FE48E7669DB31852A7CF44DFF7389CAF90C5B7EAA67DCAA0821683BFF4E309648
Malicious:	false
Preview:	mozLz40..j....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07332591664048395
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiNa:DLhesh7Owd4+jiN
MD5:	9B186CA7B39627BB378C16DCA9B36E6E
SHA1:	265419CE300083504EC9DCA08363D21A2FB5FFC2
SHA-256:	6CB39DC1B53E57E88C02BD49DCC1CE504EFD88CC2F845464C8B8DD30EA5C7ADF
SHA-512:	BCDDEA9ACE833DB32D14783A70502391CEF4E55D89EDE5F4D2EBEDD6B7B014B60562DF7F50E28410E3D5FD1589D03ADA755200B2274E6D8CF22B55857FAEF4DD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.038809065359681434
Encrypted:	false
SSDEEP:	6:G7V+EUrnSBoG7V+EUrnSBotOL9XIwlio:c9UrYoGR9UrYotePi
MD5:	7FD30C116D5ED7FE416BFC2F2CD367A1
SHA1:	1D75A146DCE75395EE6C86A2DDFF2832BE6F29D3
SHA-256:	5D6F35DE962EB34CE5F323C1D42F55131562E7F3A050E9492F0C9293E45F7F95
SHA-512:	7BFE15EFF16A75FFCB25F688E2B03E47D4D559C9B9C76EDBA9F42A41D3F242E175233EDE400C75BD4B54F88E07CC6582D966E5542AA4357BA4B55189A8394318
Malicious:	false
Preview:	..-......................W`.......nP`..b"K8l.....-......................W`.......nP`..b"K8l...........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13358610267729476
Encrypted:	false
SSDEEP:	24:Kyr//fkkLxsZ+2J2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2Q:h//MQQbJ2VJCXs4qLWeJa1VyUmZk
MD5:	4C6C9E99192B1748EB63B7C90218A4FF
SHA1:	18C311700B8D867F125E1239272DEDA3927BE1B4
SHA-256:	AFD235B7F0E5C013492BEAB6512D0F7701765A2F33CB5F9ACA0E71460A90BEB2
SHA-512:	9FC85C70F91744556BE88E507512EC1A6A244976AA67855C72C89753BD770EDD03CC372F31D49730FB790B6C33284BEABFD88C3EDFB7E06EF5E0B56C16A6B619
Malicious:	false
Preview:	7....-............nP`..b&5..A3............nP`..b..h@..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4777463354247145
Encrypted:	false
SSDEEP:	192:ZnPOeRnLYbBp6OJ0aX+C6SEXKNANUq5RHWNBw8dXSl:9DeHJU5sQ7HEwU0
MD5:	F65527A9CCC1C8327A4C4C36E248214E
SHA1:	8B140048C65590FEABBBF009B2E8970310B0911C
SHA-256:	1F067CE3095D97013F3782DBFDFEE1CD81065B6D04C9A9794D57740F26DE167C
SHA-512:	3F271D8FB0D60CD1B12F3D57EBA3E9DAD975615E74F156833A86D69D6C045AFEE647F6106A194511C37E284D7819DDDEC09C11A4E208EFA6E675EFA2C4F00EB8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728581437);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728581437);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728581437);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172858

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4777463354247145
Encrypted:	false
SSDEEP:	192:ZnPOeRnLYbBp6OJ0aX+C6SEXKNANUq5RHWNBw8dXSl:9DeHJU5sQ7HEwU0
MD5:	F65527A9CCC1C8327A4C4C36E248214E
SHA1:	8B140048C65590FEABBBF009B2E8970310B0911C
SHA-256:	1F067CE3095D97013F3782DBFDFEE1CD81065B6D04C9A9794D57740F26DE167C
SHA-512:	3F271D8FB0D60CD1B12F3D57EBA3E9DAD975615E74F156833A86D69D6C045AFEE647F6106A194511C37E284D7819DDDEC09C11A4E208EFA6E675EFA2C4F00EB8
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728581437);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728581437);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728581437);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172858

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1561
Entropy (8bit):	6.336554698744281
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOLXnIrJf/pnxQwRcWT5sKmgbx3eHVpjO+WamhujJKjtO2c0TiVm0f:GUpOxLynRcoegl3erjxW4JStc3zBtv
MD5:	14165EF7BAF95D0EF90AA36B42FFB48B
SHA1:	05D67A174FB82D71CF351B9603B2748D49322A0E
SHA-256:	A76EBE6284D89EE02E8EA8BF7FFA5755BE88B57356E1A8C14C0F5C615D0A1CD9
SHA-512:	9061522826BF6878D96C0030C693D0FBCA1A43B7A5779035F093BB4BE848FDB498BCFCD38BBBB59F76BFE989E51792548CAB7759B62D833B48B6A25CD6C3CF7B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1f5373a2-03f2-41ed-b49b-46c9615a0398}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728581442439,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..P06877...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...10456,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1561
Entropy (8bit):	6.336554698744281
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOLXnIrJf/pnxQwRcWT5sKmgbx3eHVpjO+WamhujJKjtO2c0TiVm0f:GUpOxLynRcoegl3erjxW4JStc3zBtv
MD5:	14165EF7BAF95D0EF90AA36B42FFB48B
SHA1:	05D67A174FB82D71CF351B9603B2748D49322A0E
SHA-256:	A76EBE6284D89EE02E8EA8BF7FFA5755BE88B57356E1A8C14C0F5C615D0A1CD9
SHA-512:	9061522826BF6878D96C0030C693D0FBCA1A43B7A5779035F093BB4BE848FDB498BCFCD38BBBB59F76BFE989E51792548CAB7759B62D833B48B6A25CD6C3CF7B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1f5373a2-03f2-41ed-b49b-46c9615a0398}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728581442439,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..P06877...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...10456,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1561
Entropy (8bit):	6.336554698744281
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSOLXnIrJf/pnxQwRcWT5sKmgbx3eHVpjO+WamhujJKjtO2c0TiVm0f:GUpOxLynRcoegl3erjxW4JStc3zBtv
MD5:	14165EF7BAF95D0EF90AA36B42FFB48B
SHA1:	05D67A174FB82D71CF351B9603B2748D49322A0E
SHA-256:	A76EBE6284D89EE02E8EA8BF7FFA5755BE88B57356E1A8C14C0F5C615D0A1CD9
SHA-512:	9061522826BF6878D96C0030C693D0FBCA1A43B7A5779035F093BB4BE848FDB498BCFCD38BBBB59F76BFE989E51792548CAB7759B62D833B48B6A25CD6C3CF7B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1f5373a2-03f2-41ed-b49b-46c9615a0398}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728581442439,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..P06877...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...10456,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030045138057897
Encrypted:	false
SSDEEP:	96:ycpMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:gTEr5NX0z3DhRe
MD5:	6DE8843E437DEF4F6DC307BB5A753D5A
SHA1:	753F6D7F6B8F5B4D0FE930A5BC7B2D2EB1ED3843
SHA-256:	A4D37EA0EB0BB2F3A2A773117E4079341FF932D5910F700F2C10DEC8BA756997
SHA-512:	B442037572665A5FA1310B97864AA2040F308644868327450DC6AB310B0F7BB2F9ECC2EECD74648FFD325F07C1E7538422A9A8A5193B161D28221A465F433BF5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-10T17:30:26.889Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030045138057897
Encrypted:	false
SSDEEP:	96:ycpMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:gTEr5NX0z3DhRe
MD5:	6DE8843E437DEF4F6DC307BB5A753D5A
SHA1:	753F6D7F6B8F5B4D0FE930A5BC7B2D2EB1ED3843
SHA-256:	A4D37EA0EB0BB2F3A2A773117E4079341FF932D5910F700F2C10DEC8BA756997
SHA-512:	B442037572665A5FA1310B97864AA2040F308644868327450DC6AB310B0F7BB2F9ECC2EECD74648FFD325F07C1E7538422A9A8A5193B161D28221A465F433BF5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-10T17:30:26.889Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846784798599
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	c9c34b72ead9cdbe82b54d3af0ba0861
SHA1:	1196c9841ef6455c836b3fc4fda5fc79d2331cd2
SHA256:	c083a16f244340b1abb7ad21d10753833da58e208a308f6d7df268da39c3eee4
SHA512:	281bdebfcc02e1be3bbf87131c930b029d4e9e266a0a867ca2f15471083bb8cebccebfb5c2d507982fa1c5c3364fe2110ccf7da2a8915d1c9dfb4d8fa2bd9015
SSDEEP:	12288:KqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T7:KqDEvCTbMWu7rQYlBQcBiT6rprG8ab7
TLSH:	9B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6707F68A [Thu Oct 10 15:45:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F93507ECCF3h
jmp 00007F93507EC5FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F93507EC7DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F93507EC7AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F93507EF39Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F93507EF3E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F93507EF3D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	d048c670df492233d57d5cdf0fb5499c	False	0.31561511075949367	data	5.373734712230729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 18:02:41.467271090 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:41.467315912 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:41.467968941 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:41.506820917 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:41.506843090 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:41.729264021 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:41.734297991 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:41.734379053 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:41.734520912 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:41.739406109 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:41.989907980 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:41.990011930 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.156367064 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.156441927 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.156553984 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.156703949 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.160809994 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.160860062 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.168932915 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.168968916 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.193052053 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.193087101 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.208030939 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.249713898 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.489063025 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.489156008 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.489595890 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.489762068 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.489784956 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.491421938 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.491446972 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.492631912 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.494476080 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.494514942 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.494529009 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.504074097 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.504514933 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.504638910 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.509761095 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.578560114 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.578588009 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.580923080 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.582443953 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.582453966 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.696033955 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.696049929 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.701646090 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.705952883 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.705976963 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.706044912 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.706110001 CEST	443	49714	35.190.72.216	192.168.2.5
Oct 10, 2024 18:02:42.708332062 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.709155083 CEST	49714	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:02:42.713185072 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.718722105 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:42.718756914 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:42.718930006 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:42.719053984 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:42.719064951 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:42.817581892 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.822108030 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.845587015 CEST	49722	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.850403070 CEST	80	49722	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.856348991 CEST	49722	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.856681108 CEST	49722	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.861908913 CEST	80	49722	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.868223906 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.878467083 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.887530088 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:42.887829065 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:42.986748934 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.986835957 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.988807917 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.990586042 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.990606070 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.990849018 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.993737936 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.993828058 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.993884087 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:42.994422913 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.994440079 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:42.994481087 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.999690056 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.999690056 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:42.999711037 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:42.999923944 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.000093937 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.000143051 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.000540972 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.000550985 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.001918077 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.001933098 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.075238943 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.078315973 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.082990885 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.083020926 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.083117962 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.083261967 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.083524942 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.083570004 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.083602905 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.083648920 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.085071087 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.085092068 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.088314056 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.088401079 CEST	443	49725	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:43.088617086 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.089996099 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.090023041 CEST	443	49725	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:43.095946074 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:43.101247072 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:43.101521969 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:43.158185959 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.158273935 CEST	443	49726	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:43.162039042 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.163494110 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.163532019 CEST	443	49726	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:43.206434011 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:43.206770897 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:43.210287094 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:43.210300922 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:43.210541964 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:43.213407993 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:43.213505030 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:43.213558912 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 10, 2024 18:02:43.213649035 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 10, 2024 18:02:43.337572098 CEST	80	49722	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:43.337838888 CEST	49722	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:43.343532085 CEST	80	49722	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:43.343586922 CEST	49722	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:43.468439102 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.472253084 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.476440907 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.476450920 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.476532936 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.476607084 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.476701021 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.553910971 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.554089069 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.557723045 CEST	443	49725	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:43.557790041 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.654011011 CEST	443	49726	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:43.654098034 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.744240046 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.744278908 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.744434118 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.744564056 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:43.744565010 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.744615078 CEST	443	49725	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:43.744870901 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.744903088 CEST	443	49725	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:43.745605946 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:43.745629072 CEST	49725	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:43.747699976 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.747773886 CEST	443	49726	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:43.747806072 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:43.748312950 CEST	443	49726	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:43.748380899 CEST	49726	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:44.387693882 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:44.393050909 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:44.393371105 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:44.393465042 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:44.398399115 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:44.575226068 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:44.575282097 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:44.580878973 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:44.582258940 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:44.582276106 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:44.605567932 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:44.605611086 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:44.605897903 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:44.607441902 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:44.607456923 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:44.842703104 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:44.884445906 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:45.063035965 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:45.063117027 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:45.065845013 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:45.066950083 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:45.068978071 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:45.068996906 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:45.069152117 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:45.069184065 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:45.069192886 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:45.070926905 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:45.070939064 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:45.071008921 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:45.071115971 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 10, 2024 18:02:45.071716070 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 10, 2024 18:02:45.071808100 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:46.340003967 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.344969034 CEST	80	49732	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.345526934 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.345716953 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.350559950 CEST	80	49732	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.382584095 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.387809992 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.477304935 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.526323080 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.565395117 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:46.565447092 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:46.565563917 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:46.568490028 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:46.568502903 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:46.573831081 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.828989983 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.829080105 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.829416990 CEST	80	49732	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.829535961 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.830903053 CEST	80	49732	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.830960035 CEST	49732	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.857453108 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.862624884 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:46.868995905 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.869138956 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:46.874644995 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:47.280162096 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:47.280287027 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:47.285715103 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:47.285743952 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:47.285832882 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:47.285927057 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:47.286057949 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:47.307738066 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.307835102 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.308037996 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.309504032 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.309544086 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.318506956 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:47.359992027 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:47.815871954 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.816663980 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.821305037 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.821316004 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.821450949 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.821454048 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.821470022 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.821827888 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.821877956 CEST	443	49737	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:47.827308893 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.828712940 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:47.828727007 CEST	443	49737	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:48.031411886 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:48.031500101 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:48.313941002 CEST	443	49737	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:48.314053059 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:48.319331884 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:48.319350004 CEST	443	49737	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:48.319508076 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:48.319612980 CEST	443	49737	34.149.100.209	192.168.2.5
Oct 10, 2024 18:02:48.319752932 CEST	49737	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:02:50.570534945 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:50.575779915 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:50.636727095 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:50.636781931 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:50.640160084 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:50.640283108 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:50.640295029 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:50.665035009 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:50.712980032 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:52.024941921 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:52.025013924 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:52.028007030 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:52.028012991 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:52.028227091 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:52.030016899 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:52.030102015 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:52.030152082 CEST	443	49739	35.244.181.201	192.168.2.5
Oct 10, 2024 18:02:52.030853987 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:52.030868053 CEST	49739	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:02:55.193641901 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.193711042 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.194447041 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.194459915 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.200617075 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.200617075 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.200958014 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.200973988 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.201031923 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.201041937 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.281083107 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.281172991 CEST	443	49761	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.281480074 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.283588886 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.283627033 CEST	443	49761	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.283771992 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:55.288844109 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:55.304929018 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:55.309937954 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:55.400571108 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:55.403542995 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:55.454514980 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:55.454622030 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:55.668217897 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.668298006 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.680829048 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.680845022 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.681390047 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:55.768963099 CEST	443	49761	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:55.769592047 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.250777960 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.250855923 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.251142979 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.252948999 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.252985001 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.253834009 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.258846998 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.258938074 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259058952 CEST	443	49759	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.259058952 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259087086 CEST	443	49761	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.259135962 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259232044 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259331942 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259408951 CEST	49759	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.259629965 CEST	443	49761	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.259653091 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.262020111 CEST	49761	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.262039900 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.520612955 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.520670891 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:56.521374941 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.522844076 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.522875071 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:56.654970884 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:56.659934998 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:56.746304035 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:56.751334906 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:56.752692938 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:56.794648886 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:56.795212984 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.795279980 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.805192947 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.806538105 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:56.806571007 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:56.842425108 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:56.889779091 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:56.994589090 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:56.994671106 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.998421907 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.998435974 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:56.998507023 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:56.998584986 CEST	443	49773	34.107.243.93	192.168.2.5
Oct 10, 2024 18:02:56.998652935 CEST	49773	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:02:57.279582977 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:57.279597044 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:57.279664993 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:57.283760071 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:57.283775091 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:57.283879042 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:57.283942938 CEST	443	49774	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:57.284183979 CEST	49774	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:59.114413977 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.119541883 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.218769073 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.231175900 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.233809948 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:59.233839989 CEST	443	49790	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:59.234385014 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:59.235860109 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:02:59.235874891 CEST	443	49790	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:59.236370087 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.265604973 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.326064110 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.354485035 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.360364914 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.366745949 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.450767994 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:02:59.497440100 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:02:59.723659992 CEST	443	49790	34.120.208.123	192.168.2.5
Oct 10, 2024 18:02:59.723742962 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:00.077244997 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:00.077322960 CEST	443	49790	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:00.077354908 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:00.077748060 CEST	443	49790	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:00.078809977 CEST	49790	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:00.094011068 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:00.099078894 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:00.188427925 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:00.193873882 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:00.199021101 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:00.237310886 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:00.308440924 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:00.353225946 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:09.126565933 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.126657963 CEST	443	49843	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:09.126785040 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.128061056 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.128093004 CEST	443	49843	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:09.584220886 CEST	443	49843	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:09.584408998 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.588406086 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.588422060 CEST	443	49843	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:09.588502884 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.588576078 CEST	443	49843	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:09.589044094 CEST	49843	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:09.593528032 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:09.593558073 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:09.593902111 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:09.593998909 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:09.594013929 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:09.597263098 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:09.597328901 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:09.597450972 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:09.597562075 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:09.597575903 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:09.598834991 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:09.604172945 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:09.610153913 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:09.610241890 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:09.610411882 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:09.610527992 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:09.610562086 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:09.693757057 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:09.754128933 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:09.776187897 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:09.780021906 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:09.780073881 CEST	443	49850	35.190.72.216	192.168.2.5
Oct 10, 2024 18:03:09.780838013 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:09.781946898 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:09.782407045 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:09.782443047 CEST	443	49850	35.190.72.216	192.168.2.5
Oct 10, 2024 18:03:09.795160055 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:09.795202017 CEST	443	49851	35.201.103.21	192.168.2.5
Oct 10, 2024 18:03:09.796282053 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:09.797715902 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:09.797739029 CEST	443	49851	35.201.103.21	192.168.2.5
Oct 10, 2024 18:03:09.871943951 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:09.916925907 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.056458950 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.063414097 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.070736885 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.073767900 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.073782921 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.075054884 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.076297998 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.076402903 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.076713085 CEST	443	49848	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.078588009 CEST	49848	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.080291986 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.085515976 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.142158985 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.142318964 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.145172119 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.145195007 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.145412922 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.147536993 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.147634983 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.175256968 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.178298950 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.183605909 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.217714071 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.257397890 CEST	443	49850	35.190.72.216	192.168.2.5
Oct 10, 2024 18:03:10.257585049 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:10.262105942 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:10.262128115 CEST	443	49850	35.190.72.216	192.168.2.5
Oct 10, 2024 18:03:10.262202024 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:10.262537956 CEST	443	49850	35.190.72.216	192.168.2.5
Oct 10, 2024 18:03:10.262934923 CEST	49850	443	192.168.2.5	35.190.72.216
Oct 10, 2024 18:03:10.264786005 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.273439884 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.275774002 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.318042994 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.322789907 CEST	443	49851	35.201.103.21	192.168.2.5
Oct 10, 2024 18:03:10.322936058 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:10.327070951 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:10.327084064 CEST	443	49851	35.201.103.21	192.168.2.5
Oct 10, 2024 18:03:10.327145100 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:10.329457045 CEST	443	49851	35.201.103.21	192.168.2.5
Oct 10, 2024 18:03:10.332468987 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:10.333571911 CEST	49851	443	192.168.2.5	35.201.103.21
Oct 10, 2024 18:03:10.333724976 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:10.335827112 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:10.335865021 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:10.336086035 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:10.337749004 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:10.337812901 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:10.337872982 CEST	443	49849	52.222.236.23	192.168.2.5
Oct 10, 2024 18:03:10.343090057 CEST	49849	443	192.168.2.5	52.222.236.23
Oct 10, 2024 18:03:10.344525099 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.344587088 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.345016956 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.345149994 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.345165968 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.346309900 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.346381903 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.346534967 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.346621990 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.346642017 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.348273039 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.348294973 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.348504066 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.348592043 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.348606110 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.349926949 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.349977016 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.350054979 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.350132942 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.350142956 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.362976074 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.364922047 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.369957924 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.402690887 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.463658094 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.515268087 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.824839115 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.824922085 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.825373888 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.825558901 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.827655077 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.827680111 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.828170061 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.829826117 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.829863071 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.830118895 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.831576109 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.832250118 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.832411051 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.832510948 CEST	443	49857	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.832706928 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.832771063 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.832825899 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.832937956 CEST	443	49856	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.833002090 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.833031893 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.833038092 CEST	49857	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.833060026 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.835051060 CEST	49856	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.835062981 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.836323977 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.836335897 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.836599112 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.838649988 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.838656902 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.838922024 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.841156960 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.841239929 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.841309071 CEST	443	49859	34.149.100.209	192.168.2.5
Oct 10, 2024 18:03:10.841461897 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.841573954 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.841607094 CEST	443	49858	35.244.181.201	192.168.2.5
Oct 10, 2024 18:03:10.845077991 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.845093966 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.845102072 CEST	49859	443	192.168.2.5	34.149.100.209
Oct 10, 2024 18:03:10.845380068 CEST	49858	443	192.168.2.5	35.244.181.201
Oct 10, 2024 18:03:10.847152948 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.853076935 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.942506075 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:10.947191000 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:10.988740921 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:11.158063889 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:11.264321089 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:11.264761925 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:11.264898062 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:11.267375946 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:11.349919081 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:11.389905930 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:20.957772970 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:20.962697983 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.359018087 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:21.364855051 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.406948090 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:21.413244009 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.503612995 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.507334948 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:21.512387037 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.543916941 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:21.604536057 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:21.659846067 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:29.761801004 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:29.761857986 CEST	443	49958	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:29.761992931 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:29.763375998 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:29.763398886 CEST	443	49958	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:30.241683960 CEST	443	49958	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:30.241915941 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:30.246053934 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:30.246062994 CEST	443	49958	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:30.246144056 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:30.246237993 CEST	443	49958	34.107.243.93	192.168.2.5
Oct 10, 2024 18:03:30.246999979 CEST	49958	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:03:30.249294043 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:30.254431009 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:30.344315052 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:30.347548962 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:30.355964899 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:30.388613939 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:30.443515062 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:30.488831043 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:39.669084072 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.669152975 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:39.678925991 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.679064035 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.679075956 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:39.680759907 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.680768967 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:39.681504011 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.681847095 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:39.681859970 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.348587036 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:40.353601933 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.448890924 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:40.453952074 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.517914057 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.517997980 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.518130064 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.522119999 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.522149086 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.523200989 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.524384975 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.524538994 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.524776936 CEST	443	50005	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.524852037 CEST	50005	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.532018900 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.532340050 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:40.532671928 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.536569118 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.536581993 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.536905050 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.537301064 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.538604021 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.538690090 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.538780928 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.543418884 CEST	443	50006	34.120.208.123	192.168.2.5
Oct 10, 2024 18:03:40.549206018 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.549235106 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.549362898 CEST	50006	443	192.168.2.5	34.120.208.123
Oct 10, 2024 18:03:40.627572060 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.631577015 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:40.636744976 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.687264919 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:40.727415085 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:40.775634050 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:50.628878117 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:50.634871006 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:03:50.729280949 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:03:50.734671116 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:00.642585039 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:00.715764999 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:00.743029118 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:00.748521090 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:10.625422955 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:10.625531912 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 10, 2024 18:04:10.625804901 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:10.627871037 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:10.627907038 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 10, 2024 18:04:10.718683004 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:10.724441051 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:10.749977112 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:10.755533934 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:11.124490023 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 10, 2024 18:04:11.124610901 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:11.130497932 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:11.130527973 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 10, 2024 18:04:11.130629063 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:11.130825996 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 10, 2024 18:04:11.131799936 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:04:11.133877039 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:11.139070034 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:11.229008913 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:11.232652903 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:11.239249945 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:11.273557901 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:11.333607912 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:11.389512062 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:21.234107018 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:21.334429979 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:21.383908987 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:21.383964062 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:31.383656979 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:31.383723021 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:31.388880014 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:31.388895035 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:41.390096903 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:41.390110970 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:41.395414114 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:41.395442963 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:51.403507948 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:51.403570890 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:04:51.409236908 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:04:51.409552097 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:01.430773020 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:01.430795908 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:01.436222076 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:01.436292887 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:11.443005085 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:11.443104029 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:11.448395967 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:11.448484898 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:21.450073004 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:21.450361967 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:21.455637932 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:21.455658913 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:31.464099884 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:31.464171886 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:31.469959021 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:31.470015049 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:31.589401007 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:31.589427948 CEST	443	50033	34.107.243.93	192.168.2.5
Oct 10, 2024 18:05:31.589627028 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:31.591854095 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:31.591872931 CEST	443	50033	34.107.243.93	192.168.2.5
Oct 10, 2024 18:05:32.056067944 CEST	443	50033	34.107.243.93	192.168.2.5
Oct 10, 2024 18:05:32.056296110 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:32.061745882 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:32.061773062 CEST	443	50033	34.107.243.93	192.168.2.5
Oct 10, 2024 18:05:32.062016964 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:32.062078953 CEST	443	50033	34.107.243.93	192.168.2.5
Oct 10, 2024 18:05:32.062129021 CEST	50033	443	192.168.2.5	34.107.243.93
Oct 10, 2024 18:05:32.064384937 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:32.069937944 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:32.162587881 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:32.165997982 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:32.171322107 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:32.203787088 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:32.261780977 CEST	80	49735	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:32.304241896 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:42.168593884 CEST	49728	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:42.174371004 CEST	80	49728	34.107.221.82	192.168.2.5
Oct 10, 2024 18:05:42.268606901 CEST	49735	80	192.168.2.5	34.107.221.82
Oct 10, 2024 18:05:42.274045944 CEST	80	49735	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 18:02:41.468043089 CEST	52894	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.476788044 CEST	53	52894	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.477710962 CEST	58148	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.487025023 CEST	53	58148	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.659379959 CEST	61507	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.659379959 CEST	50595	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.666868925 CEST	53	61507	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.700408936 CEST	64207	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.707474947 CEST	53	64207	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.711261034 CEST	62140	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.711810112 CEST	61185	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.719722033 CEST	53	62140	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.719950914 CEST	53	61185	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:41.721353054 CEST	64738	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:41.728712082 CEST	53	64738	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.346925020 CEST	64344	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.346925020 CEST	59587	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.354155064 CEST	53	64344	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.354540110 CEST	53	59587	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.481050968 CEST	53818	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.481050968 CEST	63460	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.489532948 CEST	55722	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.490545988 CEST	53	63460	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.491992950 CEST	58689	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.497793913 CEST	53	55722	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.498656034 CEST	63788	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.503932953 CEST	53	58689	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.504445076 CEST	54675	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.506814957 CEST	53	63788	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.512664080 CEST	53	54675	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.567714930 CEST	60869	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.574975014 CEST	53	60869	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.579581976 CEST	50049	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.587521076 CEST	53	50049	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.590807915 CEST	51087	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.598659992 CEST	53	51087	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.692677021 CEST	63963	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.699604988 CEST	53	63963	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.721293926 CEST	49781	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.728996992 CEST	53	49781	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.734181881 CEST	56171	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.741272926 CEST	53	56171	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.762533903 CEST	62496	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.792435884 CEST	53	62324	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.903412104 CEST	56782	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.910903931 CEST	53	56782	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.911948919 CEST	60375	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.918752909 CEST	53	60375	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:42.919409990 CEST	56241	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:42.926444054 CEST	53	56241	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:43.158373117 CEST	63406	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:43.166130066 CEST	53	63406	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:43.166923046 CEST	61494	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:43.174108982 CEST	53	61494	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:46.858963966 CEST	56160	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:47.117780924 CEST	57832	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:47.125040054 CEST	53	57832	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:47.129573107 CEST	62485	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:47.136814117 CEST	53	62485	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:47.137972116 CEST	58756	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:47.148945093 CEST	53	58756	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:50.580097914 CEST	64466	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:50.586874008 CEST	53	64466	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:50.636874914 CEST	60325	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:50.644232988 CEST	53	60325	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:50.689917088 CEST	55961	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:50.697387934 CEST	53	55961	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:50.729686975 CEST	60101	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:50.738267899 CEST	53	60101	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:55.195421934 CEST	63487	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:55.203994036 CEST	53	63487	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:56.520993948 CEST	55937	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:56.528991938 CEST	53	55937	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:58.273967028 CEST	64961	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:58.273967028 CEST	49573	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:58.274323940 CEST	62697	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:58.281009912 CEST	53	64961	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:58.281450987 CEST	53	62697	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:58.281758070 CEST	53	49573	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.107569933 CEST	60476	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.107569933 CEST	52091	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.107990026 CEST	57353	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.115310907 CEST	53	52091	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.116300106 CEST	53	57353	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.116364002 CEST	53	60476	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.117376089 CEST	57439	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.117635012 CEST	60694	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.117635012 CEST	49422	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.124602079 CEST	53	57439	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.124737024 CEST	53	49422	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.125408888 CEST	50469	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.125754118 CEST	54357	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.125910997 CEST	53	60694	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.132841110 CEST	53	54357	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.133250952 CEST	53	50469	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.133380890 CEST	60389	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.142879963 CEST	53	60389	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.143400908 CEST	51401	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.151396036 CEST	53	51401	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.181902885 CEST	58679	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.189563036 CEST	53	58679	1.1.1.1	192.168.2.5
Oct 10, 2024 18:02:59.192934990 CEST	57292	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:02:59.201869011 CEST	53	57292	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.125473976 CEST	53975	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.132716894 CEST	53	53975	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.133814096 CEST	49444	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.140996933 CEST	53	49444	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.590392113 CEST	63253	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.595136881 CEST	64522	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.599170923 CEST	57566	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.601614952 CEST	53	63253	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.609388113 CEST	53	64522	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.610341072 CEST	50499	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.618722916 CEST	53	50499	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.619249105 CEST	61160	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.627259016 CEST	53	61160	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.784296989 CEST	51646	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.792160034 CEST	53	51646	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.796123028 CEST	51612	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.803365946 CEST	53	51612	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:09.825297117 CEST	55245	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:09.833175898 CEST	53	55245	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:29.761750937 CEST	60723	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:29.770306110 CEST	53	60723	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:40.053667068 CEST	65097	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:03:40.062644958 CEST	53	65097	1.1.1.1	192.168.2.5
Oct 10, 2024 18:03:40.532556057 CEST	60274	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:04:10.611136913 CEST	50246	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:04:10.624258041 CEST	53	50246	1.1.1.1	192.168.2.5
Oct 10, 2024 18:04:10.625792980 CEST	62090	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:04:10.633559942 CEST	53	62090	1.1.1.1	192.168.2.5
Oct 10, 2024 18:05:31.561881065 CEST	54121	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:05:31.570910931 CEST	53	54121	1.1.1.1	192.168.2.5
Oct 10, 2024 18:05:31.577729940 CEST	62791	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:05:31.586211920 CEST	53	62791	1.1.1.1	192.168.2.5
Oct 10, 2024 18:05:31.588936090 CEST	65487	53	192.168.2.5	1.1.1.1
Oct 10, 2024 18:05:31.596491098 CEST	53	65487	1.1.1.1	192.168.2.5
Oct 10, 2024 18:05:32.064668894 CEST	49480	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 18:02:41.468043089 CEST	192.168.2.5	1.1.1.1	0x55a5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.477710962 CEST	192.168.2.5	1.1.1.1	0x15f5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:41.659379959 CEST	192.168.2.5	1.1.1.1	0xf099	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.659379959 CEST	192.168.2.5	1.1.1.1	0x79cd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.700408936 CEST	192.168.2.5	1.1.1.1	0x24f2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.711261034 CEST	192.168.2.5	1.1.1.1	0x8185	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.711810112 CEST	192.168.2.5	1.1.1.1	0xbe6f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:41.721353054 CEST	192.168.2.5	1.1.1.1	0xb1fa	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:42.346925020 CEST	192.168.2.5	1.1.1.1	0xcc4d	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.346925020 CEST	192.168.2.5	1.1.1.1	0xcfaf	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.481050968 CEST	192.168.2.5	1.1.1.1	0xcee3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.481050968 CEST	192.168.2.5	1.1.1.1	0x99f4	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.489532948 CEST	192.168.2.5	1.1.1.1	0x9cdc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.491992950 CEST	192.168.2.5	1.1.1.1	0x76a5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.498656034 CEST	192.168.2.5	1.1.1.1	0xf181	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:42.504445076 CEST	192.168.2.5	1.1.1.1	0x6f1	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:42.567714930 CEST	192.168.2.5	1.1.1.1	0x8682	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.579581976 CEST	192.168.2.5	1.1.1.1	0x2ad9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.590807915 CEST	192.168.2.5	1.1.1.1	0x9aec	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:42.692677021 CEST	192.168.2.5	1.1.1.1	0x3c98	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.721293926 CEST	192.168.2.5	1.1.1.1	0x3f59	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.734181881 CEST	192.168.2.5	1.1.1.1	0xffd	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:42.762533903 CEST	192.168.2.5	1.1.1.1	0x9db1	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.903412104 CEST	192.168.2.5	1.1.1.1	0x560c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.911948919 CEST	192.168.2.5	1.1.1.1	0x950f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.919409990 CEST	192.168.2.5	1.1.1.1	0x2f47	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:43.158373117 CEST	192.168.2.5	1.1.1.1	0x73c5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:43.166923046 CEST	192.168.2.5	1.1.1.1	0x8c8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:46.858963966 CEST	192.168.2.5	1.1.1.1	0x8c2c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:47.117780924 CEST	192.168.2.5	1.1.1.1	0x63c5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:47.129573107 CEST	192.168.2.5	1.1.1.1	0x71f5	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:47.137972116 CEST	192.168.2.5	1.1.1.1	0x6ddc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:50.580097914 CEST	192.168.2.5	1.1.1.1	0xcc28	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:50.636874914 CEST	192.168.2.5	1.1.1.1	0x7b59	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:50.689917088 CEST	192.168.2.5	1.1.1.1	0x9cc8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:50.729686975 CEST	192.168.2.5	1.1.1.1	0xfbfb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:02:55.195421934 CEST	192.168.2.5	1.1.1.1	0x98f7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:56.520993948 CEST	192.168.2.5	1.1.1.1	0x4856	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:58.273967028 CEST	192.168.2.5	1.1.1.1	0xe22e	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.273967028 CEST	192.168.2.5	1.1.1.1	0x2eeb	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.274323940 CEST	192.168.2.5	1.1.1.1	0x3386	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.107569933 CEST	192.168.2.5	1.1.1.1	0x2755	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.107569933 CEST	192.168.2.5	1.1.1.1	0x6ccd	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.107990026 CEST	192.168.2.5	1.1.1.1	0xd089	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.117376089 CEST	192.168.2.5	1.1.1.1	0x1e55	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:59.117635012 CEST	192.168.2.5	1.1.1.1	0x198c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 10, 2024 18:02:59.117635012 CEST	192.168.2.5	1.1.1.1	0xf345	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:59.125408888 CEST	192.168.2.5	1.1.1.1	0xdfe0	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.125754118 CEST	192.168.2.5	1.1.1.1	0xeb43	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133380890 CEST	192.168.2.5	1.1.1.1	0xd274	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.143400908 CEST	192.168.2.5	1.1.1.1	0x2411	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 10, 2024 18:02:59.181902885 CEST	192.168.2.5	1.1.1.1	0xdedb	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.192934990 CEST	192.168.2.5	1.1.1.1	0x48b7	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 10, 2024 18:03:09.125473976 CEST	192.168.2.5	1.1.1.1	0xc4ef	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.133814096 CEST	192.168.2.5	1.1.1.1	0xfd67	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:03:09.590392113 CEST	192.168.2.5	1.1.1.1	0x1615	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 18:03:09.595136881 CEST	192.168.2.5	1.1.1.1	0xee6d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.599170923 CEST	192.168.2.5	1.1.1.1	0x7a53	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.610341072 CEST	192.168.2.5	1.1.1.1	0xce63	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.619249105 CEST	192.168.2.5	1.1.1.1	0x8184	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 10, 2024 18:03:09.784296989 CEST	192.168.2.5	1.1.1.1	0xd62f	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.796123028 CEST	192.168.2.5	1.1.1.1	0x3655	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.825297117 CEST	192.168.2.5	1.1.1.1	0x4edb	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:03:29.761750937 CEST	192.168.2.5	1.1.1.1	0xf720	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:03:40.053667068 CEST	192.168.2.5	1.1.1.1	0x343e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:03:40.532556057 CEST	192.168.2.5	1.1.1.1	0xbeb7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:04:10.611136913 CEST	192.168.2.5	1.1.1.1	0x7cc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:04:10.625792980 CEST	192.168.2.5	1.1.1.1	0xbeb8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:05:31.561881065 CEST	192.168.2.5	1.1.1.1	0x4143	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:05:31.577729940 CEST	192.168.2.5	1.1.1.1	0x116b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:05:31.588936090 CEST	192.168.2.5	1.1.1.1	0x6059	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 18:05:32.064668894 CEST	192.168.2.5	1.1.1.1	0x25e4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 18:02:41.465044022 CEST	1.1.1.1	192.168.2.5	0x9f7b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.476788044 CEST	1.1.1.1	192.168.2.5	0x55a5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.666868925 CEST	1.1.1.1	192.168.2.5	0xf099	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.666883945 CEST	1.1.1.1	192.168.2.5	0x79cd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:41.666883945 CEST	1.1.1.1	192.168.2.5	0x79cd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.707474947 CEST	1.1.1.1	192.168.2.5	0x24f2	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.719722033 CEST	1.1.1.1	192.168.2.5	0x8185	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:41.719950914 CEST	1.1.1.1	192.168.2.5	0xbe6f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:41.728712082 CEST	1.1.1.1	192.168.2.5	0xb1fa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 10, 2024 18:02:42.354155064 CEST	1.1.1.1	192.168.2.5	0xcc4d	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.354540110 CEST	1.1.1.1	192.168.2.5	0xcfaf	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.354540110 CEST	1.1.1.1	192.168.2.5	0xcfaf	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.488389015 CEST	1.1.1.1	192.168.2.5	0x8aaa	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.488389015 CEST	1.1.1.1	192.168.2.5	0x8aaa	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.490545988 CEST	1.1.1.1	192.168.2.5	0x99f4	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.491705894 CEST	1.1.1.1	192.168.2.5	0xcee3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.491705894 CEST	1.1.1.1	192.168.2.5	0xcee3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.497793913 CEST	1.1.1.1	192.168.2.5	0x9cdc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.503932953 CEST	1.1.1.1	192.168.2.5	0x76a5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.574975014 CEST	1.1.1.1	192.168.2.5	0x8682	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.574975014 CEST	1.1.1.1	192.168.2.5	0x8682	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.587521076 CEST	1.1.1.1	192.168.2.5	0x2ad9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.699604988 CEST	1.1.1.1	192.168.2.5	0x3c98	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.699604988 CEST	1.1.1.1	192.168.2.5	0x3c98	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.699604988 CEST	1.1.1.1	192.168.2.5	0x3c98	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.728996992 CEST	1.1.1.1	192.168.2.5	0x3f59	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.741272926 CEST	1.1.1.1	192.168.2.5	0xffd	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 10, 2024 18:02:42.770163059 CEST	1.1.1.1	192.168.2.5	0x9db1	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:42.910903931 CEST	1.1.1.1	192.168.2.5	0x560c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:42.918752909 CEST	1.1.1.1	192.168.2.5	0x950f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:43.157087088 CEST	1.1.1.1	192.168.2.5	0x25d4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:43.166130066 CEST	1.1.1.1	192.168.2.5	0x73c5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:44.603214979 CEST	1.1.1.1	192.168.2.5	0xb501	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:46.867536068 CEST	1.1.1.1	192.168.2.5	0x8c2c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:46.867536068 CEST	1.1.1.1	192.168.2.5	0x8c2c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:47.125040054 CEST	1.1.1.1	192.168.2.5	0x63c5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:47.125040054 CEST	1.1.1.1	192.168.2.5	0x63c5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:47.136814117 CEST	1.1.1.1	192.168.2.5	0x71f5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:50.585706949 CEST	1.1.1.1	192.168.2.5	0xc02d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:50.585706949 CEST	1.1.1.1	192.168.2.5	0xc02d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:50.644232988 CEST	1.1.1.1	192.168.2.5	0x7b59	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:50.644232988 CEST	1.1.1.1	192.168.2.5	0x7b59	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:50.644232988 CEST	1.1.1.1	192.168.2.5	0x7b59	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:50.697387934 CEST	1.1.1.1	192.168.2.5	0x9cc8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281009912 CEST	1.1.1.1	192.168.2.5	0xe22e	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281450987 CEST	1.1.1.1	192.168.2.5	0x3386	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281450987 CEST	1.1.1.1	192.168.2.5	0x3386	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281758070 CEST	1.1.1.1	192.168.2.5	0x2eeb	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:58.281758070 CEST	1.1.1.1	192.168.2.5	0x2eeb	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.115310907 CEST	1.1.1.1	192.168.2.5	0x6ccd	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116300106 CEST	1.1.1.1	192.168.2.5	0xd089	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.116364002 CEST	1.1.1.1	192.168.2.5	0x2755	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.124602079 CEST	1.1.1.1	192.168.2.5	0x1e55	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.124737024 CEST	1.1.1.1	192.168.2.5	0xf345	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.124737024 CEST	1.1.1.1	192.168.2.5	0xf345	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.124737024 CEST	1.1.1.1	192.168.2.5	0xf345	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.124737024 CEST	1.1.1.1	192.168.2.5	0xf345	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.125910997 CEST	1.1.1.1	192.168.2.5	0x198c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 10, 2024 18:02:59.132841110 CEST	1.1.1.1	192.168.2.5	0xeb43	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133250952 CEST	1.1.1.1	192.168.2.5	0xdfe0	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133250952 CEST	1.1.1.1	192.168.2.5	0xdfe0	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133250952 CEST	1.1.1.1	192.168.2.5	0xdfe0	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133250952 CEST	1.1.1.1	192.168.2.5	0xdfe0	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.133250952 CEST	1.1.1.1	192.168.2.5	0xdfe0	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.142879963 CEST	1.1.1.1	192.168.2.5	0xd274	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.189563036 CEST	1.1.1.1	192.168.2.5	0xdedb	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.189563036 CEST	1.1.1.1	192.168.2.5	0xdedb	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.189563036 CEST	1.1.1.1	192.168.2.5	0xdedb	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:02:59.189563036 CEST	1.1.1.1	192.168.2.5	0xdedb	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.132716894 CEST	1.1.1.1	192.168.2.5	0xc4ef	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.586540937 CEST	1.1.1.1	192.168.2.5	0xd309	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:09.586540937 CEST	1.1.1.1	192.168.2.5	0xd309	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.607608080 CEST	1.1.1.1	192.168.2.5	0x7a53	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:09.607608080 CEST	1.1.1.1	192.168.2.5	0x7a53	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.609388113 CEST	1.1.1.1	192.168.2.5	0xee6d	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.609388113 CEST	1.1.1.1	192.168.2.5	0xee6d	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.609388113 CEST	1.1.1.1	192.168.2.5	0xee6d	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.609388113 CEST	1.1.1.1	192.168.2.5	0xee6d	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.618722916 CEST	1.1.1.1	192.168.2.5	0xce63	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.618722916 CEST	1.1.1.1	192.168.2.5	0xce63	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.618722916 CEST	1.1.1.1	192.168.2.5	0xce63	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.618722916 CEST	1.1.1.1	192.168.2.5	0xce63	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.792160034 CEST	1.1.1.1	192.168.2.5	0xd62f	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:09.792160034 CEST	1.1.1.1	192.168.2.5	0xd62f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:09.803365946 CEST	1.1.1.1	192.168.2.5	0x3655	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:10.889070988 CEST	1.1.1.1	192.168.2.5	0xbdda	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:10.889070988 CEST	1.1.1.1	192.168.2.5	0xbdda	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:40.051839113 CEST	1.1.1.1	192.168.2.5	0x1427	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:03:40.541419983 CEST	1.1.1.1	192.168.2.5	0xbeb7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:03:40.541419983 CEST	1.1.1.1	192.168.2.5	0xbeb7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:04:10.624258041 CEST	1.1.1.1	192.168.2.5	0x7cc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:05:31.570910931 CEST	1.1.1.1	192.168.2.5	0x4143	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:05:31.586211920 CEST	1.1.1.1	192.168.2.5	0x116b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 18:05:32.073215961 CEST	1.1.1.1	192.168.2.5	0x25e4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 18:05:32.073215961 CEST	1.1.1.1	192.168.2.5	0x25e4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:41.734520912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:42.208030939 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62756 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:42.708332062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:42.817581892 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62756 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:42.504638910 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:42.856681108 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:43.337572098 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 09 Oct 2024 20:22:55 GMT Age: 70788 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49728	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:44.393465042 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:44.842703104 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62758 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:46.382584095 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:46.477304935 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62760 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:46.828989983 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62760 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:50.570534945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:50.665035009 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62764 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:55.304929018 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:55.403542995 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62769 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:56.746304035 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:56.842425108 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62770 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:02:59.231175900 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:02:59.326064110 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:00.094011068 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:00.188427925 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62774 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:09.598834991 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:09.693757057 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62783 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:10.080291986 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:10.175256968 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:10.264786005 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:10.362976074 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:10.847152948 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:10.942506075 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:11.264321089 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:20.957772970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:03:21.406948090 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:21.503612995 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62795 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:30.249294043 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:30.344315052 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62804 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:40.348587036 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:03:40.532340050 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:03:40.627572060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62814 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:03:50.628878117 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:00.642585039 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:10.718683004 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:11.133877039 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:04:11.229008913 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62845 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 18:04:21.234107018 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:31.383656979 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:41.390096903 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:51.403570890 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:05:01.430773020 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:05:32.064384937 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 18:05:32.162587881 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 22:36:46 GMT Age: 62926 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49732	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:46.345716953 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:46.829416990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39122 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49735	34.107.221.82	80	6488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 18:02:46.869138956 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:47.318506956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39123 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:02:55.283771992 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:55.400571108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39131 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:02:56.654970884 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:56.751334906 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39132 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:02:59.114413977 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:59.218769073 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39135 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:02:59.354485035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:02:59.450767994 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39135 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:00.193873882 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:00.308440924 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39136 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:09.776187897 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:09.871943951 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39145 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:10.178298950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:10.275774002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39146 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:10.364922047 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:10.463658094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39146 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:10.947191000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:11.158063889 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:11.349919081 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39147 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:21.359018087 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:03:21.507334948 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:21.604536057 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39157 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:30.347548962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:30.443515062 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39166 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:40.448890924 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:03:40.631577015 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:03:40.727415085 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39176 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:03:50.729280949 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:00.743029118 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:10.749977112 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:11.232652903 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:04:11.333607912 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39207 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 18:04:21.334429979 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:31.383723021 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:41.390110970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:04:51.403507948 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:05:01.430795908 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 18:05:32.165997982 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 18:05:32.261780977 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 39288 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	12:02:33
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3a0000
File size:	919'552 bytes
MD5 hash:	C9C34B72EAD9CDBE82B54D3AF0BA0861
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:02:33
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:02:33
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:02:35
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:02:35
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:02:36
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:02:37
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2056 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef464ed5-9094-4688-a292-80196e98cb86} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6e910 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:02:40
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -parentBuildID 20230927232528 -prefsHandle 3868 -prefMapHandle 3888 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a61a49-e04c-49ed-bb6c-48c4ab798e72} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 20492a9ba10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:02:46
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3188 -prefMapHandle 3200 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acbe668f-b23f-4d64-845f-e0072f837971} 6488 "\\.\pipe\gecko-crash-server-pipe.6488" 204fae6ed10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1567
Total number of Limit Nodes:	67

Executed Functions

Function 003A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003A430D

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

GetCurrentProcess.KERNEL32(?,0043CB64,00000000,?,?), ref: 003A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003A44A0

Strings

kernel32.dll, xrefs: 003A444F
GetNativeSystemInfo, xrefs: 003A4460
|O, xrefs: 003E36F8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 80f76c5144183cff18615aff95e68e2a92ab2c5c7b810a88973ac251a5498dd0
Instruction ID: cdcf4f6a6d0b7e20ba1d5d5dac765f50d4eb077023437fdc2d7c719203d33c94
Opcode Fuzzy Hash: 80f76c5144183cff18615aff95e68e2a92ab2c5c7b810a88973ac251a5498dd0
Instruction Fuzzy Hash: A2A1087190A2D0CFEB23CB7E7C845957FE4AB67300B0459B9E88D97AB1D2604598CB2D

Function 003A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003A50AA,?,?,00000000,00000000), ref: 003A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003A50AA,?,?,00000000,00000000), ref: 003A42C9
LoadResource.KERNEL32(?,00000000,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20), ref: 003E35BE
SizeofResource.KERNEL32(?,00000000,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20), ref: 003E35D3
LockResource.KERNEL32(003A50AA,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20,?), ref: 003E35E6

Strings

SCRIPT, xrefs: 003A42BF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 29a3bff3e50df57e2e631ecbd2f8507cb86ea37bfd3ffed449b3093406e551ad
Instruction ID: 2d974cbf590344a5b0d23954deaba7c48ba1bdf7a6e9264fd7edc7ef58a34b69
Opcode Fuzzy Hash: 29a3bff3e50df57e2e631ecbd2f8507cb86ea37bfd3ffed449b3093406e551ad
Instruction Fuzzy Hash: 56118E71640700BFE7228B65DC88F277BBDEBC6B51F204669F402E6290DBB1DC008761

Function 003E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003A2B6B

Part of subcall function 003A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00471418,?,003A2E7F,?,?,?,00000000), ref: 003A3A78

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00462224), ref: 003E2C10
ShellExecuteW.SHELL32(00000000,?,?,00462224), ref: 003E2C17

Strings

runas, xrefs: 003E2C0B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ed775a3ccbedc4b52cf397722dfa95dda5455879c216f49d6aa36586d5004133
Instruction ID: f4069fc6676403f453b5c9b0cf7cfc26fd9426af2c386dcc9e4da3cc31d3bf64
Opcode Fuzzy Hash: ed775a3ccbedc4b52cf397722dfa95dda5455879c216f49d6aa36586d5004133
Instruction Fuzzy Hash: 6311B4712083416BC706FF68D856AAE77A8DB93350F04542EF0466B0E2DF2585498716

Function 0040D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040D501
Process32FirstW.KERNEL32(00000000,?), ref: 0040D50F
Process32NextW.KERNEL32(00000000,?), ref: 0040D52F
CloseHandle.KERNELBASE(00000000), ref: 0040D5DC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b693cfdca4fd5914d2e54134a55a744e695d4ee230800fc65944f0ee1182426b
Instruction ID: 6f35c0ed5c1bd0b9cf7c778e18a94ff71c3c959c05fadc653c731fb0ad34abd0
Opcode Fuzzy Hash: b693cfdca4fd5914d2e54134a55a744e695d4ee230800fc65944f0ee1182426b
Instruction Fuzzy Hash: 8031A471508300AFD301EF54CC81AAFBBF8EF9A354F14092EF581A61A1EB759949CB92

Function 0040DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,003E5222), ref: 0040DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0040DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0040DBEE
FindClose.KERNEL32(00000000), ref: 0040DBFA

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 338ebca8c96b82a0103eaa10289bf229bf75e6dda892f0039f59740440dc1614
Instruction ID: eacd654cd97aa75b86b22268a6fe1f96077cac960eaf5d36f6bbc8f674144be0
Opcode Fuzzy Hash: 338ebca8c96b82a0103eaa10289bf229bf75e6dda892f0039f59740440dc1614
Instruction Fuzzy Hash: 0FF0A031C1892057D2206BB8AC4D8AB3B6C9E01334B144763F836E21E0EBB459598A9E

Function 003C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000,?,003D28E9), ref: 003C4D09
TerminateProcess.KERNEL32(00000000,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000,?,003D28E9), ref: 003C4D10
ExitProcess.KERNEL32 ref: 003C4D22

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 93fe0b7deb73769bff94b22c7359644a3b741bafb39efc746463e18fd6be8697
Instruction ID: 1da31d699d4df0efb848b0755c587ef74741236f732a029a14550f94c3b96726
Opcode Fuzzy Hash: 93fe0b7deb73769bff94b22c7359644a3b741bafb39efc746463e18fd6be8697
Instruction Fuzzy Hash: 84E0B631000148ABCF12BF64DD9EF983B69EB41791B114428FC06DA223CB36DD52DB84

Function 003ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#G, xrefs: 003F07CE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#G
API String ID: 3964851224-4255191568
Opcode ID: e86c19983e9cf3ecd24c47e6f2a864379d0386d07b6c0cdf2981371a2eeb5fba
Instruction ID: 3376a8036cddd53de087475e7f6a6b4bae4b74fdc83be9a64f91629ed482eaf8
Opcode Fuzzy Hash: e86c19983e9cf3ecd24c47e6f2a864379d0386d07b6c0cdf2981371a2eeb5fba
Instruction Fuzzy Hash: 00A27A706083018FCB16DF28C480B6AB7E5FF8A304F15996DE99A8B352D775EC45CB92

Function 0042AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0042B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0042B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0042B1D4
_wcslen.LIBCMT ref: 0042B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0042B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0042B236
_wcslen.LIBCMT ref: 0042B332

Part of subcall function 004105A7: GetStdHandle.KERNEL32(000000F6), ref: 004105C6

_wcslen.LIBCMT ref: 0042B34B
_wcslen.LIBCMT ref: 0042B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042B3B6
GetLastError.KERNEL32(00000000), ref: 0042B407
CloseHandle.KERNEL32(?), ref: 0042B439
CloseHandle.KERNEL32(00000000), ref: 0042B44A
CloseHandle.KERNEL32(00000000), ref: 0042B45C
CloseHandle.KERNEL32(00000000), ref: 0042B46E
CloseHandle.KERNEL32(?), ref: 0042B4E3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5b36c87e4737bd6237b64793bef696fbf8e8ba4d97fd2c20ffd10f7adcf92f6b
Instruction ID: 3e256a06a021b66105df92e2ac26b85da5bdd145f989dd33d768d28b2f7502b0
Opcode Fuzzy Hash: 5b36c87e4737bd6237b64793bef696fbf8e8ba4d97fd2c20ffd10f7adcf92f6b
Instruction Fuzzy Hash: 8FF188316043109FC715EF24D891B6BBBE1EF85314F18855EF8999B2A2DB38EC40CB96

Function 003AD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003AD807
timeGetTime.WINMM ref: 003ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB28
TranslateMessage.USER32(?), ref: 003ADB7B
DispatchMessageW.USER32(?), ref: 003ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB9F
Sleep.KERNELBASE(0000000A), ref: 003ADBB1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 06bd0989638a43698af56a4646b0508179786bc0106c0d47929bf48da6941a82
Instruction ID: 1a8c76cfe7be046366af91dc234b3d7a4a45ad4b9fa573ba6a15c709f6f8c126
Opcode Fuzzy Hash: 06bd0989638a43698af56a4646b0508179786bc0106c0d47929bf48da6941a82
Instruction Fuzzy Hash: 3542E370608345DFD72ACF24C884BBAB7E4FF46304F15452DE9968BAA1D774E844CB92

Function 003A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A2D07
RegisterClassExW.USER32(00000030), ref: 003A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A2D42
InitCommonControlsEx.COMCTL32(?), ref: 003A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A2D6F
LoadIconW.USER32(000000A9), ref: 003A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A2D94

Strings

AutoIt v3 GUI, xrefs: 003A2D23
+, xrefs: 003A2CF0
0, xrefs: 003A2CE9
TaskbarCreated, xrefs: 003A2D37

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2e91d89bf69aa7acc606c10636676af2d136dab7a4c64b4ba1fc5ae85b74d2ad
Instruction ID: 9d1f93faa09160f8171bbd717473f41909e3845400209a916113567fe63d2a9f
Opcode Fuzzy Hash: 2e91d89bf69aa7acc606c10636676af2d136dab7a4c64b4ba1fc5ae85b74d2ad
Instruction Fuzzy Hash: 6721F7B5911309AFDB00DFA8EC89BDDBBB4FB08700F00512AFA15B62A0D7B54580CF98

Function 003E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E039A: CreateFileW.KERNELBASE(00000000,00000000,?,003E0704,?,?,00000000,?,003E0704,00000000,0000000C), ref: 003E03B7

GetLastError.KERNEL32 ref: 003E076F
__dosmaperr.LIBCMT ref: 003E0776
GetFileType.KERNELBASE(00000000), ref: 003E0782
GetLastError.KERNEL32 ref: 003E078C
__dosmaperr.LIBCMT ref: 003E0795
CloseHandle.KERNEL32(00000000), ref: 003E07B5
CloseHandle.KERNEL32(?), ref: 003E08FF
GetLastError.KERNEL32 ref: 003E0931
__dosmaperr.LIBCMT ref: 003E0938

Strings

H, xrefs: 003E08BD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0bd8084db5d44302610fb767dcba0172da7c2ea6047a2b44a74e0f329bdf8110
Instruction ID: 560b104717e6a31760316768dff206fa5b6a794ceb119908bd7a4c0203eb45af
Opcode Fuzzy Hash: 0bd8084db5d44302610fb767dcba0172da7c2ea6047a2b44a74e0f329bdf8110
Instruction Fuzzy Hash: 51A11436A041948FDF1EAF68D891BAD7BA1AB06320F14025DF815EF3D1C7719C52CB91

Function 003A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00471418,?,003A2E7F,?,?,?,00000000), ref: 003A3A78

Part of subcall function 003A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003E31CE
RegCloseKey.ADVAPI32(?), ref: 003E3210
_wcslen.LIBCMT ref: 003E3277
_wcslen.LIBCMT ref: 003E3286

Strings

Include, xrefs: 003E3184, 003E31C5
Software\AutoIt v3\AutoIt, xrefs: 003A3560
\Include\, xrefs: 003A3527
\, xrefs: 003E328C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0938cbe35ee4710a2d761a0684cc2d676c73656cf85a32fce9b04e531b99b5b0
Instruction ID: 2c408468d568014130fa71f030f8fa657cc9c9da3a8608320814bdf864708215
Opcode Fuzzy Hash: 0938cbe35ee4710a2d761a0684cc2d676c73656cf85a32fce9b04e531b99b5b0
Instruction Fuzzy Hash: A3719F714043109EC315EF75DD859ABBBE8FF89340F40493EF9899B1A0DBB49A88CB55

Function 003A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003A2B9D
LoadIconW.USER32(00000063), ref: 003A2BB3
LoadIconW.USER32(000000A4), ref: 003A2BC5
LoadIconW.USER32(000000A2), ref: 003A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003A2BEF
RegisterClassExW.USER32(?), ref: 003A2C40

Part of subcall function 003A2CD4: GetSysColorBrush.USER32(0000000F), ref: 003A2D07
Part of subcall function 003A2CD4: RegisterClassExW.USER32(00000030), ref: 003A2D31
Part of subcall function 003A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A2D42
Part of subcall function 003A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003A2D5F
Part of subcall function 003A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A2D6F
Part of subcall function 003A2CD4: LoadIconW.USER32(000000A9), ref: 003A2D85
Part of subcall function 003A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A2D94

Strings

AutoIt v3, xrefs: 003A2C2F
0, xrefs: 003A2C0F
#, xrefs: 003A2C16

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4adc9efb5ae31bdbb09749e1cab7112eaf8700756627255d7f0f6847f29b75fa
Instruction ID: 2c00c2c114d2e1e558f8aa06a07151190baddfe3c30ff11228ad8e7262e553d4
Opcode Fuzzy Hash: 4adc9efb5ae31bdbb09749e1cab7112eaf8700756627255d7f0f6847f29b75fa
Instruction Fuzzy Hash: F3211A75E00314ABEB109FA9EC95A9D7FB4FB48B50F00403AE909B66B0D7B54584CF98

Function 003AB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003ABB4E

Strings

p#G, xrefs: 003F024F
p%G, xrefs: 003AB8DC
p#G, xrefs: 003ABA72
p#G, xrefs: 003ABB6B
p%G, xrefs: 003ABB32
x#G, xrefs: 003F0207
p#G, xrefs: 003F0263
x#G, xrefs: 003F0168

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#G$p#G$p#G$p#G$p%G$p%G$x#G$x#G
API String ID: 1385522511-3712610045
Opcode ID: bb3cfed592a1f3494150f6a3c457e00e1ed82ea9352824af1ca336c2f262f944
Instruction ID: 7c7bd196ce397c275b52509b8aa01087a4c86087a3e6dab719a1444dc3629abe
Opcode Fuzzy Hash: bb3cfed592a1f3494150f6a3c457e00e1ed82ea9352824af1ca336c2f262f944
Instruction Fuzzy Hash: 5932E334A00209EFDB16CF58C994BBEB7B9EF46304F15805AEA05AB752C778ED81CB51

Function 003A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003A316A,?,?), ref: 003A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003A316A,?,?), ref: 003A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003A316A,?,?), ref: 003A3232
CreatePopupMenu.USER32 ref: 003A3246
PostQuitMessage.USER32(00000000), ref: 003A3267

Strings

TaskbarCreated, xrefs: 003A322D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 79c9b1b4d43253059b669159bc2de4c4a6ee45f5c47f9d00013a46e0c9be91c7
Instruction ID: 59ca47818344c43c145c82a28e3e0bae1430118aebcb1a170891f1309a38afff
Opcode Fuzzy Hash: 79c9b1b4d43253059b669159bc2de4c4a6ee45f5c47f9d00013a46e0c9be91c7
Instruction Fuzzy Hash: F5414971240204ABDB172B7CDD4EBBA361DEB47340F044236FA1A965F1C774CA40C7A9

Function 003A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003A1459
CoUninitialize.COMBASE ref: 003A14F8
UnregisterHotKey.USER32(?), ref: 003A16DD
DestroyWindow.USER32(?), ref: 003E24B9
FreeLibrary.KERNEL32(?), ref: 003E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003E254B

Strings

close all, xrefs: 003A1454

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 508add6494654ae4f9ad3598ff1528124bc39dbf67aa16babb7b5f68f7f86b53
Instruction ID: 2e789b8f4a6f77f389c3cfba5d32c70034950b250a79481622e5e16a7757b6ac
Opcode Fuzzy Hash: 508add6494654ae4f9ad3598ff1528124bc39dbf67aa16babb7b5f68f7f86b53
Instruction Fuzzy Hash: C7D16E317012228FCB1AEF16C995B69F7A8FF06700F1542ADE54AAB691CB30AD12CF54

Function 003A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003A1CAD,?), ref: 003A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003A1CAD,?), ref: 003A2CCF

Strings

AutoIt v3, xrefs: 003A2C89, 003A2C8E, 003A2C8F
edit, xrefs: 003A2CAC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2864110aea37e5732fb0e4da754934255917eba41f29c7d338f1483ea0547595
Instruction ID: 465c1ced99c810d649d683867ade72394af663f0cfb0c8c54b47cf9a3499a597
Opcode Fuzzy Hash: 2864110aea37e5732fb0e4da754934255917eba41f29c7d338f1483ea0547595
Instruction Fuzzy Hash: 9FF03A755403907AFB30072BAC49F773EBDD7CAF60F01506AFD08A21B0C2650880DAB8

Function 003A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B83

Strings

Control Panel\Mouse, xrefs: 003A3B3E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bc186017000da769ea1d4f598cb95283b8be314b4ace8ba69a4d55f3423ac4e7
Instruction ID: e43473a988141a97bb16a64f98eec393747a4b869a1f49d98577e0554e0ed4c0
Opcode Fuzzy Hash: bc186017000da769ea1d4f598cb95283b8be314b4ace8ba69a4d55f3423ac4e7
Instruction Fuzzy Hash: B7112AB5511208FFDB218FA5DC85AAEB7BDEF05744B114469B805E7110D3319E409764

Function 003A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003E33A2

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003A3A04

Strings

Line: , xrefs: 003E33EB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 741552b749f02840edc83ef46af749ee772da4e34d3b5d21121ea63d90488da8
Instruction ID: f64b7998e09ada30084848c292368d55a2cbdb2fe2bd882a687536550c1eb47a
Opcode Fuzzy Hash: 741552b749f02840edc83ef46af749ee772da4e34d3b5d21121ea63d90488da8
Instruction Fuzzy Hash: 6331C271508310AAD722EB24DC4AFEBB7ECEB42710F10452EF599970E1DB749A48C7D6

Function 003A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003E2C8C

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 003A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A2DC4

Strings

`eF, xrefs: 003E2C85
X, xrefs: 003E2C5A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eF
API String ID: 779396738-787741465
Opcode ID: 4c51e7255c510f98c37293877abe612a7bed420b3ab6f1d105758feb170243ff
Instruction ID: a9e80ff8c06d5e0fd9da3f3464549ec3711bce461d9d70c40a7a78e3cfd638ce
Opcode Fuzzy Hash: 4c51e7255c510f98c37293877abe612a7bed420b3ab6f1d105758feb170243ff
Instruction Fuzzy Hash: 4621A871A00298AFDB02DF99C845BDE7BFCDF49304F00805AE405FB241DBB859898FA5

Function 003BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003C0668

Part of subcall function 003C32A4: RaiseException.KERNEL32(?,?,?,003C068A,?,00471444,?,?,?,?,?,?,003C068A,003A1129,00468738,003A1129), ref: 003C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 003C0685

Strings

Unknown exception, xrefs: 003C0692

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3cf96ad30d0e81ef45091c120429cbddcbf23e232a18a41d9b0032e66bb5587c
Instruction ID: af8b2ec75f7de125852767287f24a0f7cc3c61454f8bebe479270d07e98a6bb6
Opcode Fuzzy Hash: 3cf96ad30d0e81ef45091c120429cbddcbf23e232a18a41d9b0032e66bb5587c
Instruction Fuzzy Hash: 0EF0C23490024DBB8F06BAA4DC4AE9E7B6C9E00314F60853DB914DA995EF71DE29C781

Function 003A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A1BF4
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003A1BFC
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A1C07
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A1C12
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003A1C1A
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003A1C22

Part of subcall function 003A1B4A: RegisterWindowMessageW.USER32(00000004,?,003A12C4), ref: 003A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003A136A
OleInitialize.OLE32 ref: 003A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003E24AB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2e097b47c4903157907b47f4e33bbf2a59778fcbd0697762814de0b78037853b
Instruction ID: c6518eb75e90e5a02f999334ac52cde565d2b57cdb365a05410f88278e4516b5
Opcode Fuzzy Hash: 2e097b47c4903157907b47f4e33bbf2a59778fcbd0697762814de0b78037853b
Instruction Fuzzy Hash: F571B9B4921200AFC388EF7EA9866953BE4FB89344B15863ED00EDB271EB344484CF4D

Function 0040C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0040C259
KillTimer.USER32(?,00000001,?,?), ref: 0040C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040C270

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ea9c976d050e3e5412e5ea67c42e4d407f1236bf62de37432102206b884f4bcd
Instruction ID: 7949a343860ce786be424aada221ba9115aefebeda20f92d76ea44e9c482b366
Opcode Fuzzy Hash: ea9c976d050e3e5412e5ea67c42e4d407f1236bf62de37432102206b884f4bcd
Instruction Fuzzy Hash: 71319570904344EFEB229F648895BEBBBEC9F16304F0004EEE5DAA7281C7785A85CB55

Function 003D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003D85CC,?,00468CC8,0000000C), ref: 003D8704
GetLastError.KERNEL32(?,003D85CC,?,00468CC8,0000000C), ref: 003D870E
__dosmaperr.LIBCMT ref: 003D8739

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 0c98094c782ac643098b8748da5b7605d2af1fde983ae1f54c227ee1e92b0946
Instruction ID: e12fab6a0cd84eb7ac4b9f5cf054dfb45fa72814efe36dd01515ec44b9c9d415
Opcode Fuzzy Hash: 0c98094c782ac643098b8748da5b7605d2af1fde983ae1f54c227ee1e92b0946
Instruction Fuzzy Hash: C0014E37B0566026D72767347845B7E6B498B81774F3A011BF9189F3D2DEA0EC818294

Function 003ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 003ADB7B
DispatchMessageW.USER32(?), ref: 003ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB9F
Sleep.KERNELBASE(0000000A), ref: 003ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 003F1CC9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7bd427fac42ef2a2bdae29674f91f99417cf23808983abd87f0af67cb0676894
Instruction ID: 4516ea2ad11b25deee93b31bfd9386b85b4b359f68778fc2327137e7c085415c
Opcode Fuzzy Hash: 7bd427fac42ef2a2bdae29674f91f99417cf23808983abd87f0af67cb0676894
Instruction Fuzzy Hash: 58F05E306043459BE731DB649C99FEA73ACEB45310F114929E65A934D0DB3494888B2A

Function 003B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003B17F6

Strings

CALL, xrefs: 003B17C6

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6563e05bec1eef71de5b1a4e72ae81f610dde5ff0bd0a693500a30d89e7f0eb4
Instruction ID: 0639a38b6c6cd5934bacb601d8efe78c28dd7b76c59f23aadc0f46865f7489d6
Opcode Fuzzy Hash: 6563e05bec1eef71de5b1a4e72ae81f610dde5ff0bd0a693500a30d89e7f0eb4
Instruction Fuzzy Hash: 4B22AD70608201DFC716DF14C491BAABBF5BF85318F64892DF68A8BB61D731E941CB92

Function 003A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A3908

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c6d11adb32d7aff48f6b11e406b1c4b164f41a7668d42a30b23e61e1d6513f9f
Instruction ID: 11a8e26e2dd0d818e9eadfcab6f7187151542f6f884b495973a037bcbe69d972
Opcode Fuzzy Hash: c6d11adb32d7aff48f6b11e406b1c4b164f41a7668d42a30b23e61e1d6513f9f
Instruction Fuzzy Hash: 2831A570504301DFE722DF34D885B97BBE8FB4A708F00092EF99997290E775AA48CB56

Function 003BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003BF661

Part of subcall function 003AD730: GetInputState.USER32 ref: 003AD807

Sleep.KERNEL32(00000000), ref: 003FF2DE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b2bc3b135ac76886bbebc8f9900d954e200fa6890ef56debc849f8396420837e
Instruction ID: a00e1ccaa56ff793792efda6ac35d1c1518ef7f72d53c3a50e81b0c80f1c43f3
Opcode Fuzzy Hash: b2bc3b135ac76886bbebc8f9900d954e200fa6890ef56debc849f8396420837e
Instruction Fuzzy Hash: 14F08C31240205AFD314EF69D859B6AF7E9EF4A760F004029E85ADB662DB70A800CB94

Function 003A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E9C
Part of subcall function 003A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003A4EAE
Part of subcall function 003A4E90: FreeLibrary.KERNEL32(00000000,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EFD

Part of subcall function 003A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E62
Part of subcall function 003A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003A4E74
Part of subcall function 003A4E59: FreeLibrary.KERNEL32(00000000,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E87

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ba1bd3ddf41ccfa678505a0c8d679d6a269b88e5f718757bdadafc8ed8052207
Instruction ID: 20a8487d3c7f4310591515319ba4576a231d6d0125a39c0deae1ec74c1e683a4
Opcode Fuzzy Hash: ba1bd3ddf41ccfa678505a0c8d679d6a269b88e5f718757bdadafc8ed8052207
Instruction Fuzzy Hash: 2D110132600205AACB12AB60D802FAD77A4EF81B10F20842EF452AB1C1EEB4EE049750

Function 003D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003D8440

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 94e140ac6038e3a8f89346420663afa80568034fefd4cd3c51180d272adfe946
Instruction ID: 84dc87165609e32621877e202841756117207cfa907e72029458463143146815
Opcode Fuzzy Hash: 94e140ac6038e3a8f89346420663afa80568034fefd4cd3c51180d272adfe946
Instruction Fuzzy Hash: 78111C7690410AAFCB06DF59E94199A7BF9EF48314F11405AF808AB312D731EA11CB65

Function 003CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 72986ef49783b265399a673e6924910dae80ce86354ce7ba80e4fc38d0c0104e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8CF0D132521A10AAC6333A79AC05F5A339C9F62330F11072EF421DA2D2DB74AC1187A5

Function 003D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f6ae54e89b57b78a65adf107f11770a6a1014cd6cd2b4bc95a179b186ffd4fc3
Instruction ID: 90c8ad2ed99ca276e8d5bd9b4f78747b2225b28587bec2fbb88f71be7df83c8d
Opcode Fuzzy Hash: f6ae54e89b57b78a65adf107f11770a6a1014cd6cd2b4bc95a179b186ffd4fc3
Instruction Fuzzy Hash: E9E0E53310022456E6232676BC00F9A364AAF427B0F0A0036BC04DAA90CB50DD05A3E3

Function 003A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4F6D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e7edcfde07b5f98b32614195dae37e6124f3ff95ff9f8254532781acdab52028
Instruction ID: 826923d22e4ce24a2c83aef1c05b20236eddb9df059cbebdc79dce0c57dcfea9
Opcode Fuzzy Hash: e7edcfde07b5f98b32614195dae37e6124f3ff95ff9f8254532781acdab52028
Instruction Fuzzy Hash: 9CF0A971005342CFCB368F20E490822BBE4EF52329320997EE1EA82A20C7B19844EF00

Function 00432A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00432A66

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d740433bc5bd38899fc5a33252d20667af28adae5f88065add8b1ed3379d19a7
Instruction ID: 29f3da946227c8c0c46a3e3212c093135329c685d6ae0c8d1b59014e98e022ff
Opcode Fuzzy Hash: d740433bc5bd38899fc5a33252d20667af28adae5f88065add8b1ed3379d19a7
Instruction Fuzzy Hash: 3EE0DF72350116ABC710FB31EC808FA735CEF54799B00003BEC16D2180DB78899286AC

Function 003A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 003A314E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d5cc10bc45f6a3ad8c3df7c2a621867ecb3f1c91b9df079047a32cf6b82d7947
Instruction ID: 4064b8524fd793c6eec0457b24894c8826c8ebaa35d31cf0f335e74b4038ac5e
Opcode Fuzzy Hash: d5cc10bc45f6a3ad8c3df7c2a621867ecb3f1c91b9df079047a32cf6b82d7947
Instruction Fuzzy Hash: A6F037709143549FE7539B24DC4A7D67BBCAB01708F0000F9A54C96292DB745BC8CF55

Function 003A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A2DC4

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4da607989bd34ce89b3bf099a032f71b0d4d98cc5abe2792d2f7d47693f59373
Instruction ID: 61859b6f21a0532f0c9cc6c4f25f510b391034b77de347219e4f10aeeca5d67b
Opcode Fuzzy Hash: 4da607989bd34ce89b3bf099a032f71b0d4d98cc5abe2792d2f7d47693f59373
Instruction Fuzzy Hash: A9E0CD72A001345BCB1192599C06FDA77DDDFC8790F0401B1FD09E7248D970AD808690

Function 003A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A3908

Part of subcall function 003AD730: GetInputState.USER32 ref: 003AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003A2B6B

Part of subcall function 003A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003A314E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 40105a84da426a120d47af4c379d7a71dd7ba7e09ef3366b7a40b2a59c41c0b8
Instruction ID: 73af5e25fa73d7516651bf0732cc5c6ec47f1b4057899e6c1d671e70cb41094c
Opcode Fuzzy Hash: 40105a84da426a120d47af4c379d7a71dd7ba7e09ef3366b7a40b2a59c41c0b8
Instruction Fuzzy Hash: 17E0CD3230424407C60ABB78A8565BDB75DDBD3351F40557FF14B5B173CF2945494356

Function 003E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,003E0704,?,?,00000000,?,003E0704,00000000,0000000C), ref: 003E03B7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64d40dd1055565d91e0d6b855dffacbed11a5f71b1a134baf78bacda0cdbd98d
Instruction ID: e085694b419872800f02f588c92dbceb6e1c876956b1efe74cdf8b08804c0ced
Opcode Fuzzy Hash: 64d40dd1055565d91e0d6b855dffacbed11a5f71b1a134baf78bacda0cdbd98d
Instruction Fuzzy Hash: 99D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1866060C732E821AB94

Function 003A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003A1CBC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 913f3613021674956c8c23ecfb34686b951f56ace3d3b06f65f547864e941051
Instruction ID: 343724beb48bf14f96c1e852fb7eb7e43ccd915cfa3d6725f76d8c2fd65da39e
Opcode Fuzzy Hash: 913f3613021674956c8c23ecfb34686b951f56ace3d3b06f65f547864e941051
Instruction Fuzzy Hash: D7C09236280314FFF2148B94BD8AF107764A348B00F048021FA4EB95F3C3E228A0EB68

Non-executed Functions

Function 00439576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0043961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0043965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0043969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004396C9
SendMessageW.USER32 ref: 004396F2
GetKeyState.USER32(00000011), ref: 0043978B
GetKeyState.USER32(00000009), ref: 00439798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004397AE
GetKeyState.USER32(00000010), ref: 004397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004397E9
SendMessageW.USER32 ref: 00439810
SendMessageW.USER32(?,00001030,?,00437E95), ref: 00439918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0043992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00439941
SetCapture.USER32(?), ref: 0043994A
ClientToScreen.USER32(?,?), ref: 004399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004399D6
ReleaseCapture.USER32 ref: 004399E1
GetCursorPos.USER32(?), ref: 00439A19
ScreenToClient.USER32(?,?), ref: 00439A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00439A80
SendMessageW.USER32 ref: 00439AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00439AEB
SendMessageW.USER32 ref: 00439B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00439B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00439B4A
GetCursorPos.USER32(?), ref: 00439B68
ScreenToClient.USER32(?,?), ref: 00439B75
GetParent.USER32(?), ref: 00439B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00439BFA
SendMessageW.USER32 ref: 00439C2B
ClientToScreen.USER32(?,?), ref: 00439C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00439CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00439CDE
SendMessageW.USER32 ref: 00439D01
ClientToScreen.USER32(?,?), ref: 00439D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00439D82

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

GetWindowLongW.USER32(?,000000F0), ref: 00439E05

Strings

@GUI_DRAGID, xrefs: 0043997D
F, xrefs: 00439D07
p#G, xrefs: 00439990

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#G
API String ID: 3429851547-61952446
Opcode ID: 9d0530efc3e63decea99eeba50580244bc9a5ccfdcdb532e5eec79eb3b19aa62
Instruction ID: feee23764ab3c66a0769747eaf30d846cc9053322491584c606d39b9db18ff3a
Opcode Fuzzy Hash: 9d0530efc3e63decea99eeba50580244bc9a5ccfdcdb532e5eec79eb3b19aa62
Instruction Fuzzy Hash: 3942BD71205200AFD725CF28CC85AABBBE5FF4D310F10162AF6A9972A1D7B59C51CB4A

Function 00434873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00434908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00434927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0043494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0043495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0043497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00434A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00434A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00434A7E
IsMenu.USER32(?), ref: 00434A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00434AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00434B20
GetWindowLongW.USER32(?,000000F0), ref: 00434B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00434BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00434C82
wsprintfW.USER32 ref: 00434CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00434CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00434CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00434D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00434D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00434D5A

Strings

%d/%02d/%02d, xrefs: 00434CA8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 439260a1812d693670fe62628793441bc0840071fafe23c56f588c12fc15265a
Instruction ID: 7fdac37c030665c7e32f42a724f272cdcb57aab14a7d291fd6c8a917ceca05ba
Opcode Fuzzy Hash: 439260a1812d693670fe62628793441bc0840071fafe23c56f588c12fc15265a
Instruction Fuzzy Hash: 7512E171600214ABEB259F24CC49FEF7BF8EF89310F14612AF515EA2E1D778A941CB58

Function 003BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003FF474
IsIconic.USER32(00000000), ref: 003FF47D
ShowWindow.USER32(00000000,00000009), ref: 003FF48A
SetForegroundWindow.USER32(00000000), ref: 003FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FF4AA
GetCurrentThreadId.KERNEL32 ref: 003FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 003FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 003FF4DE
SetForegroundWindow.USER32(00000000), ref: 003FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF4F6
keybd_event.USER32(00000012,00000000), ref: 003FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF50B
keybd_event.USER32(00000012,00000000), ref: 003FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF519
keybd_event.USER32(00000012,00000000), ref: 003FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF528
keybd_event.USER32(00000012,00000000), ref: 003FF52D
SetForegroundWindow.USER32(00000000), ref: 003FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 003FF557

Strings

Shell_TrayWnd, xrefs: 003FF46F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6b06e0f39712d5070352faf18671764d8f8162ee722dfa37f0e1598015dd9611
Instruction ID: 46b3b043b5fc80bdd701ecf6cf8284e7c9aa59e8e22e036a4bd6732e6ea6843a
Opcode Fuzzy Hash: 6b06e0f39712d5070352faf18671764d8f8162ee722dfa37f0e1598015dd9611
Instruction Fuzzy Hash: 1F313071A40218BEEB216BB65C8AFBF7E6CEB44B50F111075FA05F61D1C6B19900AB64

Function 00401201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
Part of subcall function 004016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
Part of subcall function 004016C3: GetLastError.KERNEL32 ref: 0040174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00401286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004012A8
CloseHandle.KERNEL32(?), ref: 004012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004012D1
GetProcessWindowStation.USER32 ref: 004012EA
SetProcessWindowStation.USER32(00000000), ref: 004012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00401310

Part of subcall function 004010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004011FC), ref: 004010D4
Part of subcall function 004010BF: CloseHandle.KERNEL32(?,?,004011FC), ref: 004010E9

Strings

, xrefs: 0040125A
ZF, xrefs: 00401392
winsta0, xrefs: 004012CC
default, xrefs: 0040130B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZF
API String ID: 22674027-1819669305
Opcode ID: 525b7c4fa28b4f7800f9663e2464e50063cbd9c852f7761217ec1079fb9f4a20
Instruction ID: f9fe1a22c2db29e698cad879b23e9c9c158b185df71a6ce154cb395c089923f9
Opcode Fuzzy Hash: 525b7c4fa28b4f7800f9663e2464e50063cbd9c852f7761217ec1079fb9f4a20
Instruction Fuzzy Hash: AD816971900249ABDF219FA4DC89FEF7BB9AF04708F14413AF911B62B0D7798954CB29

Function 00400B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
Part of subcall function 004010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
Part of subcall function 004010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00400BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00400C00
GetLengthSid.ADVAPI32(?), ref: 00400C17
GetAce.ADVAPI32(?,00000000,?), ref: 00400C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00400C6D
GetLengthSid.ADVAPI32(?), ref: 00400C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00400C8C
HeapAlloc.KERNEL32(00000000), ref: 00400C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00400CB4
CopySid.ADVAPI32(00000000), ref: 00400CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00400CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00400D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00400D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D45
HeapFree.KERNEL32(00000000), ref: 00400D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D55
HeapFree.KERNEL32(00000000), ref: 00400D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D65
HeapFree.KERNEL32(00000000), ref: 00400D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00400D78
HeapFree.KERNEL32(00000000), ref: 00400D7F

Part of subcall function 00401193: GetProcessHeap.KERNEL32(00000008,00400BB1,?,00000000,?,00400BB1,?), ref: 004011A1
Part of subcall function 00401193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00400BB1,?), ref: 004011A8
Part of subcall function 00401193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00400BB1,?), ref: 004011B7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2cd5957a60591885642c0486859a59adfaa4e8d66f9b5f9bd9ecb2ec1aec4fff
Instruction ID: fffe7ad7052e07d99e2b3ebe6b53ed17f7e11b45c1041c63a94e00a57eb6335e
Opcode Fuzzy Hash: 2cd5957a60591885642c0486859a59adfaa4e8d66f9b5f9bd9ecb2ec1aec4fff
Instruction Fuzzy Hash: 0D71497690020AABEF109FE4DC84BAFBBB8BF04310F144526E915B6291D779AA05CB74

Function 0041EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0043CC08), ref: 0041EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0041EB37
GetClipboardData.USER32(0000000D), ref: 0041EB43
CloseClipboard.USER32 ref: 0041EB4F
GlobalLock.KERNEL32(00000000), ref: 0041EB87
CloseClipboard.USER32 ref: 0041EB91
GlobalUnlock.KERNEL32(00000000), ref: 0041EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0041EBC9
GetClipboardData.USER32(00000001), ref: 0041EBD1
GlobalLock.KERNEL32(00000000), ref: 0041EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0041EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0041EC38
GetClipboardData.USER32(0000000F), ref: 0041EC44
GlobalLock.KERNEL32(00000000), ref: 0041EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0041EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0041EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0041ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0041ECF3
CountClipboardFormats.USER32 ref: 0041ED14
CloseClipboard.USER32 ref: 0041ED59

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 12c2ebecea9d40ca2350d784163c610f6847a51ab8109c2a68e50647f5fdcd9a
Instruction ID: 275a4bf5e6e16e44bde59c013844e678f01a4546ae40c4f4b5ed6348bd3157f3
Opcode Fuzzy Hash: 12c2ebecea9d40ca2350d784163c610f6847a51ab8109c2a68e50647f5fdcd9a
Instruction Fuzzy Hash: 616104392043029FD300EF21D889F6B77A4EF85714F04546EF846AB2A1CB34ED86CB66

Function 0041698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004169BE
FindClose.KERNEL32(00000000), ref: 00416A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00416A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00416A75

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00416AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00416ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00416B6A
%02d, xrefs: 00416C00, 00416C0A, 00416C5A, 00416CAA, 00416CFA, 00416D4A
%4d, xrefs: 00416BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00416B32
%03d, xrefs: 00416DA2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f9b3b001f0770c0016897efbc24b2224ba00df3a887e8a88f96f35093afd9d81
Instruction ID: fe3e9968f09d7ac36a2188bc4407b078831ce6f083e5d675b48f0ccb0369bdc1
Opcode Fuzzy Hash: f9b3b001f0770c0016897efbc24b2224ba00df3a887e8a88f96f35093afd9d81
Instruction Fuzzy Hash: 63D14172508300AEC711EBA4CC95EABB7ECEF89704F04491EF585DA191EB78DA44C762

Function 00419642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00419663
GetFileAttributesW.KERNEL32(?), ref: 004196A1
SetFileAttributesW.KERNEL32(?,?), ref: 004196BB
FindNextFileW.KERNEL32(00000000,?), ref: 004196D3
FindClose.KERNEL32(00000000), ref: 004196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0041974A
SetCurrentDirectoryW.KERNEL32(00466B7C), ref: 00419768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00419772
FindClose.KERNEL32(00000000), ref: 0041977F
FindClose.KERNEL32(00000000), ref: 0041978F

Strings

*.*, xrefs: 004196F5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 33de2a0ca8db9ff7d5295d187e3c81dd7d88261a5129f7048378487ae0b73cd4
Instruction ID: f3ba040ad9cabe97bb23e3c733c34c5506fb525c112625eac5c357734ab8d535
Opcode Fuzzy Hash: 33de2a0ca8db9ff7d5295d187e3c81dd7d88261a5129f7048378487ae0b73cd4
Instruction Fuzzy Hash: 9D31B332940219AADB14AFB4DC59EDF77AC9F09320F1445A7F815E21D0EB38ED848B28

Function 0041979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00419819
FindClose.KERNEL32(00000000), ref: 00419824
FindFirstFileW.KERNEL32(*.*,?), ref: 00419840
SetCurrentDirectoryW.KERNEL32(?), ref: 00419890
SetCurrentDirectoryW.KERNEL32(00466B7C), ref: 004198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004198B8
FindClose.KERNEL32(00000000), ref: 004198C5
FindClose.KERNEL32(00000000), ref: 004198D5

Part of subcall function 0040DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0040DB00

Strings

*.*, xrefs: 0041983B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3d7f7e95fe931f09c25ea1ff298aa94441cf6d4dac9625b31c6caa88c1bf1511
Instruction ID: 8f47b8fa47fd5d1cf7c724482ea83f0b943194ff0b9dfa3b6edc126785ddb441
Opcode Fuzzy Hash: 3d7f7e95fe931f09c25ea1ff298aa94441cf6d4dac9625b31c6caa88c1bf1511
Instruction Fuzzy Hash: 17317232540619AADB10AFA4DC58ADF77ACAF06324F244567E814E2190DB39DD858B6C

Function 0042BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0042BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0042BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0042C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0042C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0042C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042C382
RegCloseKey.ADVAPI32(00000000), ref: 0042C38F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: ae5ae87fe45c627d908a1483aff61d5576181774721ee1408bc8e3cf8d453487
Instruction ID: f3912fa9009cd65be713a20c741f9c7afad062162ff742365f7f1cdeba296baf
Opcode Fuzzy Hash: ae5ae87fe45c627d908a1483aff61d5576181774721ee1408bc8e3cf8d453487
Instruction Fuzzy Hash: C1026C706042109FC714CF24C8D1E2ABBE5EF49308F58889DF84ADB2A2DB35EC46CB55

Function 00418195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00418257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00418267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00418273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00418310
SetCurrentDirectoryW.KERNEL32(?), ref: 00418324
SetCurrentDirectoryW.KERNEL32(?), ref: 00418356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0041838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00418395

Strings

*.*, xrefs: 0041839B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: cc345793c9062e52add1bf202a6fdbe567262cf5a0f864381394604e07ca7d31
Instruction ID: 7fdba9046673994d92eed74ad9bef7bbd1abf7bd7c05f304d8ba9b54bc95e6dc
Opcode Fuzzy Hash: cc345793c9062e52add1bf202a6fdbe567262cf5a0f864381394604e07ca7d31
Instruction Fuzzy Hash: A16159725043459FCB10EF60C880A9FB3E8FF8A314F04496EF99997251DB35E945CB96

Function 0040D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

FindFirstFileW.KERNEL32(?,?), ref: 0040D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0040D1DD
MoveFileW.KERNEL32(?,?), ref: 0040D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0040D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040D237

Part of subcall function 0040D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0040D21C,?,?), ref: 0040D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0040D253
FindClose.KERNEL32(00000000), ref: 0040D264

Strings

\*.*, xrefs: 0040D0CD, 0040D0D6, 0040D0EB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4c89634b47bb8c7eb77222a81b805e32500c354a86afbc4a8293a9a42e3a9808
Instruction ID: c753b92a5ad6e06ed569f1a2abee4d4accff7f62c05f0d0ee4ca16c8993f97eb
Opcode Fuzzy Hash: 4c89634b47bb8c7eb77222a81b805e32500c354a86afbc4a8293a9a42e3a9808
Instruction Fuzzy Hash: AA614F31C0511D9ACF06EBE0D9929EEB779EF55304F2481AAE4027B191EB385F0DCB65

Function 0041ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0041ED91
EmptyClipboard.USER32 ref: 0041ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0041EDAC
CloseClipboard.USER32 ref: 0041EEA3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5b43d60a44140faf35313c433e336b7d42469aff8ad53bb1be545b14544b9211
Instruction ID: 9c31c76111b3422b415504560af15a85840419a0220dc3193d6dfba6fc385703
Opcode Fuzzy Hash: 5b43d60a44140faf35313c433e336b7d42469aff8ad53bb1be545b14544b9211
Instruction Fuzzy Hash: 1641A2356046119FD311DF16D889F5ABBE1EF44318F14C0AAE8199F762C735EC82CB94

Function 0040E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
Part of subcall function 004016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
Part of subcall function 004016C3: GetLastError.KERNEL32 ref: 0040174A

ExitWindowsEx.USER32(?,00000000), ref: 0040E932

Strings

@, xrefs: 0040E925
, xrefs: 0040E95C
SeShutdownPrivilege, xrefs: 0040E902
, xrefs: 0040E920

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 31e3b3343c14457441919f8b6d37f95ac5d343263ab8b26670760fc8e0ea1c6c
Instruction ID: 8e91018e74535736a6f404a00a281ee54913e7b7526e40e59928ada290faa1b4
Opcode Fuzzy Hash: 31e3b3343c14457441919f8b6d37f95ac5d343263ab8b26670760fc8e0ea1c6c
Instruction Fuzzy Hash: 8001D6B3610211ABEB5426B69CC6FBB726CA714754F154D37FC02F22E2D5B95C50829C

Function 00421204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00421276
WSAGetLastError.WSOCK32 ref: 00421283
bind.WSOCK32(00000000,?,00000010), ref: 004212BA
WSAGetLastError.WSOCK32 ref: 004212C5
closesocket.WSOCK32(00000000), ref: 004212F4
listen.WSOCK32(00000000,00000005), ref: 00421303
WSAGetLastError.WSOCK32 ref: 0042130D
closesocket.WSOCK32(00000000), ref: 0042133C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fa51f06f79d8c251c83199ac898c85c5ecbce5cc8fa460b0a86a9918bab6558d
Instruction ID: cd40e1d4191cbde071cc8a3770e1709f6e8eda7a2c62ea5eda8703726cc72b8f
Opcode Fuzzy Hash: fa51f06f79d8c251c83199ac898c85c5ecbce5cc8fa460b0a86a9918bab6558d
Instruction Fuzzy Hash: 9A419031A00110DFD714EF24D484B2ABBE6AF56318F588099E856AF3A2C775ED81CBE5

Function 003DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003DB9D4
_free.LIBCMT ref: 003DB9F8
_free.LIBCMT ref: 003DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00443700), ref: 003DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0047121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00471270,000000FF,?,0000003F,00000000,?), ref: 003DBC36
_free.LIBCMT ref: 003DBD4B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d3c6300d7ababd5bea4bb936b18943a70634e4b43f9b35fe3f1f50ec0e574fd0
Instruction ID: ce195e93f34a975f19602d5ae5c61bd1b1880484e55752eaf82f707de2ac4e6b
Opcode Fuzzy Hash: d3c6300d7ababd5bea4bb936b18943a70634e4b43f9b35fe3f1f50ec0e574fd0
Instruction Fuzzy Hash: 52C13577904244EFCB229F78AC41BAAFBB8EF41350F1641ABE495DB352EB309E419750

Function 0040D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

FindFirstFileW.KERNEL32(?,?), ref: 0040D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0040D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040D481
FindClose.KERNEL32(00000000), ref: 0040D498
FindClose.KERNEL32(00000000), ref: 0040D4A1

Strings

\*.*, xrefs: 0040D3F2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bd1a0e5f84d896e10acf4c7ba76313b1caa5543094ef42631ad5ac9bfc9511d0
Instruction ID: da72de2c748c477e0c9e925c1f69bbc5f8ac086a08ec35a060ef6071f2d68522
Opcode Fuzzy Hash: bd1a0e5f84d896e10acf4c7ba76313b1caa5543094ef42631ad5ac9bfc9511d0
Instruction Fuzzy Hash: 7A317E314083459BC301EFA4D8959AFB7A8EE92304F444A6EF4D1A71D1EB38AA0DC767

Function 003DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003DE645

Strings

1#QNAN, xrefs: 003DF84B
1#IND, xrefs: 003DF83D
1#SNAN, xrefs: 003DF844
1#INF, xrefs: 003DF852

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2fcf7052390c90ef9d420c3ab8d9c8394bce70f50ed7fa523e7653bfaa64b82d
Instruction ID: 1db8a0b1f48807a38497f4ceaf1ef63e4e7fc6bec93bd32b8e621f25dc2bc5e4
Opcode Fuzzy Hash: 2fcf7052390c90ef9d420c3ab8d9c8394bce70f50ed7fa523e7653bfaa64b82d
Instruction Fuzzy Hash: 1EC22C72E046288FDB26DF28AD807EAB7B5EB45305F1541EBD44EE7241E774AE818F40

Function 0041648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004164DC
CoInitialize.OLE32(00000000), ref: 00416639
CoCreateInstance.OLE32(0043FCF8,00000000,00000001,0043FB68,?), ref: 00416650
CoUninitialize.OLE32 ref: 004168D4

Strings

.lnk, xrefs: 004164BA, 00416524, 004165E0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1eccf8f596f32c789370ca41ff138d2fb22ac955f7ba285db829e52a06a48a5e
Instruction ID: c3ba921e563c4b4d993aad37dfc27b937d7a75e4e91b20753f994e7c2b6ef36b
Opcode Fuzzy Hash: 1eccf8f596f32c789370ca41ff138d2fb22ac955f7ba285db829e52a06a48a5e
Instruction Fuzzy Hash: 63D14971508201AFC305EF24C881AABB7E9FF99704F14496EF5959B291EB30ED49CB92

Function 004222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004222E8

Part of subcall function 0041E4EC: GetWindowRect.USER32(?,?), ref: 0041E504

GetDesktopWindow.USER32 ref: 00422312
GetWindowRect.USER32(00000000), ref: 00422319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00422355
GetCursorPos.USER32(?), ref: 00422381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004223DF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d2175767c3ee434816e1c30719d2eac0e50f6151f90c20cf2519ce0475af4275
Instruction ID: d39e29e9a7865a64589dff42ffa593030b138f35ae4529d5449e42caf06324e8
Opcode Fuzzy Hash: d2175767c3ee434816e1c30719d2eac0e50f6151f90c20cf2519ce0475af4275
Instruction Fuzzy Hash: E5310472204325AFC720DF25D845F5BB7A9FF84314F40092EF984A7181DB78EA08CB9A

Function 00419B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00419B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00419C8B

Part of subcall function 00413874: GetInputState.USER32 ref: 004138CB
Part of subcall function 00413874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00413966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00419BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00419C75

Strings

*.*, xrefs: 00419B5D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8d5e7fd7af0568083aabb8bc5267fc4f2c2483fcc0b34c1c95f3d4bb296e4c86
Instruction ID: 54c2285f5d0e5152c4dbc0988ea8d30de45fd5dab4359cc83c537c320b7b4869
Opcode Fuzzy Hash: 8d5e7fd7af0568083aabb8bc5267fc4f2c2483fcc0b34c1c95f3d4bb296e4c86
Instruction Fuzzy Hash: 2B4181719442099FDF15DF64C899AEE7BB8EF05310F204056E805A7291EB34AE84CFA9

Function 003B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 003B9A4E
GetSysColor.USER32(0000000F), ref: 003B9B23
SetBkColor.GDI32(?,00000000), ref: 003B9B36

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9932e4df46d5b95a8c38cc0d8c93cd626ff6169ff62c938c904a811d2af3e917
Instruction ID: ee373b039e1895f4e0c48aafa2c0479ef481c5a62c79d8b6c0e5a18101e97ead
Opcode Fuzzy Hash: 9932e4df46d5b95a8c38cc0d8c93cd626ff6169ff62c938c904a811d2af3e917
Instruction Fuzzy Hash: C7A119B0118408BEE727AA3D8C99FFB375DDB46348F16411BF702D6E91CA259D41C27A

Function 00421806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042304E: inet_addr.WSOCK32(?), ref: 0042307A
Part of subcall function 0042304E: _wcslen.LIBCMT ref: 0042309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0042185D
WSAGetLastError.WSOCK32 ref: 00421884
bind.WSOCK32(00000000,?,00000010), ref: 004218DB
WSAGetLastError.WSOCK32 ref: 004218E6
closesocket.WSOCK32(00000000), ref: 00421915

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c68fd091b79990d54b535961a9945d72b42de1347a355ac7a39e8e96e4329f21
Instruction ID: 65fd9b701299be2746b83cfae09dcce5348033c112b3d4c27c932c995d42616d
Opcode Fuzzy Hash: c68fd091b79990d54b535961a9945d72b42de1347a355ac7a39e8e96e4329f21
Instruction Fuzzy Hash: 8351D071A00210AFDB11AF24D8C6F6A77E5EB45718F488098F90AAF3D3C775AD41CBA1

Function 00431C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00431CC0
IsWindowEnabled.USER32 ref: 00431CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00431CDB
IsIconic.USER32 ref: 00431CE9
IsZoomed.USER32 ref: 00431CF7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e9d5fc89dd394ec18da00d2100d9d8fff8833712633c7576591b7ea246bbd1af
Instruction ID: 4ab3fb5c91b9bcf15cbe98d2d37133e8ec890d42f97290a7b8e854599a6080b0
Opcode Fuzzy Hash: e9d5fc89dd394ec18da00d2100d9d8fff8833712633c7576591b7ea246bbd1af
Instruction Fuzzy Hash: 9521D3317402105FD7208F2AC894B6B7BA5EF99314F18B06AE8469B361C779EC42CB98

Function 003A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003A843C
VUUU, xrefs: 003E5DF0
VUUU, xrefs: 003A83E8
VUUU, xrefs: 003A83FA
ERCP, xrefs: 003A813C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6b58b62f72d5925f9dc375dc3220ba919d7c0bbcbeaf5c145911717212e3d50c
Instruction ID: ee2246bb697eececc659918afe6625bb7820b3f86faf827f95dd40a42dfe5191
Opcode Fuzzy Hash: 6b58b62f72d5925f9dc375dc3220ba919d7c0bbcbeaf5c145911717212e3d50c
Instruction Fuzzy Hash: 5CA2C074E0026ACBDF26CF59C8417AEB7B1FF55314F2586AAD815AB281DB309D81CF90

Function 00408298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004082AA

Strings

|, xrefs: 004082DA
(, xrefs: 004082F0
tbF, xrefs: 004084F4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbF$|
API String ID: 1659193697-3157441505
Opcode ID: ab522eaeef746bc389d6f5fd8d186b3f254af3e7ee8d1f36c5b45aff41a3e75e
Instruction ID: 3a75237bf32bee3143b5bb679d6cfee69dfd95389e056670d16b33ddf99f2ead
Opcode Fuzzy Hash: ab522eaeef746bc389d6f5fd8d186b3f254af3e7ee8d1f36c5b45aff41a3e75e
Instruction Fuzzy Hash: 3D324675A007059FCB28CF19C581A6AB7F0FF48710B15C56EE89AEB3A1EB74E941CB44

Function 0040AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0040AAAC
SetKeyboardState.USER32(00000080), ref: 0040AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0040AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0040AB88

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3f58a1e2db42f1ab3c90b0e0ae49014221bdf043d678201bae318e48300638ae
Instruction ID: fc4c9ad4e131d413d5b23a31b1d3d6d795f7270f93baa6b3524bff9251df9f29
Opcode Fuzzy Hash: 3f58a1e2db42f1ab3c90b0e0ae49014221bdf043d678201bae318e48300638ae
Instruction Fuzzy Hash: 2B31F731A40318AEEB358A658C05BFB77B6AB44310F04423BE681762D1D37CA9A1C75B

Function 0041CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0041CE89
GetLastError.KERNEL32(?,00000000), ref: 0041CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0041CEFE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4a200db879f07668673c1dd92fb1c7942a1ddb1966c5c9a6797c1455f2a72e0d
Instruction ID: 70954de8b8cc4f4caa1a8f2d05b6817109070bfe3d4fbdb28f6e0968edfe947c
Opcode Fuzzy Hash: 4a200db879f07668673c1dd92fb1c7942a1ddb1966c5c9a6797c1455f2a72e0d
Instruction Fuzzy Hash: 4F21B0715403059BD720CFA5CD88BA7B7F9EB10314F10442EE646E2291E778ED858B98

Function 00415C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00415CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00415D17
FindClose.KERNEL32(?), ref: 00415D5F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 33cb94a4aff3127b95a98004ee32f83e05beab0ace5ef57302dc7b7ba24e229c
Instruction ID: 22fd3320884c32280a8b1e51d44de0c9175f94337252ef22ac89411864e761bc
Opcode Fuzzy Hash: 33cb94a4aff3127b95a98004ee32f83e05beab0ace5ef57302dc7b7ba24e229c
Instruction Fuzzy Hash: 9B519834604A01DFC714CF28D494E9AB7E4FF8A314F14855EE95A8B3A1DB34EC84CB95

Function 003D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 003D2731

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e0b647593a18b3aaace2b90bdd8a27bca52f2c526321390cfa375fa011b5fe5
Instruction ID: 7820ebc325dd26672f300ed1c51a48112f3f6c814142fe7ff24f28d858245c37
Opcode Fuzzy Hash: 3e0b647593a18b3aaace2b90bdd8a27bca52f2c526321390cfa375fa011b5fe5
Instruction Fuzzy Hash: 4A31D67590121CABCB22DF64DC88BDDBBB8AF18310F5041EAE81CA7261E7749F818F45

Function 004151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00415238
SetErrorMode.KERNEL32(00000000), ref: 004152A1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ab767d3a5bf5d539d72efe894843bfbd1e3ea82334ecc8a780a0049e40dec6b5
Instruction ID: 2719d56def59562e5dff69ebc45cc7017e7dd4c47bfc846858ecd8bc97879502
Opcode Fuzzy Hash: ab767d3a5bf5d539d72efe894843bfbd1e3ea82334ecc8a780a0049e40dec6b5
Instruction Fuzzy Hash: 6F312B75A00518DFDB00DF54D884EEEBBB4FF49314F0480A9E805AB3A6DB35E856CB95

Function 004016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003C0668
Part of subcall function 003BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
GetLastError.KERNEL32 ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c46f6e80e754d038bf37a34bcb7f5c2acb6f52c358fc59ea8f77b33b41e27417
Instruction ID: 6974e35fbef95f7bd6488f761376cd1a9c92ec2233eb1ce5084a0cd3304b4ec9
Opcode Fuzzy Hash: c46f6e80e754d038bf37a34bcb7f5c2acb6f52c358fc59ea8f77b33b41e27417
Instruction Fuzzy Hash: 5211CEB2400304AFD718AF54DCC6DABB7B9EF04714B20853EE05667691EB70FC418B64

Function 0040D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0040D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0040D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0040D650

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 04fdd1f5130f6192019af271d07badb581b39392ced3234ddc490a0b3252ec87
Instruction ID: 602079b124829ff88f9b74f01d49f36b1b4ae3a5c613a79179bd396927973851
Opcode Fuzzy Hash: 04fdd1f5130f6192019af271d07badb581b39392ced3234ddc490a0b3252ec87
Instruction Fuzzy Hash: 50118E71E01228BFDB108FA4DC84FAFBBBCEB45B50F108122F904F7290C2704A058BA5

Function 00401663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004016A1
FreeSid.ADVAPI32(?), ref: 004016B1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 73758008f9ead1b959b06be7f0c3c1ba8971b023536adcb7acdc4544e6e47489
Instruction ID: aaf99b6a2f7dc129f30e4d7b5df4d2a0be71e4f034eb1058c09443602597cfe9
Opcode Fuzzy Hash: 73758008f9ead1b959b06be7f0c3c1ba8971b023536adcb7acdc4544e6e47489
Instruction Fuzzy Hash: F0F0F47195030DFBEB00DFE49D89EAEBBBCEB08704F504965E501E2191E774AA448B54

Function 003DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 003DC36C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 51ce724297164a3ec9ce87d3e4371bbc2774910620c56c8f18f325a0b1a13c20
Instruction ID: 045c5a992e49b839226394c7c1f4139e7246a80281dba608f15f5f39ed8d9e30
Opcode Fuzzy Hash: 51ce724297164a3ec9ce87d3e4371bbc2774910620c56c8f18f325a0b1a13c20
Instruction Fuzzy Hash: DB415B7791021A6FCB219FB9EC88EBB7778EB84314F10466AF905DB280E6709D41CB50

Function 003FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 003FD28C

Strings

X64, xrefs: 003FD2A8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d521f3f651e86be2f304063ede713788b0c2b1b229c6659d60a74157a997f67f
Instruction ID: 84038648d0f70af2fe7dc27296ee543f106f22e4b240c6aa90ad5950d55a1f3c
Opcode Fuzzy Hash: d521f3f651e86be2f304063ede713788b0c2b1b229c6659d60a74157a997f67f
Instruction Fuzzy Hash: E7D0C9B480111DEACB95DB90DCC8DD9B37CBB04305F100551F206A2400D73096488F10

Function 003CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 9c5526b9912cef1696adc5716f9210d6d263525494a3476db60e2899466bb095
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 40021B71E102199BDF15CFA9C880BADBBF1EF48314F25816DD819EB284D731AE418B94

Function 003ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 003F0C40
p#G, xrefs: 003ACF7F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#G
API String ID: 0-3110822686
Opcode ID: aee5a28600e2b572ba27429e9d937dbe1aa02d1d54b81f9a574da46ff5d7cbeb
Instruction ID: b124b24b0439dd6fa8ee7fef9875fe3d6107bd40da00541470cbf4b223b4de7c
Opcode Fuzzy Hash: aee5a28600e2b572ba27429e9d937dbe1aa02d1d54b81f9a574da46ff5d7cbeb
Instruction Fuzzy Hash: 9B328A70910218DFCF1ADF94C980AFDB7B9FF16308F155069E906AB292DB35AE45CB60

Function 004168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00416918
FindClose.KERNEL32(00000000), ref: 00416961

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d8ba2fc08f3bdc44515decd529d557839f9e8016ee6805176cb2733dbd945ff2
Instruction ID: c1df7ea1cda221bf6cfbf8d6f0f0b993772bfa05c5333edbf438b9fabee8ef8c
Opcode Fuzzy Hash: d8ba2fc08f3bdc44515decd529d557839f9e8016ee6805176cb2733dbd945ff2
Instruction Fuzzy Hash: C01190716142109FC710DF29D8C4A16BBE5FF85328F15C6AAE8698F3A2C734EC45CB91

Function 004137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00424891,?,?,00000035,?), ref: 004137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00424891,?,?,00000035,?), ref: 004137F4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 19838e5fba7b0ed25f3aa833f4817c1aea050b776e527d413edaf2032e7ea51f
Instruction ID: 55d5ec79e85924426135494f012bd44f71198cdb85ea1a3583760157626fd38e
Opcode Fuzzy Hash: 19838e5fba7b0ed25f3aa833f4817c1aea050b776e527d413edaf2032e7ea51f
Instruction Fuzzy Hash: 24F0E5B17043282AEB2017668C8DFEB7AAEEFC5761F000276F509E22C1D9609D44C7F4

Function 0040B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0040B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0040B270

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b7e04bf2af70ab7ba2c1eb1fb6e3b8601d063883d74d3fc151d1356d796b0d95
Instruction ID: 6d2640dfe2c8c22cdfa08d62de5c17694f1e4cf9eaff764db9f479d6d762b36b
Opcode Fuzzy Hash: b7e04bf2af70ab7ba2c1eb1fb6e3b8601d063883d74d3fc151d1356d796b0d95
Instruction Fuzzy Hash: 66F01D7180424EABDB059FA0C805BAE7BB4FF04305F00905AF955A5191C37986119F98

Function 004010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004011FC), ref: 004010D4
CloseHandle.KERNEL32(?,?,004011FC), ref: 004010E9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c938a5d13d9eb15b030607ec70b03625fe2cb30b92eda8dc515a1ad28f6a833a
Instruction ID: 494a5cd773078fe08dfd91eaff69d5f538b3204f3212650216e2b8e52fdb1335
Opcode Fuzzy Hash: c938a5d13d9eb15b030607ec70b03625fe2cb30b92eda8dc515a1ad28f6a833a
Instruction Fuzzy Hash: 99E04F32004600AEF7262B51FC45EB777E9EB04310B10883EF5A5948B1DB62ACA0DB54

Function 003D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003D6766,?,?,00000008,?,?,003DFEFE,00000000), ref: 003D6998

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ba33c10db4195f122deed959d716b4d1fac6b4ae63e48644b00ba91a51e80b61
Instruction ID: d0f82c6bd0ed12b33f86c719bdd55543a83b521f51fa0bb4739cd88f728351e3
Opcode Fuzzy Hash: ba33c10db4195f122deed959d716b4d1fac6b4ae63e48644b00ba91a51e80b61
Instruction Fuzzy Hash: 07B16A726106089FD716CF28D48AB657BE0FF05364F268659E8E9CF3A2C335E991CB40

Function 003BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 003F851F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d75f68391125548e3f7dd0dac20c11871402cf831155f029987352b0479c7d31
Instruction ID: 70db6802c05fce9811c1b1398502dffc9771652c724d30b0138a85d3fae8a39c
Opcode Fuzzy Hash: d75f68391125548e3f7dd0dac20c11871402cf831155f029987352b0479c7d31
Instruction Fuzzy Hash: 6E128E759002299BCB25CF59C8806FEB7F5FF48314F1181AAE949EB651DB709E81CB90

Function 0041EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0041EABD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7c8e03ed70d659783aec06bfc90fbee347185dacccfd9e818133b72978211471
Instruction ID: 12bc0acd2683a115f3ec451f19d4354801ec82b46d3674561472afb0cd5cc51b
Opcode Fuzzy Hash: 7c8e03ed70d659783aec06bfc90fbee347185dacccfd9e818133b72978211471
Instruction Fuzzy Hash: CAE04F362102049FC710EF6AD845E9AF7E9EF997A0F008426FC4ADB351DB74E8818B95

Function 003C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003C03EE), ref: 003C09DA

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 724a0d43c3af1816ad008803304e3a3c7e9becc89565def6e9cffce7c561de35
Instruction ID: 2c867a437f2a76a79ff73985c7ce40d1de0ec66dc0114ba89500637cc7d9e5e8
Opcode Fuzzy Hash: 724a0d43c3af1816ad008803304e3a3c7e9becc89565def6e9cffce7c561de35
Instruction Fuzzy Hash:

Function 003C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 003C798B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: b218f1ab0ad8bcd559592fa5d193d61aa7b11ee508c6a4171f32017fddc9f7e7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7551677260C7055BDB3B8628885FFFE23999B12340F19050DEE82DB682CB25DE01DF52

Function 00412046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&G, xrefs: 00412053

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 0&G
API String ID: 0-4031540117
Opcode ID: f0312f83777b8827bee208c098701a97501fbb0fc948a1a949b35813f6eeb205
Instruction ID: f7d9230036af97c699186706f21b0ff2253b68bd5961388f236941a222787120
Opcode Fuzzy Hash: f0312f83777b8827bee208c098701a97501fbb0fc948a1a949b35813f6eeb205
Instruction Fuzzy Hash: F421D5322206118BD728CF79C9226BE77E5A754310F14862EE4A7C33D1DE79A944CB84

Function 003D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700a360fa95299656c58a21cade99b88c33707ce5b0b6d41d1bc41682b4abd50
Instruction ID: 26ff57600fa727aa49bfef8cd638bd8e190c3fc5f0ab23f06021c6183862108a
Opcode Fuzzy Hash: 700a360fa95299656c58a21cade99b88c33707ce5b0b6d41d1bc41682b4abd50
Instruction Fuzzy Hash: 4F324426D29F014DD7239634ED22336A249AFB73C5F65D737F81AB5EA6EB29C4834100

Function 003BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dfee300456beb7bed9a4332b38c4f96d92fcdb15b6f35d04c7bbbfb5309b63
Instruction ID: c7b4b2d6d03abb457fde96d3328e5de4e104be77785279f8306db499991ec9c1
Opcode Fuzzy Hash: a3dfee300456beb7bed9a4332b38c4f96d92fcdb15b6f35d04c7bbbfb5309b63
Instruction Fuzzy Hash: CD325C31AA414D8BDF36CF28C6906BD7BA1EB45304F2AB526D749CBA91D330DD82DB41

Function 003A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71c5cd8961de324ae7338a09c949a19c9e9590d347699f944b37d4a079d5735
Instruction ID: cb773064745de5f427e220b8227f887b278b74c045e2c49f13d74e9115a13bc9
Opcode Fuzzy Hash: a71c5cd8961de324ae7338a09c949a19c9e9590d347699f944b37d4a079d5735
Instruction Fuzzy Hash: FF22C0B0A00619DFDF16CFA5C881AEEB3F5FF45304F104629E816AB691EB35AD11CB60

Function 003A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9862f10f24f25dc8267cf4d5583aad2a08904335b2131418f22240b7488892
Instruction ID: 45851c844561b087fdda5a484007a257b4200ff8562dd7938cae290d1ac75eda
Opcode Fuzzy Hash: ed9862f10f24f25dc8267cf4d5583aad2a08904335b2131418f22240b7488892
Instruction Fuzzy Hash: F802C6B0A00159EFCB06DF65D881BAEB7B5FF44304F118169E816AB2D1EB31EE50CB95

Function 003C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 37919dee721987f3d32121d16f8ce6b8bc1fe56b843932d98b09a0fc01219533
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 179166721090A349DB6B46398574A3EFFE15A533A131B079DE4F3CA1C6EE249D64F720

Function 003C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5d9bb1d946667d9a61dbea680e80b1cb22e0c0954d5111712396509ff2cd055b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FD9153762090A349DB2F427A857493DFEE55A933A131A079DD4F2CA1C2FE24CD64BB20

Function 003C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1147ffb15fc12f8230feef16e56b6d4c7f8a0944c5974519ef050ce9a295e7e
Instruction ID: 30ae730f5d04f048f68a21cb771b2ac16592d6e199de7564fc1c3ce56d430830
Opcode Fuzzy Hash: f1147ffb15fc12f8230feef16e56b6d4c7f8a0944c5974519ef050ce9a295e7e
Instruction Fuzzy Hash: 9161767520874AA6DB3B9A288D96FBE3398DF41710F11091EEC43DF781DA11AE42CF55

Function 003C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4e1018b2c7210f3ff0a985cebb4e2d4e7fb0ed23a19444807a453a57e8d1b3
Instruction ID: b1fc7ba96e279c6b616232936a56599c3f2c978ade448d108d95defc352fc117
Opcode Fuzzy Hash: 4a4e1018b2c7210f3ff0a985cebb4e2d4e7fb0ed23a19444807a453a57e8d1b3
Instruction Fuzzy Hash: 74617832208709A7DA3B5A38489AFBF2398AF42744F11095EFD43DF681DA12AD42CF55

Function 003C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5663be3bd9f88e2bd3ab2f9c98bc92b48242ec1f2cab2ccea248fbc108970663
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D481637250C0A349DB6B42398534A3EFFE15A933A131B079DD4F2CA5C6EE249D54F760

Function 00422ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00422B30
DeleteObject.GDI32(00000000), ref: 00422B43
DestroyWindow.USER32 ref: 00422B52
GetDesktopWindow.USER32 ref: 00422B6D
GetWindowRect.USER32(00000000), ref: 00422B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00422CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00422CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422CF8
GetClientRect.USER32(00000000,?), ref: 00422D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00422D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D80
GlobalLock.KERNEL32(00000000), ref: 00422D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D98
GlobalUnlock.KERNEL32(00000000), ref: 00422DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422DA8
GlobalFree.KERNEL32(00000000), ref: 00422DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0043FC38,00000000), ref: 00422DDB
GlobalFree.KERNEL32(00000000), ref: 00422DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00422E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00422E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0042303F

Strings

static, xrefs: 00422D3A, 00422E91
AutoIt v3, xrefs: 00422CF2
DISPLAY, xrefs: 00422EA2
, xrefs: 00422FC5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b5313e6e8e37aeb8aa02a6c7d59fe7049da91210a42223a1a67a8c022de61348
Instruction ID: 570f8fa32cc52953413d020d1639ec7377ec6158120d22ef01b786c30398982a
Opcode Fuzzy Hash: b5313e6e8e37aeb8aa02a6c7d59fe7049da91210a42223a1a67a8c022de61348
Instruction Fuzzy Hash: 89029C71A00214AFDB14DF64DD89EAE7BB9EF49310F048169F915AB2A1CB78ED01CF64

Function 004370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0043712F
GetSysColorBrush.USER32(0000000F), ref: 00437160
GetSysColor.USER32(0000000F), ref: 0043716C
SetBkColor.GDI32(?,000000FF), ref: 00437186
SelectObject.GDI32(?,?), ref: 00437195
InflateRect.USER32(?,000000FF,000000FF), ref: 004371C0
GetSysColor.USER32(00000010), ref: 004371C8
CreateSolidBrush.GDI32(00000000), ref: 004371CF
FrameRect.USER32(?,?,00000000), ref: 004371DE
DeleteObject.GDI32(00000000), ref: 004371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00437230
FillRect.USER32(?,?,?), ref: 00437262
GetWindowLongW.USER32(?,000000F0), ref: 00437284

Part of subcall function 004373E8: GetSysColor.USER32(00000012), ref: 00437421
Part of subcall function 004373E8: SetTextColor.GDI32(?,?), ref: 00437425
Part of subcall function 004373E8: GetSysColorBrush.USER32(0000000F), ref: 0043743B
Part of subcall function 004373E8: GetSysColor.USER32(0000000F), ref: 00437446
Part of subcall function 004373E8: GetSysColor.USER32(00000011), ref: 00437463
Part of subcall function 004373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00437471
Part of subcall function 004373E8: SelectObject.GDI32(?,00000000), ref: 00437482
Part of subcall function 004373E8: SetBkColor.GDI32(?,00000000), ref: 0043748B
Part of subcall function 004373E8: SelectObject.GDI32(?,?), ref: 00437498
Part of subcall function 004373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004374B7
Part of subcall function 004373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004374CE
Part of subcall function 004373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004374DB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e3c5c0a88d70c5879d28afaaa72304b2619ac1fcfb47394891b0e6338e3d5767
Instruction ID: 73b97a787b9e3774cb6656b13be8f958ed25602753792304a981e737e0793dba
Opcode Fuzzy Hash: e3c5c0a88d70c5879d28afaaa72304b2619ac1fcfb47394891b0e6338e3d5767
Instruction Fuzzy Hash: 8AA1A172008311BFDB109F60DC88E5B7BA9FB4C320F102A29F9A2A61E1D775E944DF56

Function 003B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 003F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003F6F43

Part of subcall function 003B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003B8BE8,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8FC5

SendMessageW.USER32(?,00001053), ref: 003F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 003F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 003F6FB7

Strings

0, xrefs: 003F6DCF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 95e08483217150fc8d192e8e91cbb0b2173bf7181600127e72fab35027c2db9a
Instruction ID: 26b1747f5e47d455a25f137ca4654dea8088d0f396d939a6e10f03eb09db1be6
Opcode Fuzzy Hash: 95e08483217150fc8d192e8e91cbb0b2173bf7181600127e72fab35027c2db9a
Instruction Fuzzy Hash: 3A12DD70200205EFDB26DF28C985BBAB7F9FB44304F154469F6899B661CB31EC92CB95

Function 00422711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0042273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0042286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00422900
GetClientRect.USER32(00000000,?), ref: 0042290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00422955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00422964
GetStockObject.GDI32(00000011), ref: 00422974
SelectObject.GDI32(00000000,00000000), ref: 00422978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00422988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00422991
DeleteDC.GDI32(00000000), ref: 0042299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00422A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00422A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00422A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00422A77
GetStockObject.GDI32(00000011), ref: 00422A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00422A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00422A97

Strings

AutoIt v3, xrefs: 004228F8
static, xrefs: 0042294F, 00422A71
msctls_progress32, xrefs: 00422A13
DISPLAY, xrefs: 0042295A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6305d75bef7a8e4654bb0d24b872a95b22270937f41d9fa264c3849f6bddc1a8
Instruction ID: 6547b14760aa2fd886647fffd8a3eb964cb11b3faeb1b270d4b03f4288be70d8
Opcode Fuzzy Hash: 6305d75bef7a8e4654bb0d24b872a95b22270937f41d9fa264c3849f6bddc1a8
Instruction Fuzzy Hash: 21B16D71A00215BFEB14DF68DD8AFAE7BA9EB49710F104115F914EB2A0D774ED40CBA8

Function 00414ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00414AED
GetDriveTypeW.KERNEL32(?,0043CB68,?,\\.\,0043CC08), ref: 00414BCA
SetErrorMode.KERNEL32(00000000,0043CB68,?,\\.\,0043CC08), ref: 00414D36

Strings

Fibre, xrefs: 00414CAD
iSCSI, xrefs: 00414CC2
ATAPI, xrefs: 00414C91
SSD, xrefs: 00414C4A
SATA, xrefs: 00414CD0
Virtual, xrefs: 00414CE5
RAMDisk, xrefs: 00414BF4
Removable, xrefs: 00414C10, 00414C15
PhysicalDrive, xrefs: 00414B76
\\.\, xrefs: 00414B3F
Fixed, xrefs: 00414C09
Network, xrefs: 00414C02
SSA, xrefs: 00414CA6
1394, xrefs: 00414C9F
CDROM, xrefs: 00414BFB
RAID, xrefs: 00414CBB
ATA, xrefs: 00414C98
SAS, xrefs: 00414CC9
MMC, xrefs: 00414CDE
Unknown, xrefs: 00414BED, 00414C83
FileBackedVirtual, xrefs: 00414CEC
SCSI, xrefs: 00414C8A
USB, xrefs: 00414CB4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a5077808a6ec21e15844dea162e7fca3e075989ca2d29a0592d89b7f959f0636
Instruction ID: 27a26bde5e499795063162d3741b9f7431c46efa8af1ccf5dd9ee3d740b90359
Opcode Fuzzy Hash: a5077808a6ec21e15844dea162e7fca3e075989ca2d29a0592d89b7f959f0636
Instruction Fuzzy Hash: 7F6174306051059BCB04DF24CA81EE977A1EBC5744B268417F806AB691FB3DED82DB9F

Function 004373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00437421
SetTextColor.GDI32(?,?), ref: 00437425
GetSysColorBrush.USER32(0000000F), ref: 0043743B
GetSysColor.USER32(0000000F), ref: 00437446
CreateSolidBrush.GDI32(?), ref: 0043744B
GetSysColor.USER32(00000011), ref: 00437463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00437471
SelectObject.GDI32(?,00000000), ref: 00437482
SetBkColor.GDI32(?,00000000), ref: 0043748B
SelectObject.GDI32(?,?), ref: 00437498
InflateRect.USER32(?,000000FF,000000FF), ref: 004374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0043752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00437554
InflateRect.USER32(?,000000FD,000000FD), ref: 00437572
DrawFocusRect.USER32(?,?), ref: 0043757D
GetSysColor.USER32(00000011), ref: 0043758E
SetTextColor.GDI32(?,00000000), ref: 00437596
DrawTextW.USER32(?,004370F5,000000FF,?,00000000), ref: 004375A8
SelectObject.GDI32(?,?), ref: 004375BF
DeleteObject.GDI32(?), ref: 004375CA
SelectObject.GDI32(?,?), ref: 004375D0
DeleteObject.GDI32(?), ref: 004375D5
SetTextColor.GDI32(?,?), ref: 004375DB
SetBkColor.GDI32(?,?), ref: 004375E5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c2187a4358ea285685be2575f8dc5847f1941a2fad21c994f87e39dd0419328f
Instruction ID: 70b55e85c15d9023df85635d524df9330b01819178e74f219a3acfa30e2e576e
Opcode Fuzzy Hash: c2187a4358ea285685be2575f8dc5847f1941a2fad21c994f87e39dd0419328f
Instruction Fuzzy Hash: EF616E72900218BFDF119FA4DC89AEE7FB9EB08320F105125F911BB2A1D775A940DF94

Function 00430FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00431128
GetDesktopWindow.USER32 ref: 0043113D
GetWindowRect.USER32(00000000), ref: 00431144
GetWindowLongW.USER32(?,000000F0), ref: 00431199
DestroyWindow.USER32(?), ref: 004311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0043120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0043121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00431232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00431245
IsWindowVisible.USER32(00000000), ref: 004312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004312D0
GetWindowRect.USER32(00000000,?), ref: 004312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0043130E
GetMonitorInfoW.USER32(00000000,?), ref: 00431328
CopyRect.USER32(?,?), ref: 0043133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004313AA

Strings

0, xrefs: 004310D3
(, xrefs: 0043131B
tooltips_class32, xrefs: 004311E6

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 507450c9ed3f16e3493632d74f01336fb4410e10b19e3254107eb7e0cc563121
Instruction ID: 8a8fa354b51dcc0f9c18a5d1fbefd035e534e4832be9a421f0a3820b506f19bc
Opcode Fuzzy Hash: 507450c9ed3f16e3493632d74f01336fb4410e10b19e3254107eb7e0cc563121
Instruction Fuzzy Hash: B8B19C71608341AFDB04DF64C885B6BBBE4FF89350F00991DF999AB2A1C735E844CB96

Function 00430241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004302E5
_wcslen.LIBCMT ref: 0043031F
_wcslen.LIBCMT ref: 00430389
_wcslen.LIBCMT ref: 004303F1
_wcslen.LIBCMT ref: 00430475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00430504

Part of subcall function 003BF9F2: _wcslen.LIBCMT ref: 003BF9FD

Part of subcall function 0040223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00402258
Part of subcall function 0040223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0040228A

Strings

VIEWCHANGE, xrefs: 00430675
SELECTCLEAR, xrefs: 0043052D
DESELECT, xrefs: 0043059C
GETTEXT, xrefs: 004303EC, 00430407
GETSELECTED, xrefs: 004305E1
FINDITEM, xrefs: 00430627
SELECT, xrefs: 00430548
SELECTINVERT, xrefs: 0043057E
GETITEMCOUNT, xrefs: 00430316, 00430337
SELECTALL, xrefs: 00430515
GETSUBITEMCOUNT, xrefs: 00430384, 0043039F
ISSELECTED, xrefs: 004304DD
GETSELECTEDCOUNT, xrefs: 00430470, 0043048B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e469536df52e28168491ef78e827ffe027e65b936c9e7a8e5447c84656864c4d
Instruction ID: e9ff17d2e724623fa163b5ce5f5b6109cf14e3c701a779729ac8efddc59a6142
Opcode Fuzzy Hash: e469536df52e28168491ef78e827ffe027e65b936c9e7a8e5447c84656864c4d
Instruction Fuzzy Hash: 45E1E2312082009FC714DF24C56192BB3E2FF99318F145A6EF896AB7A6D738ED45CB46

Function 003B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003B8968
GetSystemMetrics.USER32(00000007), ref: 003B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003B899B
GetSystemMetrics.USER32(00000008), ref: 003B89A3
GetSystemMetrics.USER32(00000004), ref: 003B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 003B8A5A
GetStockObject.GDI32(00000011), ref: 003B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 003B8A81

Part of subcall function 003B912D: GetCursorPos.USER32(?), ref: 003B9141
Part of subcall function 003B912D: ScreenToClient.USER32(00000000,?), ref: 003B915E
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000001), ref: 003B9183
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000002), ref: 003B919D

SetTimer.USER32(00000000,00000000,00000028,003B90FC), ref: 003B8AA8

Strings

AutoIt v3 GUI, xrefs: 003B8A20

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9ea54e014e30255c7444243be36bdc24592c4c6749e959367338f361028b5410
Instruction ID: d2f71bc5c793fcc831c823deb813f2aa950e5ab0fa3c9ef0226be9644c0f73e6
Opcode Fuzzy Hash: 9ea54e014e30255c7444243be36bdc24592c4c6749e959367338f361028b5410
Instruction Fuzzy Hash: E1B15D75A00209AFDF15DF68CC86BEE3BB5FB48314F114129FA15AB2A0DB74A841CB55

Function 00400D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
Part of subcall function 004010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
Part of subcall function 004010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00400DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00400E29
GetLengthSid.ADVAPI32(?), ref: 00400E40
GetAce.ADVAPI32(?,00000000,?), ref: 00400E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00400E96
GetLengthSid.ADVAPI32(?), ref: 00400EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00400EB5
HeapAlloc.KERNEL32(00000000), ref: 00400EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00400EDD
CopySid.ADVAPI32(00000000), ref: 00400EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00400F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00400F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00400F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F6E
HeapFree.KERNEL32(00000000), ref: 00400F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F7E
HeapFree.KERNEL32(00000000), ref: 00400F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F8E
HeapFree.KERNEL32(00000000), ref: 00400F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00400FA1
HeapFree.KERNEL32(00000000), ref: 00400FA8

Part of subcall function 00401193: GetProcessHeap.KERNEL32(00000008,00400BB1,?,00000000,?,00400BB1,?), ref: 004011A1
Part of subcall function 00401193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00400BB1,?), ref: 004011A8
Part of subcall function 00401193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00400BB1,?), ref: 004011B7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ce6c344cee8ddb86a5513b4e28e4fe06f43caa7e9a218fe57af9693c310a0c41
Instruction ID: dd0a1e508c23a7d2474bb5077e230ad4152927ba5489f96d53c4d6a61e2dc2cf
Opcode Fuzzy Hash: ce6c344cee8ddb86a5513b4e28e4fe06f43caa7e9a218fe57af9693c310a0c41
Instruction Fuzzy Hash: C8716D7290020AABDF209FA4DC84FAFBBB8BF05301F144126FA59F6291D775D905DB68

Function 0042C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0043CC08,00000000,?,00000000,?,?), ref: 0042C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0042C5A4
_wcslen.LIBCMT ref: 0042C5F4
_wcslen.LIBCMT ref: 0042C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0042C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0042C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0042C84D
RegCloseKey.ADVAPI32(?), ref: 0042C881
RegCloseKey.ADVAPI32(00000000), ref: 0042C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0042C960

Strings

REG_DWORD, xrefs: 0042C804
REG_BINARY, xrefs: 0042C913
REG_SZ, xrefs: 0042C644
REG_MULTI_SZ, xrefs: 0042C6F5
REG_QWORD, xrefs: 0042C8C3
REG_EXPAND_SZ, xrefs: 0042C5CD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 7504d0c364f84b7d97a3d2063d329c655e7205fda5c73a1e58f1cce9f7aa96ee
Instruction ID: 28cd4e3ea004749fb82f442ea47d1d9482c65f6340ad00c7e484540e4e1272fe
Opcode Fuzzy Hash: 7504d0c364f84b7d97a3d2063d329c655e7205fda5c73a1e58f1cce9f7aa96ee
Instruction Fuzzy Hash: 931287356042119FCB15EF24D891B2AB7E5EF89714F04889DF88A9B3A2DB35FC41CB85

Function 0043091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004309C6
_wcslen.LIBCMT ref: 00430A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00430A54
_wcslen.LIBCMT ref: 00430A8A
_wcslen.LIBCMT ref: 00430B06
_wcslen.LIBCMT ref: 00430B81

Part of subcall function 003BF9F2: _wcslen.LIBCMT ref: 003BF9FD

Part of subcall function 00402BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00402BFA

Strings

GETTOTALCOUNT, xrefs: 004309F2, 00430A17
GETTEXT, xrefs: 00430C97
GETITEMCOUNT, xrefs: 00430C1E
GETSELECTED, xrefs: 00430C4E
CHECK, xrefs: 00430A85, 00430AA0
SELECT, xrefs: 00430D11
UNCHECK, xrefs: 00430D3E
EXPAND, xrefs: 00430BF8
COLLAPSE, xrefs: 00430B01, 00430B1C
ISCHECKED, xrefs: 00430CE1
EXISTS, xrefs: 00430B7C, 00430B97

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 57499b0f3b27fc7f66f35d79db8d28b1b4bda38904890c11bbbf65a1a3e9d67f
Instruction ID: 263d93099b8d3a42d813662fb68471d7bfcafea370af319c8e7e2b02efd9bc7a
Opcode Fuzzy Hash: 57499b0f3b27fc7f66f35d79db8d28b1b4bda38904890c11bbbf65a1a3e9d67f
Instruction Fuzzy Hash: B3E1A1312083018FC714EF24C46092AB7E1FF99718F149A5EF8969B7A2D739ED45CB86

Function 0042C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
_wcslen.LIBCMT ref: 0042C9F1
_wcslen.LIBCMT ref: 0042CA68
_wcslen.LIBCMT ref: 0042CA9E
_wcslen.LIBCMT ref: 0042CAF9
_wcslen.LIBCMT ref: 0042CB2F
_wcslen.LIBCMT ref: 0042CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0042CAF3, 0042CAF8
HKCR, xrefs: 0042CB29, 0042CB2E
HKCU, xrefs: 0042CBCE
HKEY_LOCAL_MACHINE, xrefs: 0042CA62, 0042CA67
HKEY_USERS, xrefs: 0042CBDF
HKLM, xrefs: 0042CA98, 0042CA9D
HKEY_CURRENT_CONFIG, xrefs: 0042CB79, 0042CB7E
HKEY_CURRENT_USER, xrefs: 0042CBBD
HKCC, xrefs: 0042CBAC
HKU, xrefs: 0042CBF0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5baeb96049dbf875457d30bcf9e91693623b6ba2edc6dfc3506fe1a822369fb7
Instruction ID: dd4e5e3c099794cabb27f4f462497e8fbec1c15b5c683f210f618263fa216bd3
Opcode Fuzzy Hash: 5baeb96049dbf875457d30bcf9e91693623b6ba2edc6dfc3506fe1a822369fb7
Instruction Fuzzy Hash: 9871053270013A8BCB20DE7CED916BF37919F61794B90412AF8569B384EB39DD45C399

Function 0043833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043835A
_wcslen.LIBCMT ref: 0043836E
_wcslen.LIBCMT ref: 00438391
_wcslen.LIBCMT ref: 004383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00435BF2), ref: 0043844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00438487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00438501
FreeLibrary.KERNEL32(?), ref: 0043850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043851D
DestroyIcon.USER32(?,?,?,?,?,00435BF2), ref: 0043852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00438549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00438555

Strings

.icl, xrefs: 00438368
.exe, xrefs: 00438388
.dll, xrefs: 004383AB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5464856b4346a6d1a23352f3abd9617c737f0e8bd84e5263f8ec38f5395a5c2b
Instruction ID: 04515a5146d3f21d361865ece0c7c2a817e8cd3837f9c84b5d6c15e86604a465
Opcode Fuzzy Hash: 5464856b4346a6d1a23352f3abd9617c737f0e8bd84e5263f8ec38f5395a5c2b
Instruction Fuzzy Hash: E261E171500315BAEB15DF64CC81BBFB7A8FB08720F10561AF815EA1D1EB78A980CBA4

Function 003A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 003E519A
#notrayicon, xrefs: 003A77E7
Unterminated group of comments, xrefs: 003E528C
#include, xrefs: 003A7847
#OnAutoItStartRegister, xrefs: 003A7817
#ce, xrefs: 003A78ED
#comments-start, xrefs: 003A785F, 003A78B1
#pragma compile, xrefs: 003A77D3
Cannot parse #include, xrefs: 003E5279
#comments-end, xrefs: 003A78D9
#cs, xrefs: 003A7873, 003A78C5
', xrefs: 003E5169
#include-once, xrefs: 003A782F
#requireadmin, xrefs: 003A77FF
", xrefs: 003E5153

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ce079750cf3b3a80ea93fbde1e383fa7f42de29b30319bd6289c57bd8e02e2b0
Instruction ID: 9805b55113d55f9ae1182b78360cecd8aac9daec7a67dc68b0c93d91ee8f3807
Opcode Fuzzy Hash: ce079750cf3b3a80ea93fbde1e383fa7f42de29b30319bd6289c57bd8e02e2b0
Instruction Fuzzy Hash: 9581F171A04215BBDB23AF61DC82FBE37A8EF16304F154029F905AE192EB75DE01D7A1

Function 00413E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00413EF8
_wcslen.LIBCMT ref: 00413F03
_wcslen.LIBCMT ref: 00413F5A
_wcslen.LIBCMT ref: 00413F98
GetDriveTypeW.KERNEL32(?), ref: 00413FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00414059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00414087

Strings

open, xrefs: 00413F54, 00413F59
close cd wait, xrefs: 00414072
wait, xrefs: 00414044
close, xrefs: 00413EFE, 00413F18
type cdaudio alias cd wait, xrefs: 00414001
set cd door , xrefs: 00414028
closed, xrefs: 00413F08, 00413F2D, 00413F46, 00413F7E, 00413F97
open , xrefs: 00413FE5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 49e01b416526c097ee65034b1385281a5e191f405a57aad57cf7ca4b82b0654b
Instruction ID: f4a9208b4600bcf7957abc96617150db42e835d332e6dcd5bdd888d98fd855cb
Opcode Fuzzy Hash: 49e01b416526c097ee65034b1385281a5e191f405a57aad57cf7ca4b82b0654b
Instruction Fuzzy Hash: 6C7115316042119FC310EF24C8819ABB7F4EF99758F10492EF89597351EB35ED86CB96

Function 00405A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00405A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00405A40
SetWindowTextW.USER32(?,?), ref: 00405A57
GetDlgItem.USER32(?,000003EA), ref: 00405A6C
SetWindowTextW.USER32(00000000,?), ref: 00405A72
GetDlgItem.USER32(?,000003E9), ref: 00405A82
SetWindowTextW.USER32(00000000,?), ref: 00405A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00405AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00405AC3
GetWindowRect.USER32(?,?), ref: 00405ACC
_wcslen.LIBCMT ref: 00405B33
SetWindowTextW.USER32(?,?), ref: 00405B6F
GetDesktopWindow.USER32 ref: 00405B75
GetWindowRect.USER32(00000000), ref: 00405B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00405BD3
GetClientRect.USER32(?,?), ref: 00405BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00405C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00405C2F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dc94136b55825fa4163c01537e1ec71627c9e6904d63494c3794a838301d6686
Instruction ID: 2836f82b77445654b065d36630555853903e0d36a60bafca8f819de0c7248e62
Opcode Fuzzy Hash: dc94136b55825fa4163c01537e1ec71627c9e6904d63494c3794a838301d6686
Instruction Fuzzy Hash: D1714C31900B09AFDB20DFA9CE85A6FBBF5FB48704F104529E542B26A0D779B944CF58

Function 0041FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0041FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0041FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0041FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0041FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0041FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0041FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0041FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0041FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0041FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0041FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0041FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0041FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0041FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0041FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0041FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0041FECC
GetCursorInfo.USER32(?), ref: 0041FEDC
GetLastError.KERNEL32 ref: 0041FF1E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 670ae13885d2ff0f1ca2121c9f9fee13741d37ca91047ab0f04426dbe185d8ba
Instruction ID: 8c0eaf06f9077e316a6fa108da494f50590f7490de16917148c6a7bc3c809eba
Opcode Fuzzy Hash: 670ae13885d2ff0f1ca2121c9f9fee13741d37ca91047ab0f04426dbe185d8ba
Instruction Fuzzy Hash: 504163B0D043196ADB10DFBA8C8585EBFE8FF04754B50452AE119EB281DB78A942CF95

Function 004030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040318D
_wcslen.LIBCMT ref: 004031F8

Strings

NAME, xrefs: 00403335, 00403346
INSTANCE, xrefs: 00403453
[F, xrefs: 0040339A
TEXT, xrefs: 0040347C
CLASS, xrefs: 00403188, 004031A5
REGEXPCLASS, xrefs: 00403255, 00403266
CLASSNN, xrefs: 004031F3, 00403204

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[F
API String ID: 176396367-2139206619
Opcode ID: b5812c98201a5594b3a03d46be8da5a5e456e5f4c6194f3f4fa32d65eca988e8
Instruction ID: b4f885da0b6117f4063ac6b230e009735e04f753bf91a2b04c0a1de8331008b3
Opcode Fuzzy Hash: b5812c98201a5594b3a03d46be8da5a5e456e5f4c6194f3f4fa32d65eca988e8
Instruction Fuzzy Hash: 55E1F532A00516ABCB15DF64C891BEEBFB8BF44711F54813BE456FB280DB38AE458794

Function 003C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003C00C6

Part of subcall function 003C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0047070C,00000FA0,FC781CF5,?,?,?,?,003E23B3,000000FF), ref: 003C011C
Part of subcall function 003C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003E23B3,000000FF), ref: 003C0127
Part of subcall function 003C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003E23B3,000000FF), ref: 003C0138
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003C014E
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003C015C
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003C016A
Part of subcall function 003C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003C0195
Part of subcall function 003C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003C01A0

___scrt_fastfail.LIBCMT ref: 003C00E7

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 003C0122
InitializeConditionVariable, xrefs: 003C0148
WakeAllConditionVariable, xrefs: 003C0162
SleepConditionVariableCS, xrefs: 003C0154
kernel32.dll, xrefs: 003C0133

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 90112b0a496bbd9de9745924785ea2d8b2e2a1b60042f881dfb24ad3d0482068
Instruction ID: 6589ce5b5830f2819eeb48da78dd29387e49362104baa5a45ac1436b7894be1a
Opcode Fuzzy Hash: 90112b0a496bbd9de9745924785ea2d8b2e2a1b60042f881dfb24ad3d0482068
Instruction Fuzzy Hash: C0218136A05350EFD71A5BB4AC49F6AB394DB04B61F15013EF805F7691DB749C008F98

Function 004144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0043CC08), ref: 00414527
_wcslen.LIBCMT ref: 0041453B
_wcslen.LIBCMT ref: 00414599
_wcslen.LIBCMT ref: 004145F4
_wcslen.LIBCMT ref: 0041463F
_wcslen.LIBCMT ref: 004146A7

Part of subcall function 003BF9F2: _wcslen.LIBCMT ref: 003BF9FD

GetDriveTypeW.KERNEL32(?,00466BF0,00000061), ref: 00414743

Strings

ramdisk, xrefs: 004146F1
fixed, xrefs: 00414635, 0041463A
network, xrefs: 0041469D, 004146A2
all, xrefs: 00414531, 00414536
cdrom, xrefs: 0041458F, 00414594
unknown, xrefs: 00414708
removable, xrefs: 004145EA, 004145EF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6bd0e5827c1b6a20defc71d2ca102351cc282c5c8e9be2297ee57a9b16a7b609
Instruction ID: 8a7da634dbdd40d52a2cdc7ec30872954714d44af2a38248aedd49aaafe8bbd4
Opcode Fuzzy Hash: 6bd0e5827c1b6a20defc71d2ca102351cc282c5c8e9be2297ee57a9b16a7b609
Instruction Fuzzy Hash: 3AB1F1316083129FC710DF28C890AABB7E5EFE6724F50491EF596C7291D738D885CB96

Function 0043911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00439147

Part of subcall function 00437674: ClientToScreen.USER32(?,?), ref: 0043769A
Part of subcall function 00437674: GetWindowRect.USER32(?,?), ref: 00437710
Part of subcall function 00437674: PtInRect.USER32(?,?,00438B89), ref: 00437720

SendMessageW.USER32(?,000000B0,?,?), ref: 004391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00439225
SendMessageW.USER32(?,000000B0,?,?), ref: 0043923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00439255
SendMessageW.USER32(?,000000B1,?,?), ref: 00439277
DragFinish.SHELL32(?), ref: 0043927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00439371

Strings

@GUI_DRAGFILE, xrefs: 00439320
@GUI_DRAGID, xrefs: 004392E9
p#G, xrefs: 004392BB
@GUI_DROPID, xrefs: 0043929E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#G
API String ID: 221274066-2565994606
Opcode ID: ea41551ddacd03f5fc10966068c0152e6c01ef2876382606e17f81cefc36dffa
Instruction ID: 96e61e0b5b3fd3eccad2aed57530c1a54cbe71c100d3cf87002984a6cc936ffe
Opcode Fuzzy Hash: ea41551ddacd03f5fc10966068c0152e6c01ef2876382606e17f81cefc36dffa
Instruction Fuzzy Hash: D6618C71108300AFD701EF64DC85EAFBBE8EF89750F00192EF595A72A0DB749A49CB56

Function 003A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00471990), ref: 003E2F8D
GetMenuItemCount.USER32(00471990), ref: 003E303D
GetCursorPos.USER32(?), ref: 003E3081
SetForegroundWindow.USER32(00000000), ref: 003E308A
TrackPopupMenuEx.USER32(00471990,00000000,?,00000000,00000000,00000000), ref: 003E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003E30A9

Strings

0, xrefs: 003A327D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f4fd25c0e19427bf0973f91f16a7294b2e40b3e23012e9b18bac5e93f8d5f55
Instruction ID: f0021a7dad6a7b2246b50c64e0d903dc21c9d5104045d685c28edc05eb566a88
Opcode Fuzzy Hash: 5f4fd25c0e19427bf0973f91f16a7294b2e40b3e23012e9b18bac5e93f8d5f55
Instruction Fuzzy Hash: 5E711631644265BEFB229F26CC89FAABF68FF05324F204316F5156A1E0C7B1AD50CB94

Function 00436CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00436DEB

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00436E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00436E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00436E94
DestroyWindow.USER32(?), ref: 00436EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003A0000,00000000), ref: 00436EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00436EFD
GetDesktopWindow.USER32 ref: 00436F16
GetWindowRect.USER32(00000000), ref: 00436F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00436F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00436F4D

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

Strings

0, xrefs: 00436D98
tooltips_class32, xrefs: 00436E58, 00436EDD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: aafaaed627caf18b407a10f9884adb2e41e523258b6312bf753d100cbb3b05a7
Instruction ID: cb71e67071419594582a7825185350777e827cc7f7e1176d22a6214debfb3506
Opcode Fuzzy Hash: aafaaed627caf18b407a10f9884adb2e41e523258b6312bf753d100cbb3b05a7
Instruction Fuzzy Hash: 70717AB4104241AFDB21CF18D845BABBBE9FB89304F14542EFA9997260C774A946CF29

Function 0041C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0041C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0041C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0041C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0041C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0041C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0041C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0041C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0041C5F0
InternetCloseHandle.WININET(00000000), ref: 0041C5FB

Strings

, xrefs: 0041C575

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: cb4d714424c103d1c4ca76244ffdfb5312f5d4f0fd5ccce956d5a23621cdf0ba
Instruction ID: 6791a0c74ee515c7c0fb20cef3b29f7f9596d5719c84520882225d89b82afcea
Opcode Fuzzy Hash: cb4d714424c103d1c4ca76244ffdfb5312f5d4f0fd5ccce956d5a23621cdf0ba
Instruction Fuzzy Hash: F2515CB1540205BFDB218F61CDC8ABB7BBDFB08754F00442AF94596250DB38E9849B69

Function 0043856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00438592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385BA
GlobalLock.KERNEL32(00000000), ref: 004385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385D7
GlobalUnlock.KERNEL32(00000000), ref: 004385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0043FC38,?), ref: 00438611
GlobalFree.KERNEL32(00000000), ref: 00438621
GetObjectW.GDI32(?,00000018,?), ref: 00438641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00438671
DeleteObject.GDI32(?), ref: 00438699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004386AF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c5767d1c443a3c1ef1a5ede648b97c7d5981e3c03fd72f2c7e6e774d85ad41dc
Instruction ID: c3a257f48d76e4db6c5561f406dfc74bb236600e91580d2de8d630d4facead73
Opcode Fuzzy Hash: c5767d1c443a3c1ef1a5ede648b97c7d5981e3c03fd72f2c7e6e774d85ad41dc
Instruction Fuzzy Hash: 09411975600208BFDB119FA5CC89EABBBB8FF89711F109069F905E7260DB349901DB68

Function 004114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00411502
VariantCopy.OLEAUT32(?,?), ref: 0041150B
VariantClear.OLEAUT32(?), ref: 00411517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00411657
VariantInit.OLEAUT32(?), ref: 00411708
SysFreeString.OLEAUT32(?), ref: 0041178C
VariantClear.OLEAUT32(?), ref: 004117D8
VariantClear.OLEAUT32(?), ref: 004117E7
VariantInit.OLEAUT32(00000000), ref: 00411823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00411625
Default, xrefs: 004116AF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d1c687d37780c45a751b3319487b34c446c24a8b2602f02024dabda1ed445a12
Instruction ID: d95a5ef5e4365d6b433fba8efdbd0df15647efab2054d4bd200e233575fa9746
Opcode Fuzzy Hash: d1c687d37780c45a751b3319487b34c446c24a8b2602f02024dabda1ed445a12
Instruction Fuzzy Hash: 30D10031A00515EBDB009F64D884BFAB7B6BF45700F50805BE646AB6A0DB38DC81DB6A

Function 0042B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0042B80A
RegCloseKey.ADVAPI32(?), ref: 0042B87E
RegCloseKey.ADVAPI32(?), ref: 0042B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0042B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0042B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0042B922
FreeLibrary.KERNEL32(00000000), ref: 0042B983
RegCloseKey.ADVAPI32(00000000), ref: 0042B994

Strings

RegDeleteKeyExW, xrefs: 0042B8FE
advapi32.dll, xrefs: 0042B8ED

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 185b36a5c6eac1843c223fb5346e31e1063dde6b1697659ecc47852a5c072d37
Instruction ID: 9b78f770c9a065e63c6b528641616d36d8c2a662ac010487c2c975fd0b41b9a4
Opcode Fuzzy Hash: 185b36a5c6eac1843c223fb5346e31e1063dde6b1697659ecc47852a5c072d37
Instruction Fuzzy Hash: AEC19B34204211AFD715DF14D495F2ABBE5FF85308F54849DE4AA8B3A2CB39EC46CB86

Function 0042255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004225E8
CreateCompatibleDC.GDI32(?), ref: 004225F4
SelectObject.GDI32(00000000,?), ref: 00422601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0042266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004226D0
SelectObject.GDI32(?,?), ref: 004226D8
DeleteObject.GDI32(?), ref: 004226E1
DeleteDC.GDI32(?), ref: 004226E8
ReleaseDC.USER32(00000000,?), ref: 004226F3

Strings

(, xrefs: 0042268D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8cf977c1432992ac8de4dc8cb62edcb3cc1de23b621cc16df88d3c10ea5b7465
Instruction ID: a610a1e6fc4c62303778391155af3b4410c4b2f8ca1bfbd7c25da7f62649df79
Opcode Fuzzy Hash: 8cf977c1432992ac8de4dc8cb62edcb3cc1de23b621cc16df88d3c10ea5b7465
Instruction Fuzzy Hash: 96611376E00219EFCF14CFA4D984AAEBBB5FF48310F20842AE955A7250D374A941CFA4

Function 003DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003DDAA1

Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD659
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD66B
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD67D
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD68F
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6A1
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6B3
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6C5
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6D7
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6E9
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6FB
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD70D
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD71F
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD731

_free.LIBCMT ref: 003DDA96

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DDAB8
_free.LIBCMT ref: 003DDACD
_free.LIBCMT ref: 003DDAD8
_free.LIBCMT ref: 003DDAFA
_free.LIBCMT ref: 003DDB0D
_free.LIBCMT ref: 003DDB1B
_free.LIBCMT ref: 003DDB26
_free.LIBCMT ref: 003DDB5E
_free.LIBCMT ref: 003DDB65
_free.LIBCMT ref: 003DDB82
_free.LIBCMT ref: 003DDB9A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d1a8a17c117902ccb9d36eb53222d9071be21bb2064c0305a9c22b702a507209
Instruction ID: f70859866067eb71e8d257646cf248ea4a88fbefc414250ddf34f999b3483661
Opcode Fuzzy Hash: d1a8a17c117902ccb9d36eb53222d9071be21bb2064c0305a9c22b702a507209
Instruction Fuzzy Hash: 523127336046059FEB23AA39F845B6A77E9BB11314F16841BF459DB391EB31AC509B20

Function 0040365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0040369C
_wcslen.LIBCMT ref: 004036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00403797
GetClassNameW.USER32(?,?,00000400), ref: 0040380C
GetDlgCtrlID.USER32(?), ref: 0040385D
GetWindowRect.USER32(?,?), ref: 00403882
GetParent.USER32(?), ref: 004038A0
ScreenToClient.USER32(00000000), ref: 004038A7
GetClassNameW.USER32(?,?,00000100), ref: 00403921
GetWindowTextW.USER32(?,?,00000400), ref: 0040395D

Strings

%s%u, xrefs: 00403734

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7d132f093711efa666cc23125c26cbbb64a70e35e271c7a92f86ca170a643371
Instruction ID: fcd2eb23dd793ce094932065df43bbb7e29e527e00ea6b656471ff3102144e0e
Opcode Fuzzy Hash: 7d132f093711efa666cc23125c26cbbb64a70e35e271c7a92f86ca170a643371
Instruction Fuzzy Hash: B791B271204606AFD715DF24C885FAABBACFF44311F00853AF999E2290DB38AA45CB95

Function 00404954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00404994
GetWindowTextW.USER32(?,?,00000400), ref: 004049DA
_wcslen.LIBCMT ref: 004049EB
CharUpperBuffW.USER32(?,00000000), ref: 004049F7
_wcsstr.LIBVCRUNTIME ref: 00404A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00404A64
GetWindowTextW.USER32(?,?,00000400), ref: 00404A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00404AE6
GetClassNameW.USER32(?,?,00000400), ref: 00404B20
GetWindowRect.USER32(?,?), ref: 00404B8B

Strings

ThumbnailClass, xrefs: 00404A6F, 00404AF1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 68aaa4d791bbc9be6d5c29ba81f5c428b0f26e9997ebc42c67f6ba429bca580a
Instruction ID: edc2c711f9593472e22426604dabc1d3a5dbcc8bc9d669e6d8e44d02687bd4af
Opcode Fuzzy Hash: 68aaa4d791bbc9be6d5c29ba81f5c428b0f26e9997ebc42c67f6ba429bca580a
Instruction Fuzzy Hash: 1591BFB11082059BDB04DF14C985FAB77E8EF84314F04847AFE85AA2D6DB38ED45CBA5

Function 00438D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00438D5A
GetFocus.USER32 ref: 00438D6A
GetDlgCtrlID.USER32(00000000), ref: 00438D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00438E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00438ECF
GetMenuItemCount.USER32(?), ref: 00438EEC
GetMenuItemID.USER32(?,00000000), ref: 00438EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00438F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00438F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00438FA1

Strings

0, xrefs: 00438E9F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: b137d1077dfe30646d91a7d1e02b77621dfc13b101b42e755217330ed3657ecb
Instruction ID: d201a0ce6a05b0d3acf256b93a9cc5ac270fe3c449ab30380bcc4ab049a37d82
Opcode Fuzzy Hash: b137d1077dfe30646d91a7d1e02b77621dfc13b101b42e755217330ed3657ecb
Instruction Fuzzy Hash: A181AF71504311AFD710DF24C885AABBBE9FB8C314F14192EF995E7291DB38D901CB6A

Function 0040DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0040DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0040DC46
_wcslen.LIBCMT ref: 0040DC50
_wcsstr.LIBVCRUNTIME ref: 0040DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0040DCBC

Strings

%u.%u.%u.%u, xrefs: 0040DD9A
\VarFileInfo\Translation, xrefs: 0040DCB4
StringFileInfo\, xrefs: 0040DC8F
DefaultLangCodepage, xrefs: 0040DD1F
04090000, xrefs: 0040DCF2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3134fd2e52f7ff5627e17fc08978ef7d7903da592466bdc7861bd4d48a23af5a
Instruction ID: 8701963dfcf13c102c00b7629164a1192076774ca1bbd22e409ee8f1afef94c9
Opcode Fuzzy Hash: 3134fd2e52f7ff5627e17fc08978ef7d7903da592466bdc7861bd4d48a23af5a
Instruction Fuzzy Hash: 4441D2729402117AEB16A7B49C47FBF766CEF55710F10006AF900FA182EB78E90197A9

Function 0042CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0042CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0042CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0042CD48

Part of subcall function 0042CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0042CCAA
Part of subcall function 0042CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0042CCBD
Part of subcall function 0042CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0042CCCF
Part of subcall function 0042CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0042CD05
Part of subcall function 0042CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0042CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0042CCF3

Strings

RegDeleteKeyExW, xrefs: 0042CCC9
advapi32.dll, xrefs: 0042CCB8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: ed41dd44a551a5e32bd3ad9c009024017579a642967e73e733b31ed715413671
Instruction ID: 3de11a0a80c1ba161ccd2b37d1e287f863130df146706dade34e65187ef8ce40
Opcode Fuzzy Hash: ed41dd44a551a5e32bd3ad9c009024017579a642967e73e733b31ed715413671
Instruction Fuzzy Hash: A3318075A01128BBDB209BA1ECC8EFFBB7CEF05750F000166A905E3240D6789E45DBA8

Function 00413D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413D40
_wcslen.LIBCMT ref: 00413D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00413D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00413DBE
RemoveDirectoryW.KERNEL32(?), ref: 00413DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00413E55
CloseHandle.KERNEL32(00000000), ref: 00413E60
CloseHandle.KERNEL32(00000000), ref: 00413E6B

Strings

\, xrefs: 00413D77
:, xrefs: 00413D82
\??\%s, xrefs: 00413D5B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: decde630599e6d16043ece01bff69a25e4dc4c52c12ecc9133dbbbdbb8cfab3f
Instruction ID: 8bcb868f02e4550c3237c0a21393cd92a57e759b972973f6a02923b305808633
Opcode Fuzzy Hash: decde630599e6d16043ece01bff69a25e4dc4c52c12ecc9133dbbbdbb8cfab3f
Instruction Fuzzy Hash: 8431A672900219ABDB219FA0DC89FEF37BDEF88701F1041B6F509E6190E77497848B68

Function 0040E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0040E6B4

Part of subcall function 003BE551: timeGetTime.WINMM(?,?,0040E6D4), ref: 003BE555

Sleep.KERNEL32(0000000A), ref: 0040E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0040E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0040E727
SetActiveWindow.USER32 ref: 0040E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0040E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040E773
Sleep.KERNEL32(000000FA), ref: 0040E77E
IsWindow.USER32 ref: 0040E78A
EndDialog.USER32(00000000), ref: 0040E79B

Strings

BUTTON, xrefs: 0040E719

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5f7500b68968bba32c6c64cfd5211943b33b0229897d4f788d1c6327bd2f2e96
Instruction ID: af0ce38dcf9990f5bd6680aaecee24974ba3d6416d1017e4bba82811041a9ce8
Opcode Fuzzy Hash: 5f7500b68968bba32c6c64cfd5211943b33b0229897d4f788d1c6327bd2f2e96
Instruction Fuzzy Hash: DE21A474200200AFEB006F26EDC9A263B69F754349F641837F91AB22F1DBB99C509B1C

Function 0040E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0040EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0040EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0040EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0040EAA7

Strings

alias PlayMe, xrefs: 0040EA36
close PlayMe, xrefs: 0040EA6E, 0040EA9B
play PlayMe wait, xrefs: 0040EA91
status PlayMe mode, xrefs: 0040EA58
play PlayMe, xrefs: 0040EAA2
open , xrefs: 0040EA0C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7f4d75f8e166d8128b6b693def4787abe8384f55d59b1c26c8fcf0f8e75e788c
Instruction ID: da10adef6cbff220bdf3091305d73c81e39a54a030b20782dfb436bec1732408
Opcode Fuzzy Hash: 7f4d75f8e166d8128b6b693def4787abe8384f55d59b1c26c8fcf0f8e75e788c
Instruction Fuzzy Hash: 4111A771B5021979D710A762DC4AEFF6A7CEBD2B00F14083B7801B60D0EFB40919C9B5

Function 00405CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00405CE2
GetWindowRect.USER32(00000000,?), ref: 00405CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00405D59
GetDlgItem.USER32(?,00000002), ref: 00405D69
GetWindowRect.USER32(00000000,?), ref: 00405D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00405DCF
GetDlgItem.USER32(?,000003E9), ref: 00405DDD
GetWindowRect.USER32(00000000,?), ref: 00405DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00405E31
GetDlgItem.USER32(?,000003EA), ref: 00405E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00405E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00405E67

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 13ace6e1a6b15096f57f166ff1881416f0d2daa08bfdab1fbda7e262a3c8f5f3
Instruction ID: 2be87b58101cf934be9d5ec05496e16c5a1b58d4f0f39f4f2da63dac3b2b5e1a
Opcode Fuzzy Hash: 13ace6e1a6b15096f57f166ff1881416f0d2daa08bfdab1fbda7e262a3c8f5f3
Instruction Fuzzy Hash: 71510CB1A00615AFDB18CFA8DD89AAEBBB5EF48310F148139F915F6290D7749E00CF54

Function 003B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003B8BE8,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8FC5

DestroyWindow.USER32(?), ref: 003B8C81
KillTimer.USER32(00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 003F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000), ref: 003F69D4
DeleteObject.GDI32(00000000), ref: 003F69E6

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e8e5eadb0459c72ca0392a16a9b1105847083d38f826a6e873f534bab4bbae7f
Instruction ID: 7083e9088151983b7ea48545704c144088d6a236c493dc6fa427a7d39991c1c0
Opcode Fuzzy Hash: e8e5eadb0459c72ca0392a16a9b1105847083d38f826a6e873f534bab4bbae7f
Instruction Fuzzy Hash: 6C61CBB1102605DFCB269F18C949BB6BBF9FB4031AF15442DE2469AD70CB71A881DF98

Function 003B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

GetSysColor.USER32(0000000F), ref: 003B9862

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cea24e61f7e2803ed4f20842ff7217eb014307495e10d435cc04c27752e42ba4
Instruction ID: 59885ae78aa508b36f87dad7bc35b1c0067239a1a313ec6cd5d171003c7948e0
Opcode Fuzzy Hash: cea24e61f7e2803ed4f20842ff7217eb014307495e10d435cc04c27752e42ba4
Instruction Fuzzy Hash: 44418131104654AFDF225F389C88BF93BB5AB06334F254616FBA69B5E1D7319C42DB10

Function 003D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.<, xrefs: 003D903A, 003D8FD0, 003D8FF2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: .<
API String ID: 0-2261328457
Opcode ID: 0c0e066797d80318ba9dfc608e2cf0f01af1ffb603c9f61f28e32967befb345b
Instruction ID: 0802b572b18964438e24d3ce3ebda42b9ba9df9504e31d71cc1c2ba039e4e132
Opcode Fuzzy Hash: 0c0e066797d80318ba9dfc608e2cf0f01af1ffb603c9f61f28e32967befb345b
Instruction Fuzzy Hash: 0BC1D376A04249AFDB13DFA8F841BADBBB5BF09310F15409BF418AB392C7709941CB61

Function 004096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00409717
LoadStringW.USER32(00000000,?,003EF7F8,00000001), ref: 00409720

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00409742
LoadStringW.USER32(00000000,?,003EF7F8,00000001), ref: 00409745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00409866

Strings

Error: , xrefs: 0040981D
%s (%d) : ==> %s: %s %s, xrefs: 0040984A
Line %d (File "%s"):, xrefs: 0040978F
Line %d:, xrefs: 004097A0
^ ERROR, xrefs: 004097FB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 11f631f6fb0859ffb0335d7c125b5a2d74e72057f6b7ddf20ade8150f38492ff
Instruction ID: 55669efb921fe5f498efc755527c48322de471a1c25236d87306e2ec92fe900d
Opcode Fuzzy Hash: 11f631f6fb0859ffb0335d7c125b5a2d74e72057f6b7ddf20ade8150f38492ff
Instruction Fuzzy Hash: FA415E72900219AACF06FBE1CD86EEE7778EF15340F104066F50576092EB396F49CB65

Function 004006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00400804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0040082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00400837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0040083C

Strings

SOFTWARE\Classes\, xrefs: 0040070E
\IPC$, xrefs: 00400784
\CLSID, xrefs: 00400724

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 673009e13b0560d28d859f5668a7b32d3005b0cd0abc4474a231b5c80ec94aba
Instruction ID: 5f1bf343b23e293e2317fe30e332fcff3f0adf2f94a7f9c7d1ad1417ccd573b9
Opcode Fuzzy Hash: 673009e13b0560d28d859f5668a7b32d3005b0cd0abc4474a231b5c80ec94aba
Instruction Fuzzy Hash: EF41F876C10229ABDF16EFA4DC959EEB778FF04350F14416AE901B71A1EB349E04CBA0

Function 00423C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00423C5C
CoInitialize.OLE32(00000000), ref: 00423C8A
CoUninitialize.OLE32 ref: 00423C94
_wcslen.LIBCMT ref: 00423D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00423DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00423ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00423F0E
CoGetObject.OLE32(?,00000000,0043FB98,?), ref: 00423F2D
SetErrorMode.KERNEL32(00000000), ref: 00423F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00423FC4
VariantClear.OLEAUT32(?), ref: 00423FD8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 04428d68703df1ee80bdd62f8a6de7efa0301550fe9781ebf806688c713d3d39
Instruction ID: 1eca5fa2d7f2687796508f5444b463c44704e4a5ca1fee784b05aee40c02fbc1
Opcode Fuzzy Hash: 04428d68703df1ee80bdd62f8a6de7efa0301550fe9781ebf806688c713d3d39
Instruction Fuzzy Hash: C1C143716082119FC700DF28D88492BB7F9FF89749F40492EF98A9B211D738EE06CB56

Function 00417A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00417AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00417B8F
SHGetDesktopFolder.SHELL32(?), ref: 00417BA3
CoCreateInstance.OLE32(0043FD08,00000000,00000001,00466E6C,?), ref: 00417BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00417C74
CoTaskMemFree.OLE32(?,?), ref: 00417CCC
SHBrowseForFolderW.SHELL32(?), ref: 00417D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00417D7A
CoTaskMemFree.OLE32(00000000), ref: 00417D81
CoTaskMemFree.OLE32(00000000), ref: 00417DD6
CoUninitialize.OLE32 ref: 00417DDC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3b0008f2d22b61f3afdbace577ddda47c1762f59694e6d2860fdb7d0aa848bfc
Instruction ID: dbc5db3e986008b02a30c3a8be11093ae13527d45e112268186321955cb03983
Opcode Fuzzy Hash: 3b0008f2d22b61f3afdbace577ddda47c1762f59694e6d2860fdb7d0aa848bfc
Instruction Fuzzy Hash: A8C12B75A04109AFCB14DF64C884DAEBBF9FF49304B1484A9E916AB361D734EE81CB94

Function 0043541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00435504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00435515
CharNextW.USER32(00000158), ref: 00435544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00435585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0043559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004355AC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 3620b3a48c4fb185aafd928d9d3b7e825ce0fe0154e3bc267baae4161509046a
Instruction ID: 7722237046d400825e3090a6a6f5514e16f146a12a728404a93000532ea8236f
Opcode Fuzzy Hash: 3620b3a48c4fb185aafd928d9d3b7e825ce0fe0154e3bc267baae4161509046a
Instruction Fuzzy Hash: C161ADB1900608BBDF10DF54CC85AFF3BB9EF0D320F106156F925AA290D7789A81DB69

Function 003FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 003FFB08
VariantInit.OLEAUT32(?), ref: 003FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003FFB3A
VariantCopy.OLEAUT32(?,?), ref: 003FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003FFBA1
VariantClear.OLEAUT32(?), ref: 003FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 003FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003FFBCC
VariantClear.OLEAUT32(?), ref: 003FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003FFBE9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0fd6f51258f8e232135793e05a70ab89de3a85ec77a8b977244f748273e688f7
Instruction ID: 675e5c4f564e6a21de6241250522695c58cfcd1cf9be9a01c17d8eed20a3d1bd
Opcode Fuzzy Hash: 0fd6f51258f8e232135793e05a70ab89de3a85ec77a8b977244f748273e688f7
Instruction Fuzzy Hash: C2415F35A002199FCF05DFA8D8949BEBBB9EF18344F008079E915AB261CB34ED45CF90

Function 00409C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00409CA1
GetAsyncKeyState.USER32(000000A0), ref: 00409D22
GetKeyState.USER32(000000A0), ref: 00409D3D
GetAsyncKeyState.USER32(000000A1), ref: 00409D57
GetKeyState.USER32(000000A1), ref: 00409D6C
GetAsyncKeyState.USER32(00000011), ref: 00409D84
GetKeyState.USER32(00000011), ref: 00409D96
GetAsyncKeyState.USER32(00000012), ref: 00409DAE
GetKeyState.USER32(00000012), ref: 00409DC0
GetAsyncKeyState.USER32(0000005B), ref: 00409DD8
GetKeyState.USER32(0000005B), ref: 00409DEA

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 064892c78ce1381130a5e74d9446ee06768147a98b488f2c9e926e66be8d9290
Instruction ID: bdc5a8c402e34a795823b8b0e05b921e638237799105216bba14aab1c9a246c7
Opcode Fuzzy Hash: 064892c78ce1381130a5e74d9446ee06768147a98b488f2c9e926e66be8d9290
Instruction Fuzzy Hash: 8E4195349487CA69FF31966084443A7BEA06F51344F08807BDAC6767C3D7BD9DC4879A

Function 0042055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004205BC
inet_addr.WSOCK32(?), ref: 0042061C
gethostbyname.WSOCK32(?), ref: 00420628
IcmpCreateFile.IPHLPAPI ref: 00420636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004207B9
WSACleanup.WSOCK32 ref: 004207BF

Strings

Ping, xrefs: 00420676

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: aaaed48cec58a6198bfa58da06cf622b0593e738db01cc67579024287834cd0b
Instruction ID: df559fb28d0f3d04a21437edd660dc934c47a2efadf238e0b7191df5beb3c8c8
Opcode Fuzzy Hash: aaaed48cec58a6198bfa58da06cf622b0593e738db01cc67579024287834cd0b
Instruction Fuzzy Hash: C3919B35604211AFD720DF15D888F1ABBE0EF85318F5485AAE4699B7A3C738ED41CF86

Function 00428CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00428CF3

Part of subcall function 00408E54: _wcslen.LIBCMT ref: 00408E77

_wcslen.LIBCMT ref: 00428D4E
_wcslen.LIBCMT ref: 00428D9C
_wcslen.LIBCMT ref: 00428DDC
_wcslen.LIBCMT ref: 00428E6E

Strings

winapi, xrefs: 00428D96, 00428D9B
cdecl, xrefs: 00428D48, 00428D4D
none, xrefs: 00428E65, 00428E6A
stdcall, xrefs: 00428DD6, 00428DDB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b39538a8b9bcb5742abd246c046f4af9f8aec1b0f91049710b8072814dae21b9
Instruction ID: 44bf10b4878a644449f116a942a737ce04179e9a65b9e0c224984aeb977767c9
Opcode Fuzzy Hash: b39538a8b9bcb5742abd246c046f4af9f8aec1b0f91049710b8072814dae21b9
Instruction Fuzzy Hash: CB51C132B011269BCB14DF68D9409BEB3A5BF65324BA1422EE426EB3C5DF38DD40C794

Function 0042372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00423774
CoUninitialize.OLE32 ref: 0042377F
CoCreateInstance.OLE32(?,00000000,00000017,0043FB78,?), ref: 004237D9
IIDFromString.OLE32(?,?), ref: 0042384C
VariantInit.OLEAUT32(?), ref: 004238E4
VariantClear.OLEAUT32(?), ref: 00423936

Strings

Invalid parameter, xrefs: 00423865
Failed to create object, xrefs: 004237E4, 0042389A
NULL Pointer assignment, xrefs: 0042381E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 558332cc939a017b7aef6d83d66cf5f73fb68e81dd13404f9c9247e3bb1ba1dd
Instruction ID: e6012a1cd5728f76efe79131d2ee5a7f81086ecb6fffc02ab8334748b8f034c1
Opcode Fuzzy Hash: 558332cc939a017b7aef6d83d66cf5f73fb68e81dd13404f9c9247e3bb1ba1dd
Instruction Fuzzy Hash: CB61DE70708321AFD311EF14D888B5AB7F4EF89706F50481AF5859B291D778EE48CB9A

Function 00438B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

Part of subcall function 003B912D: GetCursorPos.USER32(?), ref: 003B9141
Part of subcall function 003B912D: ScreenToClient.USER32(00000000,?), ref: 003B915E
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000001), ref: 003B9183
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000002), ref: 003B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00438B6B
ImageList_EndDrag.COMCTL32 ref: 00438B71
ReleaseCapture.USER32 ref: 00438B77
SetWindowTextW.USER32(?,00000000), ref: 00438C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00438C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00438CFF

Strings

p#G, xrefs: 00438C71
@GUI_DRAGFILE, xrefs: 00438C9A
@GUI_DROPID, xrefs: 00438C51

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#G
API String ID: 1924731296-2487220254
Opcode ID: 671d83ad6104394049e78c517c38b15d1e199d5aeb8c638d8530f290c11779b3
Instruction ID: f68a06a48c2b9686e2119cb896ad3d4a0297c937bb595c8dd8fb4909bd87eb08
Opcode Fuzzy Hash: 671d83ad6104394049e78c517c38b15d1e199d5aeb8c638d8530f290c11779b3
Instruction Fuzzy Hash: 08517EB1104304AFD704EF14DC96FAA77E4FB88714F00162EFA566B2E1DB74A944CB66

Function 00413388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004133CF

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004133F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00413504
Error: , xrefs: 004134D1
Line %d (File "%s"):, xrefs: 00413443, 0041345C
Incorrect parameters to object property !, xrefs: 004134AB
"%s" (%d) : ==> %s:, xrefs: 00413522
^ ERROR , xrefs: 0041349E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: baac9557fccb78ea7646a6e13e1aeb702f05f999cd8c1c7dc3b260d959b57470
Instruction ID: 6ada7c641f59ecf679ddbff279dbc50655617171818e0a182992072d5f10b988
Opcode Fuzzy Hash: baac9557fccb78ea7646a6e13e1aeb702f05f999cd8c1c7dc3b260d959b57470
Instruction Fuzzy Hash: 6A51BF31900219BADF16EBE0CD46EEEB778EF05344F204066F405761A2EB392F98CB65

Function 0040B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0040B5FC
_wcslen.LIBCMT ref: 0040B608
_wcslen.LIBCMT ref: 0040B64D
_wcslen.LIBCMT ref: 0040B68C
_wcslen.LIBCMT ref: 0040B6C7

Strings

APPEND, xrefs: 0040B6C1, 0040B6C6
KEYS, xrefs: 0040B647, 0040B64C
REMOVE, xrefs: 0040B602, 0040B607
EXISTS, xrefs: 0040B686, 0040B68B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d0028e2769f3d20d01c323f82b1c506ef4f0b201736c3bb005f5aab89b2b5a3b
Instruction ID: 7934b067292c458a468e08e90f06a742dc9b02d0239dec9ee0b054ba857939e0
Opcode Fuzzy Hash: d0028e2769f3d20d01c323f82b1c506ef4f0b201736c3bb005f5aab89b2b5a3b
Instruction Fuzzy Hash: 5841E532A001279ACB105F7D88905BF77A5EBA0754B254A3BE421EB3C0E73ACD81C7D9

Function 00415393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00415416
GetLastError.KERNEL32 ref: 00415420
SetErrorMode.KERNEL32(00000000,READY), ref: 004154A7

Strings

INVALID, xrefs: 00415459
READONLY, xrefs: 00415452
READY, xrefs: 00415460, 00415468
NOTREADY, xrefs: 0041544B
UNKNOWN, xrefs: 00415444

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b567eb0f0f9fd99c0183a1957472a12fe2404a17fb1f051e8ab03fb6c77059ad
Instruction ID: 4d89bb0425ce0adf094a505938959399a2ffa88f0429c8533da10178c7b874f0
Opcode Fuzzy Hash: b567eb0f0f9fd99c0183a1957472a12fe2404a17fb1f051e8ab03fb6c77059ad
Instruction Fuzzy Hash: D5319A35A00604DFCB11DF68D884BEABBB4EB85305F14806AE405DB392EB79DDC6CB95

Function 00433C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00433C79
SetMenu.USER32(?,00000000), ref: 00433C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00433D10
IsMenu.USER32(?), ref: 00433D24
CreatePopupMenu.USER32 ref: 00433D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00433D5B
DrawMenuBar.USER32 ref: 00433D63

Strings

F, xrefs: 00433D4E
0, xrefs: 00433C54

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a9a0ac2c96ca606849ee7a12e44f29d677ccdd985748475ae55f5036310069eb
Instruction ID: d6ada5d6a22f6998ca93b78bf6168ba3d9afffce205708789b7c04200763d3f4
Opcode Fuzzy Hash: a9a0ac2c96ca606849ee7a12e44f29d677ccdd985748475ae55f5036310069eb
Instruction Fuzzy Hash: 01414AB9A01209EFDB14CF64D884EEA7BB5FF49351F141029F946A7360D774AA10CF98

Function 00401EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00401F64
GetDlgCtrlID.USER32 ref: 00401F6F
GetParent.USER32 ref: 00401F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00401F8E
GetDlgCtrlID.USER32(?), ref: 00401F97
GetParent.USER32(?), ref: 00401FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00401FAE

Strings

ComboBox, xrefs: 00401EEC
ListBox, xrefs: 00401F21

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d64c636206531a846266bdb94336ffd23829524f4c7318c5826a4d1ef8f3ebc4
Instruction ID: 888cb2ff503e6d09cea0e5b53c6027103e2e1d1454048744d8a72f0b4cd593c1
Opcode Fuzzy Hash: d64c636206531a846266bdb94336ffd23829524f4c7318c5826a4d1ef8f3ebc4
Instruction Fuzzy Hash: 2E21CF71900214BBCF05AFA0CC85EEEBBB8EF06350F104166F961B72E1DB385908DB68

Function 00433A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00433A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00433AA0
GetWindowLongW.USER32(?,000000F0), ref: 00433AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00433AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00433B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00433BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00433BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00433BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00433BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00433C13

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 548a153e97e779b950f3ef2f277ec884f0c3075451d54773041163589c9545ff
Instruction ID: d1f1b4e79a1fb6dffce8590996a017a8c6f719a0cc4f2c5b59e39deef2d1d6f8
Opcode Fuzzy Hash: 548a153e97e779b950f3ef2f277ec884f0c3075451d54773041163589c9545ff
Instruction Fuzzy Hash: 82617CB5900248AFDB10DF68CC81EEE77B8EB09700F1051AAFA15A73A2C774AE45DB54

Function 0040B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B165
GetWindowThreadProcessId.USER32(00000000), ref: 0040B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B21D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c62e38e02ddccd153977d85c9962fb3295f52531bd3b7f9fea663cc15ce34c81
Instruction ID: 13d2362a6080c2ed01788669f9034893ebf28b30a03b860172cf9ac2f0e063dd
Opcode Fuzzy Hash: c62e38e02ddccd153977d85c9962fb3295f52531bd3b7f9fea663cc15ce34c81
Instruction Fuzzy Hash: B4319371540204BFDB109F64DC89B6E7BA9FB61356F10483AF905E63D0D7B899808FAC

Function 003D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003D2C94

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003D2CA0
_free.LIBCMT ref: 003D2CAB
_free.LIBCMT ref: 003D2CB6
_free.LIBCMT ref: 003D2CC1
_free.LIBCMT ref: 003D2CCC
_free.LIBCMT ref: 003D2CD7
_free.LIBCMT ref: 003D2CE2
_free.LIBCMT ref: 003D2CED
_free.LIBCMT ref: 003D2CFB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea64cddd3dd496f8e3033c63211423faad9333478f737b8f4b6548da0034d65d
Instruction ID: 45ea39fa0ff8b617b8cdb3acba249ff89d40f3ae2acd4a588b5f1175d8718828
Opcode Fuzzy Hash: ea64cddd3dd496f8e3033c63211423faad9333478f737b8f4b6548da0034d65d
Instruction Fuzzy Hash: D0119676100108AFCB02EF54E852CDE3BA5FF16350F4144A6F9485F322D731EE60AB90

Function 00417DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00417FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00417FC1
GetFileAttributesW.KERNEL32(?), ref: 00417FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00418005
SetCurrentDirectoryW.KERNEL32(?), ref: 00418017
SetCurrentDirectoryW.KERNEL32(?), ref: 00418060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004180B0

Strings

*.*, xrefs: 00418066

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dacd7adc6c3bbb02124332d33df68ba65ee260dc4b2979210a9872ac6f8234ea
Instruction ID: 7ab184d8286487bb84215e5e24dd9185a61e120d115292d17c48f4bb468b6688
Opcode Fuzzy Hash: dacd7adc6c3bbb02124332d33df68ba65ee260dc4b2979210a9872ac6f8234ea
Instruction Fuzzy Hash: CE8180725083459BCB20EF14C884AABB7E8FF89314F14486FF885DB250EB39DD858B56

Function 003A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003A5C7A

Part of subcall function 003A5D0A: GetClientRect.USER32(?,?), ref: 003A5D30
Part of subcall function 003A5D0A: GetWindowRect.USER32(?,?), ref: 003A5D71
Part of subcall function 003A5D0A: ScreenToClient.USER32(?,?), ref: 003A5D99

GetDC.USER32 ref: 003E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003E4708
SelectObject.GDI32(00000000,00000000), ref: 003E4716
SelectObject.GDI32(00000000,00000000), ref: 003E472B
ReleaseDC.USER32(?,00000000), ref: 003E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003E47C4

Strings

U, xrefs: 003E4693

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 54eb4d00e690cc6a87a66144c9abdcb070bd131c5b998f53eb9d133f874b860a
Instruction ID: 0f0a3a8104cfa1588fea16557f52f7909139fa97b40f12e03c35bfbcd88188a6
Opcode Fuzzy Hash: 54eb4d00e690cc6a87a66144c9abdcb070bd131c5b998f53eb9d133f874b860a
Instruction Fuzzy Hash: D171F030400255EFCF228F65C984ABA7BB5FF4E325F154369ED656A2AAC3318881DF90

Function 0041359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004135E4

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

LoadStringW.USER32(00472390,?,00000FFF,?), ref: 0041360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00413724
Error: , xrefs: 004136EF
Line %d (File "%s"):, xrefs: 0041366B
"%s" (%d) : ==> %s:, xrefs: 00413742
^ ERROR, xrefs: 004136C9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a79c8f2e47cd38c24afcd68fd7d4debbad9ff83dab99f7d2f4ad30859a5686d8
Instruction ID: edf4452e5fd01d3ce2929dc150d886e47e14abcb9deabf8aaabb8d783e7c0ff4
Opcode Fuzzy Hash: a79c8f2e47cd38c24afcd68fd7d4debbad9ff83dab99f7d2f4ad30859a5686d8
Instruction Fuzzy Hash: 90519F71900219BADF16EFA0CC42EEEBB38EF05341F144126F515761A2EB341B99DFA9

Function 0041C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0041C2CA
GetLastError.KERNEL32 ref: 0041C322
SetEvent.KERNEL32(?), ref: 0041C336
InternetCloseHandle.WININET(00000000), ref: 0041C341

Strings

, xrefs: 0041C2BB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8806408821ca41e1558cb39915bbb368ad75b8c2c855b58c5c61546cd8aca004
Instruction ID: 07fce0a917f2901ff2977c139ac8c833923c2aecc6e68b3d2704a8f53c798172
Opcode Fuzzy Hash: 8806408821ca41e1558cb39915bbb368ad75b8c2c855b58c5c61546cd8aca004
Instruction Fuzzy Hash: AF31A2B1540208AFD7219F65CCC8AEB7BFCEB49744F10852EF856D2240DB38DD858BA9

Function 0040989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003E3AAF,?,?,Bad directive syntax error,0043CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004098BC
LoadStringW.USER32(00000000,?,003E3AAF,?), ref: 004098C3

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00409987

Strings

Error: , xrefs: 00409955
Line %d (File "%s"):, xrefs: 0040992D
Line %d:, xrefs: 00409912
., xrefs: 0040996D
%s (%d) : ==> %s.: %s %s, xrefs: 004098F1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b64c9c0833a782f65351718ba0d2b619435566272a97c568bbca0a522756b881
Instruction ID: f5f73dedee925d544187d068f9674e6e5990a5ce9f25d51f5d11ffbd43b67287
Opcode Fuzzy Hash: b64c9c0833a782f65351718ba0d2b619435566272a97c568bbca0a522756b881
Instruction Fuzzy Hash: 4721A032D0021AABCF12AF90CC0AFEE7739FF19304F04446AF5157A0A2EB359A18CB55

Function 0040209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0040214D

Strings

details, xrefs: 004020FB
list, xrefs: 0040212F
SHELLDLL_DefView, xrefs: 004020CC
smallicons, xrefs: 00402115
largeicons, xrefs: 004020E1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5acba7149dfc032e685eaf898a52a076a211f5d59503e08e44dd338d83044125
Instruction ID: 3fc56472513419668c1b937f56ec6edc055a7c0ad5a3a85df40ce0caabbb9143
Opcode Fuzzy Hash: 5acba7149dfc032e685eaf898a52a076a211f5d59503e08e44dd338d83044125
Instruction Fuzzy Hash: F611C17A688706B9FA1626209C0BEA7779C9B05724F20013BFA04B91D2FAB97C52561D

Function 003DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003DCEB7
_free.LIBCMT ref: 003DCF22
_free.LIBCMT ref: 003DCF48
_free.LIBCMT ref: 003DCF71
_free.LIBCMT ref: 003DCFA9
_free.LIBCMT ref: 003DCFDA
_free.LIBCMT ref: 003DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003DD09C
_free.LIBCMT ref: 003DD0B5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 609574e9cc03b9642dbf23a9258364b76d6a6bbe89059f64fe5b3b993175eeff
Instruction ID: 13cd215db18a260d9dc6b29b112ecbc9de180c822a5d93cc312c3dd3dfa6dcde
Opcode Fuzzy Hash: 609574e9cc03b9642dbf23a9258364b76d6a6bbe89059f64fe5b3b993175eeff
Instruction Fuzzy Hash: 246126B3925302AFDB33AFB4B885AAA7BA9AF05310F05416FF9449B381D7319D41D750

Function 003B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003B8874,00000000,00000000,00000000,000000FF,00000000), ref: 003F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003B8874,00000000,00000000,00000000,000000FF,00000000), ref: 003F692D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: adb64b27dccd561d648a5a39fef78758926a52d49ea5bb98478700bc7ade42e4
Instruction ID: 9cfe1cbaa1101e5ac39121194e59976bcf0a39effc0552766eb470b646548a85
Opcode Fuzzy Hash: adb64b27dccd561d648a5a39fef78758926a52d49ea5bb98478700bc7ade42e4
Instruction Fuzzy Hash: 66519FB0600209EFDB21CF25CC96FAA7BB9FF44754F104528FA16A76A0DB70E991DB50

Function 0041C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0041C182
GetLastError.KERNEL32 ref: 0041C195
SetEvent.KERNEL32(?), ref: 0041C1A9

Part of subcall function 0041C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041C272
Part of subcall function 0041C253: GetLastError.KERNEL32 ref: 0041C322
Part of subcall function 0041C253: SetEvent.KERNEL32(?), ref: 0041C336
Part of subcall function 0041C253: InternetCloseHandle.WININET(00000000), ref: 0041C341

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8c164ed7fbd708b3b1f89ef2d1980fc2fb8f1ec5d3f1739d6b83bb33044e6f4e
Instruction ID: 70028cc5ba43088e6073bab0ab1c4c0719307ee255c30ca20d903655e36b8bba
Opcode Fuzzy Hash: 8c164ed7fbd708b3b1f89ef2d1980fc2fb8f1ec5d3f1739d6b83bb33044e6f4e
Instruction Fuzzy Hash: 1331A371980601BFDB219FA5DD84AABBBF9FF18300B00546EF95692610C734E854DFA8

Function 004025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00402601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00402605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0040260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00402623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 12b6dc7a8cb1ebefae1a78869921199e68c6f19b4f444977780130883e7aa1a1
Instruction ID: c52432a92790e778ea98707fcdd21af39e386d05378f9825adb1369813ac1b85
Opcode Fuzzy Hash: 12b6dc7a8cb1ebefae1a78869921199e68c6f19b4f444977780130883e7aa1a1
Instruction Fuzzy Hash: 9601B131390210BBFB106B699CCAF593E59DB4AB12F101026F318BE0D1C9F224449E6E

Function 00401803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00401449,?,?,00000000), ref: 0040180C
HeapAlloc.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 00401813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00401449,?,?,00000000), ref: 00401828
GetCurrentProcess.KERNEL32(?,00000000,?,00401449,?,?,00000000), ref: 00401830
DuplicateHandle.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 00401833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00401449,?,?,00000000), ref: 00401843
GetCurrentProcess.KERNEL32(00401449,00000000,?,00401449,?,?,00000000), ref: 0040184B
DuplicateHandle.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 0040184E
CreateThread.KERNEL32(00000000,00000000,00401874,00000000,00000000,00000000), ref: 00401868

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 81a0a3695e7fc6ba3adece8c6e9561eb67eb5078eea46ceceba4ee73d95610d4
Instruction ID: 1c2eee257fbb7ad4a3a4a72839d85a4d81d633495402ab1cf62c9d63f3403bd1
Opcode Fuzzy Hash: 81a0a3695e7fc6ba3adece8c6e9561eb67eb5078eea46ceceba4ee73d95610d4
Instruction Fuzzy Hash: 3101AC75240304BFEA10AB65DC89F573B6CEB89B11F005421FA05EB1A1C6749C109F24

Function 003D3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003D3F0B
__alldvrm.LIBCMT ref: 003D410C
__alldvrm.LIBCMT ref: 003D412E

Strings

}}<, xrefs: 003D40CD
}}<, xrefs: 003D3E96, 003D3EF1, 003D3F0A, 003D4090
}}<, xrefs: 003D3E8A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}<$}}<$}}<
API String ID: 1036877536-1894432127
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 968f8a436d4f429c2e28fff9ef2c7b1f4a153eae24a46a9cdf1db467072631f8
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 32A12473E002869FDB278F28D8917AEBBE9EF61350F19416EE5859B381C2388D81C751

Function 0042A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0040D501
Part of subcall function 0040D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0040D50F
Part of subcall function 0040D4DC: CloseHandle.KERNELBASE(00000000), ref: 0040D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042A16D
GetLastError.KERNEL32 ref: 0042A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0042A268
GetLastError.KERNEL32(00000000), ref: 0042A273
CloseHandle.KERNEL32(00000000), ref: 0042A2C4

Strings

SeDebugPrivilege, xrefs: 0042A18F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: db92edf967cd062671da51e4c3fd663c0d185668cf8482a31f087559b90067b7
Instruction ID: e2d07adaab44e7c725acd4aec5816168b259f2db68fb7b4a485633310c7d5e7d
Opcode Fuzzy Hash: db92edf967cd062671da51e4c3fd663c0d185668cf8482a31f087559b90067b7
Instruction Fuzzy Hash: E061AD302042529FD720DF14D494F26BBE1AF44318F58849DE8668F7A3C77AEC55CB96

Function 00433886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00433925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0043393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00433954
_wcslen.LIBCMT ref: 00433999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004339F4

Strings

SysListView32, xrefs: 004338F7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0e23ac55c79335dbb3b963341d7f33e2f360a73dafefaf411536521275138c9e
Instruction ID: 97d6a9bdd931b8303aeab7e19ac08d604e99a096e07f32669d1563e04db90d3f
Opcode Fuzzy Hash: 0e23ac55c79335dbb3b963341d7f33e2f360a73dafefaf411536521275138c9e
Instruction Fuzzy Hash: 5341A171A00218ABEB219F64CC45FEB7BA9EF0C354F10112AF958E7291D7759D80CB94

Function 0040BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0040BCFD
IsMenu.USER32(00000000), ref: 0040BD1D
CreatePopupMenu.USER32 ref: 0040BD53
GetMenuItemCount.USER32(016E6538), ref: 0040BDA4
InsertMenuItemW.USER32(016E6538,?,00000001,00000030), ref: 0040BDCC

Strings

2, xrefs: 0040BD37
0, xrefs: 0040BCA8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7562488aa2a718f249cd077f74d1614f838dd5bac15c6885bc373078421d0bca
Instruction ID: 569ca6a6e73839d58a55cbb3b447dac6ffcdaff8830c89f061050e255617b289
Opcode Fuzzy Hash: 7562488aa2a718f249cd077f74d1614f838dd5bac15c6885bc373078421d0bca
Instruction Fuzzy Hash: 49519C70A00206EBDB11DFA9C884BAEBBE5EF45314F14423AE851B72D0D7789941CBAD

Function 003C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 003C2D53
_ValidateLocalCookies.LIBCMT ref: 003C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 003C2E0C
_ValidateLocalCookies.LIBCMT ref: 003C2E61

Strings

&H<, xrefs: 003C2DFE, 003C2E07, 003C2E18
csm, xrefs: 003C2DF6

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H<$csm
API String ID: 1170836740-2692662189
Opcode ID: e91ea5290bbfb4aa566fd38ce2bde86e173bd1abe89201570ed17d499ba4e45d
Instruction ID: d5d7b551be428dc9c0c56cce59d41d2ac98676b7768cde8477165468b5457e05
Opcode Fuzzy Hash: e91ea5290bbfb4aa566fd38ce2bde86e173bd1abe89201570ed17d499ba4e45d
Instruction Fuzzy Hash: B641A334A00209ABCF11DF68C849F9FBBA5BF44324F158169E825EB252DB319E15CB91

Function 0040C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0040C913

Strings

info, xrefs: 0040C8B4
warning, xrefs: 0040C8FC
question, xrefs: 0040C8CC
stop, xrefs: 0040C8E4
blank, xrefs: 0040C895

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 61c24a9cc461592f2e298c4e3f159e91b220a4f95b16da5981b0e025a7ef2af6
Instruction ID: f23ec5bc3c4509ddd30e4d15ac1361ff274994292d79abd636ea1b93dd4ec7dc
Opcode Fuzzy Hash: 61c24a9cc461592f2e298c4e3f159e91b220a4f95b16da5981b0e025a7ef2af6
Instruction Fuzzy Hash: C4112B76689306FAE7056B149CC2EAB279CDF15315B20413FF904F62C2E7786D0153AD

Function 0040DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0040DE42
gethostname.WSOCK32(?,00000100), ref: 0040DE5C
gethostbyname.WSOCK32(?), ref: 0040DE69
inet_ntoa.WSOCK32(?), ref: 0040DEAB
_strcat.LIBCMT ref: 0040DEB9
WSACleanup.WSOCK32 ref: 0040DEDE

Strings

0.0.0.0, xrefs: 0040DE87

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 86b5a828894152a2e47faf196447b4134a613e4aeb2766a2bec06c860e9d9723
Instruction ID: 984ad9bc1464aa79bf7a65dca95e023cdd61fdf7f3b8ef2f5995d26e2ffd3f22
Opcode Fuzzy Hash: 86b5a828894152a2e47faf196447b4134a613e4aeb2766a2bec06c860e9d9723
Instruction Fuzzy Hash: 9711E132904115ABCB25BBA0DC4AEEF77ACDB11711F00017AF505FA1D1EF799A858BA8

Function 0040ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040ED2A
_wcslen.LIBCMT ref: 0040ED3B
_wcslen.LIBCMT ref: 0040ED79
_wcslen.LIBCMT ref: 0040EDAF
_wcslen.LIBCMT ref: 0040EDDF
_wcslen.LIBCMT ref: 0040EDEF
_wcslen.LIBCMT ref: 0040EE2B
_wcslen.LIBCMT ref: 0040EE5A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c476e1b9aefc70702912c4485b21a70431a3358da45d530d23f6a5b169b73dc6
Instruction ID: cf65b18c56c928277632d96baf1db032e405b799b951b2f39693b8e25f66ff3b
Opcode Fuzzy Hash: c476e1b9aefc70702912c4485b21a70431a3358da45d530d23f6a5b169b73dc6
Instruction Fuzzy Hash: C441A365C1011875CB12EBB5C88AECFB7A8AF45310F50886AF518F7162FB34D655C3E9

Function 003BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003FF454

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e5dc07115bf83816e1aab446f6dd1fdc835d31070375f65483605319c009afc1
Instruction ID: c601ed16078f96572bb6fc000f3ebd7f515f830ecfa404577a1f8ad4ced90922
Opcode Fuzzy Hash: e5dc07115bf83816e1aab446f6dd1fdc835d31070375f65483605319c009afc1
Instruction Fuzzy Hash: E8411831608680FEC73B9B2D8C887BA7B95AF5631CF15643DE78766D60C731A880DB11

Function 00432D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00432D1B
GetDC.USER32(00000000), ref: 00432D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00432D2E
ReleaseDC.USER32(00000000,00000000), ref: 00432D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00432D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00432D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00435A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00432DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00432DE1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b47701cc55e161813a2d6314af986943099c13cb9c63b6be82a5ee760cfd13f5
Instruction ID: c8ff134d6e0277581398eff177ba3f4d1bfd8ac94c11edc6cdd9296bcbaf68aa
Opcode Fuzzy Hash: b47701cc55e161813a2d6314af986943099c13cb9c63b6be82a5ee760cfd13f5
Instruction Fuzzy Hash: 9A318072201214BFEB114F50CC8AFEB3FADEF09755F045065FE48AA291C6B59C51CBA8

Function 00405622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00405637
_memcmp.LIBVCRUNTIME ref: 00405659
_memcmp.LIBVCRUNTIME ref: 00405671
_memcmp.LIBVCRUNTIME ref: 00405684
_memcmp.LIBVCRUNTIME ref: 0040569E
_memcmp.LIBVCRUNTIME ref: 004056B1
_memcmp.LIBVCRUNTIME ref: 004056C9
_memcmp.LIBVCRUNTIME ref: 004056E4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c402720adaaac4ee533c0df7d35a1906387282ffde2fb2d9702147adbf70b8a5
Instruction ID: 9e3b75ea010724389bb5f503869a8374363d7f27ee83a7e45d8ef185f2b022ef
Opcode Fuzzy Hash: c402720adaaac4ee533c0df7d35a1906387282ffde2fb2d9702147adbf70b8a5
Instruction Fuzzy Hash: F7212865A40A0877D20455208E82FBB334CFE26388F501437FD08AE6C2F73AED159EAD

Function 00424FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00425007
NULL Pointer assignment, xrefs: 0042502E, 00425383

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5e099eb0730d66bbbf1312274adf4f5966399f68cc541352166d5f7fcc92cf15
Instruction ID: 232189fcb9211675c6ae88241a25c90232888f2e0e9b89793dd8ebfe0f1dc20a
Opcode Fuzzy Hash: 5e099eb0730d66bbbf1312274adf4f5966399f68cc541352166d5f7fcc92cf15
Instruction Fuzzy Hash: 76D1A071B0061A9FDF10CF98E880BAEB7B5BF48344F54806AE915AB381E774DD41CBA4

Function 003E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003E17FB,?,003E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003E16FB

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003E1777
__freea.LIBCMT ref: 003E17A2
__freea.LIBCMT ref: 003E17AE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b3cb9c871e0b25ad8ac93daa40b1adc07d525bfc9f0817d63876b4021bf53ac3
Instruction ID: a31ef1898c1aa1e268f4f7b3ce876149544b08c8a9415ca8470e98b2b894cfb5
Opcode Fuzzy Hash: b3cb9c871e0b25ad8ac93daa40b1adc07d525bfc9f0817d63876b4021bf53ac3
Instruction Fuzzy Hash: BE91C672E002A69ADF228F76C881EEE7BB5AF45710F194769E801E72C1D735DD44CB60

Function 00424523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00424648
VariantInit.OLEAUT32(?), ref: 00424749
VariantClear.OLEAUT32(?), ref: 00424753
VariantClear.OLEAUT32(?), ref: 004247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0042472C
Null Object assignment in FOR..IN loop, xrefs: 004245D8, 00424706, 004247BE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 01eda4fb0fb237b084d5d48b982b519d3c8220fbc8173203f7c7c65e05a7f1ad
Instruction ID: 2002acd2d66689edc96852eb29423560910d86cbe2af9ff1eea8eedf08115d42
Opcode Fuzzy Hash: 01eda4fb0fb237b084d5d48b982b519d3c8220fbc8173203f7c7c65e05a7f1ad
Instruction Fuzzy Hash: 8F919371A00225AFDF20CFA5D844FAFBBB8EF86714F10855AF515AB280D7789941CFA4

Function 00411187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0041125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00411284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0041135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00411430

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 72265dc4b1d90ffbeb1f3d395ef48fac8755fc2516b17693d982df3300666965
Instruction ID: ada8e3125044e1dd3d7c48dc9f5b1b5b7cc70aaeb14401aa21f108bb491f9cd2
Opcode Fuzzy Hash: 72265dc4b1d90ffbeb1f3d395ef48fac8755fc2516b17693d982df3300666965
Instruction Fuzzy Hash: 34912671A002199FDB01DFA4D884BFEB7B5FF45714F14402AEA01EB2A1D778A981CF99

Function 003B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5c0e996fae05dce471ca976eca2451533a6367ce7689dfb4a92f0f353dc8d951
Instruction ID: 38bcddd4719c59717dd16acba27f865518173538992aab0a6f130280c1b50423
Opcode Fuzzy Hash: 5c0e996fae05dce471ca976eca2451533a6367ce7689dfb4a92f0f353dc8d951
Instruction Fuzzy Hash: 68916971D40219EFCB16CFA9CC84AEEBBB8FF49324F148456E615B7251D374AA41CBA0

Function 00423947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0042396B
CharUpperBuffW.USER32(?,?), ref: 00423A7A
_wcslen.LIBCMT ref: 00423A8A
VariantClear.OLEAUT32(?), ref: 00423C1F

Part of subcall function 00410CDF: VariantInit.OLEAUT32(00000000), ref: 00410D1F
Part of subcall function 00410CDF: VariantCopy.OLEAUT32(?,?), ref: 00410D28
Part of subcall function 00410CDF: VariantClear.OLEAUT32(?), ref: 00410D34

Strings

AUTOIT.ERROR, xrefs: 00423A80, 00423A85
Incorrect Parameter format, xrefs: 004239A6, 00423BA1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 49fe47c65a6f3abbff4ed683d12f6f6cc36f0754b192ed815b96d6f3ad09163f
Instruction ID: d66e608501fa3b14dedceabb4fb70d8968872d23830b93e2734ceee8a8854124
Opcode Fuzzy Hash: 49fe47c65a6f3abbff4ed683d12f6f6cc36f0754b192ed815b96d6f3ad09163f
Instruction Fuzzy Hash: 6F9165756083119FC700EF24D48096ABBE4FF89314F04882EF88A9B351DB38EE45CB96

Function 00424BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0040000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?,?,0040035E), ref: 0040002B
Part of subcall function 0040000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400046
Part of subcall function 0040000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400054
Part of subcall function 0040000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?), ref: 00400064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00424C51
_wcslen.LIBCMT ref: 00424D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00424DCF
CoTaskMemFree.OLE32(?), ref: 00424DDA

Strings

NULL Pointer assignment, xrefs: 00424E23, 00424E52

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2d26ffd265d9261955110aa6b357c473356936b336e0f656a1e607162f0a55fd
Instruction ID: 0e0386e66f2cfb03805de32f1e34fdb9e99b7f012aaf28500c6822b7df31c25b
Opcode Fuzzy Hash: 2d26ffd265d9261955110aa6b357c473356936b336e0f656a1e607162f0a55fd
Instruction Fuzzy Hash: D8912671D00229AFDF15DFA4D881AEEB7B8FF48304F50816AE915BB241DB389A45CF64

Function 004320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00432183
GetMenuItemCount.USER32(00000000), ref: 004321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004321DD
_wcslen.LIBCMT ref: 00432213
GetMenuItemID.USER32(?,?), ref: 0043224D
GetSubMenu.USER32(?,?), ref: 0043225B

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004322E3

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5e743fe25b4331f2b9791470c41ad4a2a7effc6e61dbf4b3d603bfbfa6378483
Instruction ID: 941506635308971e7d34904a5a718e368464f474ceaae419ff4c9c9b4e40cae3
Opcode Fuzzy Hash: 5e743fe25b4331f2b9791470c41ad4a2a7effc6e61dbf4b3d603bfbfa6378483
Instruction Fuzzy Hash: 0671AF35A00215AFCB11EF64C981AAEB7F1EF4D310F1094AAE916FB351D778ED418B94

Function 0040AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040AEF9
GetKeyboardState.USER32(?), ref: 0040AF0E
SetKeyboardState.USER32(?), ref: 0040AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0040AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0040AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0040AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0040B020

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1299dfce9ef73ab23abefaa01f2efe37a76270fc239d79dc75d8ab0828f4618d
Instruction ID: f6b91e0cf5d6d1637bd32f162d5995f1336e43e8b96792ae84184ce6e27a9a3a
Opcode Fuzzy Hash: 1299dfce9ef73ab23abefaa01f2efe37a76270fc239d79dc75d8ab0828f4618d
Instruction Fuzzy Hash: D951B4A06047D63DFB368334C845BBB7EA99B06304F0885AAE1D5655C2C3BCACD4D799

Function 0040ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0040AD19
GetKeyboardState.USER32(?), ref: 0040AD2E
SetKeyboardState.USER32(?), ref: 0040AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0040ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0040ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0040AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0040AE38

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c3600d5b4c6129068d7a5d19e558d911e8b47b74264f7b4d3b6cb73057f7f75e
Instruction ID: 2da1397768b04de001af7f66cbd87115695ee67f03b7927b56f7cee0efe9f4c5
Opcode Fuzzy Hash: c3600d5b4c6129068d7a5d19e558d911e8b47b74264f7b4d3b6cb73057f7f75e
Instruction Fuzzy Hash: 4051E4A15447D13DFB328334CC85B7B7E995F46300F0884AAE1D5669C2D2BCECA8D79A

Function 003D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(003E3CD6,?,?,?,?,?,?,?,?,003D5BA3,?,?,003E3CD6,?,?), ref: 003D5470
__fassign.LIBCMT ref: 003D54EB
__fassign.LIBCMT ref: 003D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003E3CD6,00000005,00000000,00000000), ref: 003D552C
WriteFile.KERNEL32(?,003E3CD6,00000000,003D5BA3,00000000,?,?,?,?,?,?,?,?,?,003D5BA3,?), ref: 003D554B
WriteFile.KERNEL32(?,?,00000001,003D5BA3,00000000,?,?,?,?,?,?,?,?,?,003D5BA3,?), ref: 003D5584

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 57807862d1e9a389af525bec7734a5d657c2da953fa97a13171fbb8aa21fc72f
Instruction ID: d98e2f5a675d717a074a9000fb700d8987bff1eb67670a18018459403e99e302
Opcode Fuzzy Hash: 57807862d1e9a389af525bec7734a5d657c2da953fa97a13171fbb8aa21fc72f
Instruction Fuzzy Hash: 0A51D7719006499FDB12CFA8E881AEEBBF9EF09300F14411BF556E7391D7309A41CB60

Function 004210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042304E: inet_addr.WSOCK32(?), ref: 0042307A
Part of subcall function 0042304E: _wcslen.LIBCMT ref: 0042309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00421112
WSAGetLastError.WSOCK32 ref: 00421121
WSAGetLastError.WSOCK32 ref: 004211C9
closesocket.WSOCK32(00000000), ref: 004211F9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 58e0af90ac755396ed007fa2b5d19fdb22e7e542ceb1e6e568a7998ecb008854
Instruction ID: acf3ff6c155c22310db818a584a13eb73091ee5c6323ae544844026af9a07b2a
Opcode Fuzzy Hash: 58e0af90ac755396ed007fa2b5d19fdb22e7e542ceb1e6e568a7998ecb008854
Instruction Fuzzy Hash: 7241D731600214AFDB109F14D885BBAB7E9FF45314F54806AFD15AB291C778AE41CBE5

Function 0040CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0040CF22,?), ref: 0040DDFD

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0040CF22,?), ref: 0040DE16

lstrcmpiW.KERNEL32(?,?), ref: 0040CF45
MoveFileW.KERNEL32(?,?), ref: 0040CF7F
_wcslen.LIBCMT ref: 0040D005
_wcslen.LIBCMT ref: 0040D01B
SHFileOperationW.SHELL32(?), ref: 0040D061

Strings

\*.*, xrefs: 0040CFF3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4c2fa0f077dd90f5c785acf4b287ea178ec0969dee40806ea32947ed838fd3f5
Instruction ID: c2e5193e7ac4a0a6e6c8bd70fe0fd4d729ba691681f81270c497df80124d6d47
Opcode Fuzzy Hash: 4c2fa0f077dd90f5c785acf4b287ea178ec0969dee40806ea32947ed838fd3f5
Instruction Fuzzy Hash: 62415771D452199EDF12EBA4D981EDE77B8AF08340F1000FBE505FB181EB38AA48CB55

Function 00432DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00432E1C
GetWindowLongW.USER32(?,000000F0), ref: 00432E4F
GetWindowLongW.USER32(?,000000F0), ref: 00432E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00432EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00432EE0
GetWindowLongW.USER32(?,000000F0), ref: 00432EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00432F0B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b85aba25872b8289ac5f072a7cf4058b5ce0eed81cdc8bd65b5fea75b778e208
Instruction ID: 6f25e561f6f36a59effc36464a0118387242dba42b77e05f048c539da22206d9
Opcode Fuzzy Hash: b85aba25872b8289ac5f072a7cf4058b5ce0eed81cdc8bd65b5fea75b778e208
Instruction Fuzzy Hash: 3D312631604250AFEB20CF18DE86F6637E0FB4E710F142166FA049F2B1CBB5A881DB49

Function 00407726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040778F
SysAllocString.OLEAUT32(00000000), ref: 00407792
SysAllocString.OLEAUT32(?), ref: 004077B0
SysFreeString.OLEAUT32(?), ref: 004077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004077DE
SysAllocString.OLEAUT32(?), ref: 004077EC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0098ed2189c15d02860ad7e4588674e315650c1a687c30523e27c1d36d2f775b
Instruction ID: d507e32f8843ac2a45cb0d69c72e3c0f0f0bdef8a9b6c475680a4a104e4e0acb
Opcode Fuzzy Hash: 0098ed2189c15d02860ad7e4588674e315650c1a687c30523e27c1d36d2f775b
Instruction Fuzzy Hash: A821DB76A04219AFDF10DFA8CC84CBB77ACEB093647004036FA04EB290D674FC418B69

Function 004077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407868
SysAllocString.OLEAUT32(00000000), ref: 0040786B
SysAllocString.OLEAUT32 ref: 0040788C
SysFreeString.OLEAUT32 ref: 00407895
StringFromGUID2.OLE32(?,?,00000028), ref: 004078AF
SysAllocString.OLEAUT32(?), ref: 004078BD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e220268dd542d3d50f5369215d52f43434673fa791eab4a3c051d4975ebb0fe
Instruction ID: 75a4dec4a1fd4f54f5160675ca9d9bc91b18b06998f894eae968217a3f7e2e0a
Opcode Fuzzy Hash: 2e220268dd542d3d50f5369215d52f43434673fa791eab4a3c051d4975ebb0fe
Instruction Fuzzy Hash: 3F216532A04104AFDB10AFA8DC88DAB77ACEB097607108136F915EB2A1D674EC41CB69

Function 004104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0041052E

Strings

nul, xrefs: 00410567

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4f1f2a3f7f06e178fd0517450461dc5c6ced684d2e8a3e882244264835affbf4
Instruction ID: 145d72a42586ad04991780144b7e1ce65f16895cc5e7e854402c1ab7c2558239
Opcode Fuzzy Hash: 4f1f2a3f7f06e178fd0517450461dc5c6ced684d2e8a3e882244264835affbf4
Instruction Fuzzy Hash: 04216D75500305ABDB209F69DC44BDA7BA5AF44764F204A2AFCA1E62E0D7B499D0CF28

Function 004105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00410601

Strings

nul, xrefs: 00410639

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2d8672ecfc06b39add9118174b09bfc5bfc3323becf01e75e994211e0455db9b
Instruction ID: a46a248581df07818427fc7e585e2e32f8cb80c20544b48a7eee06c580adc576
Opcode Fuzzy Hash: 2d8672ecfc06b39add9118174b09bfc5bfc3323becf01e75e994211e0455db9b
Instruction Fuzzy Hash: F02183755003059BDB209F69DC44ADB77E4AF95724F200A1AFCA1E72D0D7F498E1CB18

Function 004340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
Part of subcall function 003A600E: GetStockObject.GDI32(00000011), ref: 003A6060
Part of subcall function 003A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00434112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0043411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0043412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00434139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00434145

Strings

Msctls_Progress32, xrefs: 004340E3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3da530a8d64584b4cc5cff9c0a691d350e987fe88154917c11dbdbeff5ac4fdf
Instruction ID: 0ce9cd443a2882665454825cac0b4e4bbff33d7f628d47543f6dc52a119371a6
Opcode Fuzzy Hash: 3da530a8d64584b4cc5cff9c0a691d350e987fe88154917c11dbdbeff5ac4fdf
Instruction Fuzzy Hash: 4D11B2B2140219BEEF119F64CC86EE77F6DEF08798F015111FA18A6150CB769C61DBA8

Function 003DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003DD7A3: _free.LIBCMT ref: 003DD7CC

_free.LIBCMT ref: 003DD82D

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DD838
_free.LIBCMT ref: 003DD843
_free.LIBCMT ref: 003DD897
_free.LIBCMT ref: 003DD8A2
_free.LIBCMT ref: 003DD8AD
_free.LIBCMT ref: 003DD8B8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 265cc5e0cbabb33a9fba450bf46c42fe4c22b2b3fd43c6cfef40796dc1aabeb9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D8113A72540B04AAD623BFB0EC47FCB7BDCBF11700F400826B29DAA292DB76B5159660

Function 0040DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0040DA74
LoadStringW.USER32(00000000), ref: 0040DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0040DA91
LoadStringW.USER32(00000000), ref: 0040DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0040DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0040DAB9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 15c6de713d94d2fd72d97f43ab22f1530df3e9d780d1399765cfb4126b80a0d6
Instruction ID: f4edd72c886a2f16d28da89602b03ac74e676985764b843026b4a06d4c73324c
Opcode Fuzzy Hash: 15c6de713d94d2fd72d97f43ab22f1530df3e9d780d1399765cfb4126b80a0d6
Instruction Fuzzy Hash: 0A0162F29002087FEB109BE09DC9EE7326CE708301F4054A6B716F2081EA789E844F79

Function 0041096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016DD448,016DD448), ref: 0041097B
EnterCriticalSection.KERNEL32(016DD428,00000000), ref: 0041098D
TerminateThread.KERNEL32(?,000001F6), ref: 0041099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004109A9
CloseHandle.KERNEL32(?), ref: 004109B8
InterlockedExchange.KERNEL32(016DD448,000001F6), ref: 004109C8
LeaveCriticalSection.KERNEL32(016DD428), ref: 004109CF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 33143b0e301424a9d5cd04bbf52ad5686c147b6c9e0845420057295f5a233265
Instruction ID: ccfc7efa956971b071b7d541538613a290665ad9462b22404ab3366e3e458765
Opcode Fuzzy Hash: 33143b0e301424a9d5cd04bbf52ad5686c147b6c9e0845420057295f5a233265
Instruction Fuzzy Hash: 88F0CD71442512ABE7515B94EEC9AD77A25BF05702F402066F101608A1C7B594B5CF98

Function 00421C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00421DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00421DE1
WSAGetLastError.WSOCK32 ref: 00421DF2
htons.WSOCK32(?), ref: 00421EDB
inet_ntoa.WSOCK32(?), ref: 00421E8C

Part of subcall function 004039E8: _strlen.LIBCMT ref: 004039F2

Part of subcall function 00423224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0041EC0C), ref: 00423240

_strlen.LIBCMT ref: 00421F35

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b0deee7b95d6e6d2bee31906abd3b02c1de8e5020112991a9381632f82b58c35
Instruction ID: ad8f46c3f30fbf75a906a5f951a054a1714f04f5960ecc9a36973ef54d81c7e2
Opcode Fuzzy Hash: b0deee7b95d6e6d2bee31906abd3b02c1de8e5020112991a9381632f82b58c35
Instruction Fuzzy Hash: 75B1EE31204310AFC324DF24D881E2ABBA5AF95318F98895DF4665F3E2CB35ED42CB91

Function 003A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003A5D30
GetWindowRect.USER32(?,?), ref: 003A5D71
ScreenToClient.USER32(?,?), ref: 003A5D99
GetClientRect.USER32(?,?), ref: 003A5ED7
GetWindowRect.USER32(?,?), ref: 003A5EF8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 79134518b911e8e4356a984dbdea29b7622419195bbfdc47672ad2cc859bd9a1
Instruction ID: ae98e0f2237d918b4aef6f5181ac5ca634407581093a804e1c93cf5ac5e24380
Opcode Fuzzy Hash: 79134518b911e8e4356a984dbdea29b7622419195bbfdc47672ad2cc859bd9a1
Instruction Fuzzy Hash: 6CB19D35A0078ADBDB15CFA9C480BEEB7F1FF58310F14851AE8A9D7690D734AA50CB54

Function 003D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D00D6
__allrem.LIBCMT ref: 003D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D010B
__allrem.LIBCMT ref: 003D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D0140

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 54d44792d601d2b78498f741d16ed2c9ff53ceb528949c21ed6a11ca27406ecf
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: F681E377A00706AFE726AE29DC41B6AB3A9EF41B24F25462FF451DB781E770DD008790

Function 003D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003C82D9,003C82D9,?,?,?,003D644F,00000001,00000001,8BE85006), ref: 003D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003D644F,00000001,00000001,8BE85006,?,?,?), ref: 003D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003D63D8
__freea.LIBCMT ref: 003D63E5

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

__freea.LIBCMT ref: 003D63EE
__freea.LIBCMT ref: 003D6413

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 189bad5694d1e6787f1159cc1baef2fd222590038b0277de1b970d43be69d3a5
Instruction ID: a5dcaba8f2705cf400a542aa1cc614471f4ce1fdc3105eaa343b68273640f46e
Opcode Fuzzy Hash: 189bad5694d1e6787f1159cc1baef2fd222590038b0277de1b970d43be69d3a5
Instruction Fuzzy Hash: 6451F373A00216ABDB278F64EC82EAF77A9EB44710F16472AFC25DA251DB34DC44D660

Function 0042BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042BD25
RegCloseKey.ADVAPI32(00000000), ref: 0042BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0042BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042BDF3
RegCloseKey.ADVAPI32(?), ref: 0042BDFF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5b4025fc75e0b494304efb7d95603dc3bef7055ba18ec1b84fcd1bf882d9e456
Instruction ID: 3f13aa60461a1231c6e23a0b82f017b7b1b0433eaf822a6c117cb630aa83254c
Opcode Fuzzy Hash: 5b4025fc75e0b494304efb7d95603dc3bef7055ba18ec1b84fcd1bf882d9e456
Instruction Fuzzy Hash: D381CC30208241AFC715DF24D881E6BBBE5FF85308F54886EF5598B2A2CB35ED45CB92

Function 003FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003FF7B9
SysAllocString.OLEAUT32(00000001), ref: 003FF860
VariantCopy.OLEAUT32(003FFA64,00000000), ref: 003FF889
VariantClear.OLEAUT32(003FFA64), ref: 003FF8AD
VariantCopy.OLEAUT32(003FFA64,00000000), ref: 003FF8B1
VariantClear.OLEAUT32(?), ref: 003FF8BB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 34cddb5523203f80ec2b644417989264e753696c45a849d9f5760140df86123b
Instruction ID: 5eeb9ab8b3d3cddb6ae824cf3664108a46381801159a2b3aeaf1cb61abcc969c
Opcode Fuzzy Hash: 34cddb5523203f80ec2b644417989264e753696c45a849d9f5760140df86123b
Instruction Fuzzy Hash: 5551D635500318FECF22AB65D895B3AB3A8EF45310F249467EE05EF296DBB08C40DB56

Function 0041910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004194E5
_wcslen.LIBCMT ref: 00419506
_wcslen.LIBCMT ref: 0041952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00419585

Strings

X, xrefs: 00419412

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 42f19ea9e74d2abca6a94c4f0644bc84f369b2e9915527c7e2e0813867dd84a9
Instruction ID: 74543240a7319418163efc4879d404daa715c38d473a1e08d7c6baab3ed6e389
Opcode Fuzzy Hash: 42f19ea9e74d2abca6a94c4f0644bc84f369b2e9915527c7e2e0813867dd84a9
Instruction Fuzzy Hash: B4E1B1316083009FC715DF24C891AAAB7E5FF86314F04896EF8999B3A2DB34DD45CB96

Function 003B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

BeginPaint.USER32(?,?,?), ref: 003B9241
GetWindowRect.USER32(?,?), ref: 003B92A5
ScreenToClient.USER32(?,?), ref: 003B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B92D3
EndPaint.USER32(?,?,?,?,?), ref: 003B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003F71EA

Part of subcall function 003B9339: BeginPath.GDI32(00000000), ref: 003B9357

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7be1907ca209416c16051218b7d8be35078746730d1b6e4c1666014b91741beb
Instruction ID: 865f61c88c2813e48367b2e71163736d1ebd54d5e8d042f6ab7de451d1c5bb57
Opcode Fuzzy Hash: 7be1907ca209416c16051218b7d8be35078746730d1b6e4c1666014b91741beb
Instruction Fuzzy Hash: DD419FB1104204AFD712DF28CC85FBA7BA8EB49324F14066AFB989B6B1C7319845DB65

Function 004107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0041080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00410847
EnterCriticalSection.KERNEL32(?), ref: 00410863
LeaveCriticalSection.KERNEL32(?), ref: 004108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00410921

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 39ff258b0b240e0f653a9aeddd25acbd653fba5b2754456348c8781235d39ee6
Instruction ID: 358158edacd6e39bf33041dbee34d99de0399a246fdad965eb0ff48b299c2fca
Opcode Fuzzy Hash: 39ff258b0b240e0f653a9aeddd25acbd653fba5b2754456348c8781235d39ee6
Instruction Fuzzy Hash: DF417B71900205EFDF15AF64DC85AAA7779FF04304F1040B9ED00AE296DB74DEA0DBA4

Function 004381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003FF3AB,00000000,?,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 0043824C
EnableWindow.USER32(?,00000000), ref: 00438272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004382D1
ShowWindow.USER32(?,00000004), ref: 004382E5
EnableWindow.USER32(?,00000001), ref: 0043830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0043832F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f4b85541a17ae41089962fd31a1fdf7508d1811e6f220a6a016c964b8a7d3b3a
Instruction ID: 76bc8611c43b91da5f159bba5104100165383127a62aef36d21b09f4524b099d
Opcode Fuzzy Hash: f4b85541a17ae41089962fd31a1fdf7508d1811e6f220a6a016c964b8a7d3b3a
Instruction Fuzzy Hash: FA418474601744AFDB11CF15C895BA6BBE0BB0D714F1861BEFA185B372CB36A841CB58

Function 00404C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00404CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00404CEA
_wcslen.LIBCMT ref: 00404D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00404D10
_wcsstr.LIBVCRUNTIME ref: 00404D1A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 6c4417726de7a6d057062bb973fe14d680d0d8e3a8b3dc2d1917b2e6e4e4d10d
Instruction ID: c329de15916345a579704e0a9a82f6ea4ac5c4f95b2340d01a2dec6ccc24ec09
Opcode Fuzzy Hash: 6c4417726de7a6d057062bb973fe14d680d0d8e3a8b3dc2d1917b2e6e4e4d10d
Instruction Fuzzy Hash: C721D7B12042007BFB165B35AC4AE7B7B9CDF85750F10403AFA05EA2D1DA75DD0197A4

Function 0041581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

_wcslen.LIBCMT ref: 0041587B
CoInitialize.OLE32(00000000), ref: 00415995
CoCreateInstance.OLE32(0043FCF8,00000000,00000001,0043FB68,?), ref: 004159AE
CoUninitialize.OLE32 ref: 004159CC

Strings

.lnk, xrefs: 00415876, 004158C1, 00415985

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3aacda585111bf74bcdd49a26aca7167edacc2520a3b0ae3859bc30051717595
Instruction ID: f289b5fcc503dd32eb516601e8abed3ecc53556820895bb688109a52b0bfd081
Opcode Fuzzy Hash: 3aacda585111bf74bcdd49a26aca7167edacc2520a3b0ae3859bc30051717595
Instruction Fuzzy Hash: 36D15570608701DFC714EF24C480AAABBE1EF8A714F14885EF8899B361D735EC85CB96

Function 0040175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00400FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00400FCA
Part of subcall function 00400FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00400FD6
Part of subcall function 00400FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00400FE5
Part of subcall function 00400FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00400FEC
Part of subcall function 00400FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00401002

GetLengthSid.ADVAPI32(?,00000000,00401335), ref: 004017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004017BA
HeapAlloc.KERNEL32(00000000), ref: 004017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004017DA
GetProcessHeap.KERNEL32(00000000,00000000,00401335), ref: 004017EE
HeapFree.KERNEL32(00000000), ref: 004017F5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e4beea1bcf3e48f9cbceb575b3931093d67cc856680050ce9a164fbeb492049e
Instruction ID: fa6cd50e243ef2f8e9fdadbb1159ea9118c79f725ea1555cab43b86155ebbf92
Opcode Fuzzy Hash: e4beea1bcf3e48f9cbceb575b3931093d67cc856680050ce9a164fbeb492049e
Instruction Fuzzy Hash: F6117C32500205EFDB149FA4CC89BAFBBB9EB46355F10402AF481B72A1D739A944DB68

Function 004014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00401506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00401515
CloseHandle.KERNEL32(00000004), ref: 00401520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0040154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00401563

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2d17e8cd9dc002425f647639a997e8eb59437404bf4df2871355c4ec871ad96c
Instruction ID: 29b4032e1be978f65fbf576e92331ab11ff67c25467a4a3c5363e6ffd91f2563
Opcode Fuzzy Hash: 2d17e8cd9dc002425f647639a997e8eb59437404bf4df2871355c4ec871ad96c
Instruction Fuzzy Hash: B2112972500249ABDF119FA8DE89BDE7BA9EF48744F044025FE05B21A0C3758E65DB64

Function 003C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003C3379,003C2FE5), ref: 003C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003C33B7
SetLastError.KERNEL32(00000000,?,003C3379,003C2FE5), ref: 003C3409

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2e9f7c283deb522ee8d683a51249c274cd48cea41e6d9f5613daf64d552a1387
Instruction ID: d45023347d08c4f1c01d3f0ed1e73429bbaf9937bc203ae930c125f468bc8d6b
Opcode Fuzzy Hash: 2e9f7c283deb522ee8d683a51249c274cd48cea41e6d9f5613daf64d552a1387
Instruction Fuzzy Hash: 4701B13360D351AEA62727B57CD5F662A94EB15379720823EF410C92F0EF614D115788

Function 003D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003D5686,003E3CD6,?,00000000,?,003D5B6A,?,?,?,?,?,003CE6D1,?,00468A48), ref: 003D2D78
_free.LIBCMT ref: 003D2DAB
_free.LIBCMT ref: 003D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,003CE6D1,?,00468A48,00000010,003A4F4A,?,?,00000000,003E3CD6), ref: 003D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,003CE6D1,?,00468A48,00000010,003A4F4A,?,?,00000000,003E3CD6), ref: 003D2DEC
_abort.LIBCMT ref: 003D2DF2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 76e4aadc679724c307068f7db9b5fd371cd8c75ea21f747ccb7cbeab1ad427d8
Instruction ID: 18c2481ea0f9d110aee2baa96667ee640d37741574cbe762b99a6ee22fe9b840
Opcode Fuzzy Hash: 76e4aadc679724c307068f7db9b5fd371cd8c75ea21f747ccb7cbeab1ad427d8
Instruction Fuzzy Hash: 86F0C8339456006BC2232738BC4AE5F255BAFE27A1F26442BF874A73D2EF748C115275

Function 00438A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96A2
Part of subcall function 003B9639: BeginPath.GDI32(?), ref: 003B96B9
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00438A4E
LineTo.GDI32(?,00000003,00000000), ref: 00438A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00438A70
LineTo.GDI32(?,00000000,00000003), ref: 00438A80
EndPath.GDI32(?), ref: 00438A90
StrokePath.GDI32(?), ref: 00438AA0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: dea062a542b89c69e875b79cc84c9c88073d5caaa10dc8a550edc6d0c02445fb
Instruction ID: b44bc660fd47eef673169a1858d196d582c534812953d61714ceef7e6ad4d044
Opcode Fuzzy Hash: dea062a542b89c69e875b79cc84c9c88073d5caaa10dc8a550edc6d0c02445fb
Instruction Fuzzy Hash: 7611DB7600014DFFDF129F94DC88FAA7F6DEB08354F048026BA19AA1A1C7719D55DFA4

Function 004051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00405218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00405229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00405230
ReleaseDC.USER32(00000000,00000000), ref: 00405238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0040524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00405261

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a56e03805ee9d3ef66525f8dcb7c350bddc278c9c6b6bc013d12355f5fff2e47
Instruction ID: 281be4146405ac23a2565d31a1f99ea6db16d13fc9dba3fd5f16512ca5373b9e
Opcode Fuzzy Hash: a56e03805ee9d3ef66525f8dcb7c350bddc278c9c6b6bc013d12355f5fff2e47
Instruction Fuzzy Hash: CB014F75A00718BBEB109BB59C89A5FBFB8EF48751F044076FA04FB291D6709801CFA4

Function 003A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003A1C22

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fb5fa47fd3f1c240c941509ee4745580c12e341943449d0e6e833e29cb54fda1
Instruction ID: 258ab8f8d418c075327f3554b6419e0cb46bdbcc018295849bf645e8f81410bd
Opcode Fuzzy Hash: fb5fa47fd3f1c240c941509ee4745580c12e341943449d0e6e833e29cb54fda1
Instruction Fuzzy Hash: EF0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0040EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0040EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0040EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0040EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB75

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e6fdabc6df7100a99c6af7ca35db75005e359a4fdd0acd3627918e7c2a44a30c
Instruction ID: e8497a623a8bfa1725d9be241b783b4ef407534c1a15684f2bb5677c71635bfe
Opcode Fuzzy Hash: e6fdabc6df7100a99c6af7ca35db75005e359a4fdd0acd3627918e7c2a44a30c
Instruction Fuzzy Hash: 03F03072140158BBE72157629C4EEEF3A7CEFCAB11F005169F601E1191D7A05A01DBB9

Function 003F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 003F7469
GetWindowDC.USER32(?), ref: 003F7475
GetPixel.GDI32(00000000,?,?), ref: 003F7484
ReleaseDC.USER32(?,00000000), ref: 003F7496
GetSysColor.USER32(00000005), ref: 003F74B0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f53e0d0479162b14efb9ca58ff813b0c105312b7dcac326f39308dfa8b8addd3
Instruction ID: 751aedabeb1e12e97b4e09ac981e11e2a86d8267a07ebba5e007bc7da7c8336d
Opcode Fuzzy Hash: f53e0d0479162b14efb9ca58ff813b0c105312b7dcac326f39308dfa8b8addd3
Instruction Fuzzy Hash: E0014B31400619FFEB515F64DC49BAA7BB5FB04311F611174FA25A21A1CB311E51AB54

Function 00401874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040187F
UnloadUserProfile.USERENV(?,?), ref: 0040188B
CloseHandle.KERNEL32(?), ref: 00401894
CloseHandle.KERNEL32(?), ref: 0040189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004018A5
HeapFree.KERNEL32(00000000), ref: 004018AC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a735688888b463eb12860a209a138e1c5b0a97d34bda1c12ae6f5092a92794fb
Instruction ID: 7f9be66856812bead706162d9385f8b0fc05e28a479105ae9691098f9ac9f26a
Opcode Fuzzy Hash: a735688888b463eb12860a209a138e1c5b0a97d34bda1c12ae6f5092a92794fb
Instruction Fuzzy Hash: 0BE0E536004101BBEB016FA1ED8C90ABF39FF49B22B109230F625A1070CB329430EF58

Function 003ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003ABEB3

Strings

D%GD%G, xrefs: 003ABCA5
D%G, xrefs: 003ABDED, 003ABD91, 003ABD1B
D%G, xrefs: 003ABE9A
D%G, xrefs: 003ABCA2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%G$D%G$D%G$D%GD%G
API String ID: 1385522511-4070170118
Opcode ID: a73b7eb9aa71444ffe41ee2920ad16313ba26c9bf0c1426a260dfdf0d258780b
Instruction ID: b66fecc450b114ea68b814916b5e962ee5afff2a80b1245567bbe9e30a4c7f1a
Opcode Fuzzy Hash: a73b7eb9aa71444ffe41ee2920ad16313ba26c9bf0c1426a260dfdf0d258780b
Instruction Fuzzy Hash: C1914975A0020ADFCB19CF98C090AAAF7F5FF5A310B25816ED945AB352D771AD81CB90

Function 00427B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003C0242: EnterCriticalSection.KERNEL32(0047070C,00471884,?,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C024D
Part of subcall function 003C0242: LeaveCriticalSection.KERNEL32(0047070C,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C028A

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

__Init_thread_footer.LIBCMT ref: 00427BFB

Part of subcall function 003C01F8: EnterCriticalSection.KERNEL32(0047070C,?,?,003B8747,00472514), ref: 003C0202
Part of subcall function 003C01F8: LeaveCriticalSection.KERNEL32(0047070C,?,003B8747,00472514), ref: 003C0235

Strings

+T?, xrefs: 00427E2E
5, xrefs: 00427C78
G, xrefs: 00427C7F
Variable must be of type 'Object'., xrefs: 00427C3A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T?$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2299519154
Opcode ID: 75bb586852e57b611fb38d59392deb657cbc8b8551cc0dcd7c9a383fe7552047
Instruction ID: df45c5e28d9b83268eadba698bc8b6cfa0bf4024fab7fe9ab0563061713f0547
Opcode Fuzzy Hash: 75bb586852e57b611fb38d59392deb657cbc8b8551cc0dcd7c9a383fe7552047
Instruction Fuzzy Hash: B6918C70704219EFCB15EF55E8909AEB7B1FF45304F90805AF806AB392DB78AE41CB59

Function 0040C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0040C6EE
_wcslen.LIBCMT ref: 0040C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0040C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0040C7CA

Strings

0, xrefs: 0040C6AF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2b9b29d397a69b7f6b69fe03777ae3717d5e2fb74bf6e62f77620a09ea382743
Instruction ID: 7648c2db41d8bd8ed04207a300ac29a8efa3c85a5196577a740adb5545502214
Opcode Fuzzy Hash: 2b9b29d397a69b7f6b69fe03777ae3717d5e2fb74bf6e62f77620a09ea382743
Instruction Fuzzy Hash: 8051BD71604302DBD725AF28C8C5BAB77E8AB45314F040B3AF995E72E0DB78D9058B5A

Function 0042AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0042AEA3

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

GetProcessId.KERNEL32(00000000), ref: 0042AF38
CloseHandle.KERNEL32(00000000), ref: 0042AF67

Strings

<, xrefs: 0042AE6B
@, xrefs: 0042AE72

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f935f9227dc9dc58c419d1eb3b9e355f5699e84bc89d37cbcf104ad766d47127
Instruction ID: 418c70dd52d53664135dbec6c5d93de70ca99ad6d97a659ea2948e68ef4963c7
Opcode Fuzzy Hash: f935f9227dc9dc58c419d1eb3b9e355f5699e84bc89d37cbcf104ad766d47127
Instruction Fuzzy Hash: A7716671A00628DFCB15EF54D484A9EBBF0FF09310F05849AE816AB362CB78ED45CB95

Function 0040719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00407206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0040723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0040724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004072CF

Strings

DllGetClassObject, xrefs: 00407242

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ff18f4197ac7448a32b1c0900830704b6dc8b1e6314f36d99e5691193c187320
Instruction ID: d21e1138cc04a31bdee89ef8e2a8d4580ac2514743ed5ae8d356f4033e346558
Opcode Fuzzy Hash: ff18f4197ac7448a32b1c0900830704b6dc8b1e6314f36d99e5691193c187320
Instruction Fuzzy Hash: BD41A371A04204EFDB15CF54C884A9A7BA9EF44310F1580BEFD05AF28AD7B8ED45CBA5

Function 00433D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00433E35
IsMenu.USER32(?), ref: 00433E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00433E92
DrawMenuBar.USER32 ref: 00433EA5

Strings

0, xrefs: 00433D89

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c9ef528ba36e12fc8402eb0e865d1938b38095ad6d6d39b7fd0dab5953c74b60
Instruction ID: c698198093fecd594b2961a7bcf23289706a3ce13b56a7c0868cb1519f448bc2
Opcode Fuzzy Hash: c9ef528ba36e12fc8402eb0e865d1938b38095ad6d6d39b7fd0dab5953c74b60
Instruction Fuzzy Hash: 714168B5A00209EFDB10DF54D885EAABBB9FF48361F04512AE905AB350D734EE41CF64

Function 00401DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00401E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00401E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00401EA9

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Strings

ComboBox, xrefs: 00401DF0
ListBox, xrefs: 00401E25

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9893f1513555066bcf2e0f474a8c9f52b7f8b47b8d99357e80478ea1095883f2
Instruction ID: 28ff97fa23df4e6fbac4cef4a1b4b28d4c52720e467c45fa1c08949d259b2e3d
Opcode Fuzzy Hash: 9893f1513555066bcf2e0f474a8c9f52b7f8b47b8d99357e80478ea1095883f2
Instruction Fuzzy Hash: 76210571A00104BFDB15AB64DC86DFFB7B8EF46364F14412AF825BB2E1DB3C490A8664

Function 00432F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00432F8D
LoadLibraryW.KERNEL32(?), ref: 00432F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00432FA9
DestroyWindow.USER32(?), ref: 00432FB1

Strings

SysAnimate32, xrefs: 00432F68

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: caa6e1ea32d2a1624d9c307f8b1ecfb19d4e5501de424ff71c4eee2e9c9420fe
Instruction ID: 472721d549008af9f0e03b19612d36e61c0f9877d094e7b0e1d1928b67bf7b2c
Opcode Fuzzy Hash: caa6e1ea32d2a1624d9c307f8b1ecfb19d4e5501de424ff71c4eee2e9c9420fe
Instruction Fuzzy Hash: B021F071204205ABEB104F64DD81FBB37BDEF5D328F10222AF910D2290D3B5DC81A768

Function 003C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003C4D1E,003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002), ref: 003C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,003C4D1E,003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000), ref: 003C4DC3

Strings

CorExitProcess, xrefs: 003C4D98
mscoree.dll, xrefs: 003C4D86

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8cee8969fd3960fa5cb93640f88dc608303a58e907ac6e3a9b08abaa7ad18af6
Instruction ID: 9cd319499b6ada56c3c8975b571837663361a179409cd0742521d314c60808ab
Opcode Fuzzy Hash: 8cee8969fd3960fa5cb93640f88dc608303a58e907ac6e3a9b08abaa7ad18af6
Instruction Fuzzy Hash: 9AF0AF35A00208BBDB11AF90DC89FADBBB4EF04712F0001A9F906E2260CB745E40DB99

Function 003A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003A4EAE
FreeLibrary.KERNEL32(00000000,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EC0

Strings

kernel32.dll, xrefs: 003A4E94
Wow64DisableWow64FsRedirection, xrefs: 003A4EA8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e73dafa25cd29a64a6b6fa6cd272b6b4ec8dd840df16e056beda64331dc3b7b2
Instruction ID: 747a36ff63f3685916f0bcf7ff90a165e18af75c4e97edf40af1541a856bf647
Opcode Fuzzy Hash: e73dafa25cd29a64a6b6fa6cd272b6b4ec8dd840df16e056beda64331dc3b7b2
Instruction Fuzzy Hash: 67E08636A025229B96221B257C5CF5B6554EFC2B63B064126FC01F2104DBA4CD0156E9

Function 003A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003A4E74
FreeLibrary.KERNEL32(00000000,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E87

Strings

kernel32.dll, xrefs: 003A4E5B
Wow64RevertWow64FsRedirection, xrefs: 003A4E6E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f3600d4345033a2c28c7228ba23455564bc151051e463a1f7a8941f98703b1fb
Instruction ID: 6b1f6b9bffb8e9c98518f56070654ffb10cc1b9232d664950c1c081561bc741c
Opcode Fuzzy Hash: f3600d4345033a2c28c7228ba23455564bc151051e463a1f7a8941f98703b1fb
Instruction Fuzzy Hash: 35D0C236502621674A231B247C08E8B6A18EFC6B213060222B801F2114CFA4CD019AD8

Function 00412947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412C05
DeleteFileW.KERNEL32(?), ref: 00412C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00412C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412CC0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a045a7f691b827ba266ba1f34e0e9e388ce491cb9da4bbc163d9ec1d21d68f95
Instruction ID: 0b1c25b32fa608f3c019d913427528f41ee7962ac3b0c0eca9817e10eb890c3f
Opcode Fuzzy Hash: a045a7f691b827ba266ba1f34e0e9e388ce491cb9da4bbc163d9ec1d21d68f95
Instruction Fuzzy Hash: E6B16C72D00119ABDF11DFA4CD85EDEB7BDEF09344F0040AAF609E6141EA749E948FA5

Function 0042A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0042A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0042A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0042A468
CloseHandle.KERNEL32(?), ref: 0042A63D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6780f714d853413559a509e728cae78508146d40ce0346edfed02c2744bc659d
Instruction ID: 81ceabe21bd361cd2e8dd0c486332a4292884b2dc36b94965c188a90930325b1
Opcode Fuzzy Hash: 6780f714d853413559a509e728cae78508146d40ce0346edfed02c2744bc659d
Instruction Fuzzy Hash: 68A1AC71604300AFD721DF24D886F2AB7E5EF84714F54881DF99A9B392DBB4EC418B86

Function 003DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00443700), ref: 003DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0047121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00471270,000000FF,?,0000003F,00000000,?), ref: 003DBC36
_free.LIBCMT ref: 003DBB7F

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DBD4B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 07fb7999429b93503ccd0212db86153d36aefc523982e69e74d96c8d16118a55
Instruction ID: 326e54d399fa13ebac276ad8cf564b5586da95c2ba469e95275856e2b1696578
Opcode Fuzzy Hash: 07fb7999429b93503ccd0212db86153d36aefc523982e69e74d96c8d16118a55
Instruction Fuzzy Hash: 5551C973900209EFCB12DF69AC819AAF7BCFB40350B12426BE454E73A1EB709E409B54

Function 0040E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0040CF22,?), ref: 0040DDFD

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0040CF22,?), ref: 0040DE16

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

lstrcmpiW.KERNEL32(?,?), ref: 0040E473
MoveFileW.KERNEL32(?,?), ref: 0040E4AC
_wcslen.LIBCMT ref: 0040E5EB
_wcslen.LIBCMT ref: 0040E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0040E650

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c9b7d695777a07d853de871a331393387f6564bca38266f12bb7343d06edea6c
Instruction ID: e4cb971366596cb769d9bc6a76d440bfe1a3ddfe10b777bdd867d9e97086ce46
Opcode Fuzzy Hash: c9b7d695777a07d853de871a331393387f6564bca38266f12bb7343d06edea6c
Instruction Fuzzy Hash: 3D5183B24083445BC725EB91DC81ADBB3DCAF85340F004D2FF589E7191EF79A688875A

Function 0042B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0042BB63
RegCloseKey.ADVAPI32(?,?), ref: 0042BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0042BBB3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 220cb65a6677a5d3ba1f6a0e7e152c15f42c01444dc0aa08556aa9258507c841
Instruction ID: 305245b4dd2f70208977a8da18c2facd29463fdc5b33ac3c2f9d3416323d4c65
Opcode Fuzzy Hash: 220cb65a6677a5d3ba1f6a0e7e152c15f42c01444dc0aa08556aa9258507c841
Instruction Fuzzy Hash: B361BF31208241AFC714DF14D890E2BBBE5FF85308F5485AEF4998B2A2CB35ED45CB92

Function 00408BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00408BCD
VariantClear.OLEAUT32 ref: 00408C3E
VariantClear.OLEAUT32 ref: 00408C9D
VariantClear.OLEAUT32(?), ref: 00408D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00408D3B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3e15332a9b462648897da73f62abd14d08caebbaa613ff2ee0f201058ebc8fe8
Instruction ID: fe06b7c4cfda68b2f682857abbf42deb438aa6a73e43ce88960baf26d9e4aae3
Opcode Fuzzy Hash: 3e15332a9b462648897da73f62abd14d08caebbaa613ff2ee0f201058ebc8fe8
Instruction Fuzzy Hash: 13518CB1A00219EFDB10CF28D884AAAB7F4FF89310B15856AE945EB350E734E911CF94

Function 00418AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00418BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00418BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00418C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00418C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00418C5F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 415b0cc6c40edcac7aeb9c1889722fad0b04e842a663aa36ec0637973475bf8e
Instruction ID: 7835a78182179312c22d9afe9b3b7447eaa6e57443ff8eb45f4048f9a8d8aa18
Opcode Fuzzy Hash: 415b0cc6c40edcac7aeb9c1889722fad0b04e842a663aa36ec0637973475bf8e
Instruction Fuzzy Hash: A7515A35A002149FCB05DF64C881AAEBBF5FF4A314F088099E849AB362DB35ED51CB90

Function 00428EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00428F40
GetProcAddress.KERNEL32(00000000,?), ref: 00428FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00428FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00429032
FreeLibrary.KERNEL32(00000000), ref: 00429052

Part of subcall function 003BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00411043,?,7529E610), ref: 003BF6E6
Part of subcall function 003BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003FFA64,00000000,00000000,?,?,00411043,?,7529E610,?,003FFA64), ref: 003BF70D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a715c9771651d4a265818f71001340c92a604c7a06ce0d91052e288d24f19e5a
Instruction ID: e09467364697d0043062da04f647f4d563fd2d3e097792a8a466e9501d752d1b
Opcode Fuzzy Hash: a715c9771651d4a265818f71001340c92a604c7a06ce0d91052e288d24f19e5a
Instruction Fuzzy Hash: 67513934A01215DFCB01DF54C4949AEBBB1FF4A314F4980AAE805AF362DB35ED86CB95

Function 00436B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00436C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00436C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00436C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0041AB79,00000000,00000000), ref: 00436C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00436CC7

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f7c2e19e137ef5ef08783c0f67b2ab4353e3813d43bf52b2b0e35df43797b085
Instruction ID: 077e092d8cbaad20bdc41b172a5faf9397e37f6379c99cad1bd02b167ec60df1
Opcode Fuzzy Hash: f7c2e19e137ef5ef08783c0f67b2ab4353e3813d43bf52b2b0e35df43797b085
Instruction Fuzzy Hash: 7B412A35600115BFDB24CF28CC95FA6BBA4EB0D350F16A22AF995A73E0C375ED41CA48

Function 003D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003D20C3
_free.LIBCMT ref: 003D20E3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 654de7fdb44e1b19cbcc9558401766c8de3c5ff83dd19deb5d891971552a1ebd
Instruction ID: d7012ff4a52aa039475352b30f022e4d78e8deddba0e9a2e6bf12eed135ce43f
Opcode Fuzzy Hash: 654de7fdb44e1b19cbcc9558401766c8de3c5ff83dd19deb5d891971552a1ebd
Instruction Fuzzy Hash: FA41B633A00200AFCB25DF78D881A6EB7B5EF99314F164569E615EB351D731ED01DB81

Function 003B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003B9141
ScreenToClient.USER32(00000000,?), ref: 003B915E
GetAsyncKeyState.USER32(00000001), ref: 003B9183
GetAsyncKeyState.USER32(00000002), ref: 003B919D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 79d748defc953b65519c13ce1f8cf8a56ba1d6f7aabbec8d66139d86ace9b0c6
Instruction ID: d63e536c30827bcccc13c8726ac9f3a981f446593977a20a022c5cfd2bb5458f
Opcode Fuzzy Hash: 79d748defc953b65519c13ce1f8cf8a56ba1d6f7aabbec8d66139d86ace9b0c6
Instruction Fuzzy Hash: 4041813190851AFBDF169F68C844BFEB774FF09324F21822AE625A72D0C7345954DB51

Function 00413874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00413922
TranslateMessage.USER32(?), ref: 0041394B
DispatchMessageW.USER32(?), ref: 00413955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00413966

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6a6e0379cf37f8e44d7ff95f3ae1f337ce410a10273ee2d3797205bbcdc56118
Instruction ID: 3d3317a21b74246a3544b9e3b3598126ce1ba3a2496c46a5863eda081254dc01
Opcode Fuzzy Hash: 6a6e0379cf37f8e44d7ff95f3ae1f337ce410a10273ee2d3797205bbcdc56118
Instruction Fuzzy Hash: 563196F05143419EEB25DF349849BF73BE4AB05306F04057BD466962A0E3B8A6C5CB5A

Function 0041CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0041CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFF2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 301e13ee209039efb2013a641d3d7d2cfd4dae0ab67ff5cf5ceb7c253e7a7480
Instruction ID: edea85d1c3e507b7977fb7e8a68d33e329276b60b5e6d0bfea6ff290e7e8e45c
Opcode Fuzzy Hash: 301e13ee209039efb2013a641d3d7d2cfd4dae0ab67ff5cf5ceb7c253e7a7480
Instruction Fuzzy Hash: B2314D71540205AFDB20DFA5CCC4AEBBBF9EB14354B10446EF516E2280D734ED829B68

Function 00401901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00401915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004019E2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2baca359f894c31f9726949b0b8323c6f55b22dc8f180cc494cb1567a01565d4
Instruction ID: 4bf0ef98fc6630edd34a04762729d9b17b3e5092f0ffc5fce824265a8ffd2863
Opcode Fuzzy Hash: 2baca359f894c31f9726949b0b8323c6f55b22dc8f180cc494cb1567a01565d4
Instruction Fuzzy Hash: F831C0B1A00219EFCB00CFA8CD99ADE3BB5EB05315F10423AF921B72E1C7749954DB94

Function 00435706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00435745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0043579D
_wcslen.LIBCMT ref: 004357AF
_wcslen.LIBCMT ref: 004357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00435816

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 16876efb33c42645a6dc3ea63d2e49099687f24f805449752008e50c0c9fd03d
Instruction ID: 28008e590ced889464dca875d15d7ac2d8d9db88ec5f16b1d17a773433057b23
Opcode Fuzzy Hash: 16876efb33c42645a6dc3ea63d2e49099687f24f805449752008e50c0c9fd03d
Instruction Fuzzy Hash: 9021A5759046189ADB20DF64CC85BEE77B8FF18324F109217E929EA280D7748985CF55

Function 00420930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00420951
GetForegroundWindow.USER32 ref: 00420968
GetDC.USER32(00000000), ref: 004209A4
GetPixel.GDI32(00000000,?,00000003), ref: 004209B0
ReleaseDC.USER32(00000000,00000003), ref: 004209E8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4735d60da03464345e1afeffd2525e617f09266f76e2b0277e23626319efebc2
Instruction ID: e6f9484d375769edbd9adb4916a77ac8e25a2fab829a01a1b6226768524bd975
Opcode Fuzzy Hash: 4735d60da03464345e1afeffd2525e617f09266f76e2b0277e23626319efebc2
Instruction Fuzzy Hash: 2A218E75A00214AFD704EF65D985AAEBBF9EF49700F14807DE84AA7762CB34AC44CB94

Function 003DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003DCDE9

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003DCE0F
_free.LIBCMT ref: 003DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003DCE31

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 9e362528522f8586cb07d31008f71e83c85402fe2af250b89603c774bc26ebd6
Instruction ID: 512d4f5e4a9b6f798e797aee948e28ed2ae9a137362d007f4b6f4c77f2b12b1f
Opcode Fuzzy Hash: 9e362528522f8586cb07d31008f71e83c85402fe2af250b89603c774bc26ebd6
Instruction Fuzzy Hash: 6101D8B36212167F672216BA7C88D7BBA6DDEC6BA2315112BFD05D7300DA608E01D2B4

Function 003B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
SelectObject.GDI32(?,00000000), ref: 003B96A2
BeginPath.GDI32(?), ref: 003B96B9
SelectObject.GDI32(?,00000000), ref: 003B96E2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76da8bf315652731fdb49851e0e5429e36f18cb2f4cfb07cadb088d2f0a4d289
Instruction ID: a3db00e63e40faafa6005cbf4740330a1acdb4a0a87329469766494c5630653a
Opcode Fuzzy Hash: 76da8bf315652731fdb49851e0e5429e36f18cb2f4cfb07cadb088d2f0a4d289
Instruction Fuzzy Hash: 972171B1802309EFDB129F68DC557E97BB8BB10329F110227F714A65B0D3705892CF98

Function 00405711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00405726
_memcmp.LIBVCRUNTIME ref: 00405744
_memcmp.LIBVCRUNTIME ref: 00405757
_memcmp.LIBVCRUNTIME ref: 0040576F
_memcmp.LIBVCRUNTIME ref: 00405787

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 505a7ce9730d790c867ba0fa53c70f0d3c885d7f1b49117104fc4d6c17efe74a
Instruction ID: a772ff09f3da3df6f3b74946ba5f4f6672162f84e41266919aef21b95b97bae7
Opcode Fuzzy Hash: 505a7ce9730d790c867ba0fa53c70f0d3c885d7f1b49117104fc4d6c17efe74a
Instruction Fuzzy Hash: 3A01D6A5681605BAD70855109E42FBB634CEB25398F100036FD04AF682F638ED15A6A9

Function 003D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003CF2DE,003D3863,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6), ref: 003D2DFD
_free.LIBCMT ref: 003D2E32
_free.LIBCMT ref: 003D2E59
SetLastError.KERNEL32(00000000,003A1129), ref: 003D2E66
SetLastError.KERNEL32(00000000,003A1129), ref: 003D2E6F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2893db95fb07adaa219bbc8455d2e94f5225f926a0060ec2f6479ea3317d29e8
Instruction ID: 63fe8efb206cce014a9979a6b267b156bab821caeafae1904e0d0effd9ab3fa8
Opcode Fuzzy Hash: 2893db95fb07adaa219bbc8455d2e94f5225f926a0060ec2f6479ea3317d29e8
Instruction Fuzzy Hash: EA01F4336456006BC6132734BC85D6B275DABF23B2B26443BF825A7392EBB4CC154121

Function 0040000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?,?,0040035E), ref: 0040002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?), ref: 00400064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400070

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1d1c373d45dfa4a8bfbf573a2b7271a66bb56fbd50457ebc5e06f4044ac66b7e
Instruction ID: 1e9ba822aa236b9818bcb5a6626a114c8d156bb6b524c6b35bd3bf75a1974100
Opcode Fuzzy Hash: 1d1c373d45dfa4a8bfbf573a2b7271a66bb56fbd50457ebc5e06f4044ac66b7e
Instruction Fuzzy Hash: 9C01A276600204BFDB105F68EC48FAA7AEDEF44752F245135F905F2250DB79DE408BA4

Function 0040E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0040E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0040E9A5
Sleep.KERNEL32(00000000), ref: 0040E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0040E9B7
Sleep.KERNEL32 ref: 0040E9F3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 38c61114b4d5c06e6a5f7ded9a3b6373c68750818ea177dba82c7ceea4c78b8b
Instruction ID: 27b24c4345fdc41f1dcef9754af59b48704b13f36ae39aec3e23b69051d93407
Opcode Fuzzy Hash: 38c61114b4d5c06e6a5f7ded9a3b6373c68750818ea177dba82c7ceea4c78b8b
Instruction Fuzzy Hash: 4C015271C0162DDBCF009FE6DD996DEBB78FF09701F000966E502B2291CB389565DBAA

Function 004010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 49e8e7b4df3669508f838bae9518e49a4b7acdddb419439f43207ede3a81edde
Instruction ID: 08e415be5de0b21e0dfe012a65a2cd66f51d2fd3e1e11f4c439799fb8781c806
Opcode Fuzzy Hash: 49e8e7b4df3669508f838bae9518e49a4b7acdddb419439f43207ede3a81edde
Instruction Fuzzy Hash: D9011975200215BFDB155FA5DC89A6B3B6EEF893A0B204429FA45E73A0DB31DC009B64

Function 00400FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00400FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00400FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00400FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00400FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00401002

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2ba99b9b0c132d1098cb1c0033d5c6870b948b8b3689a527ede00494255fc215
Instruction ID: 31096d3e23ff7a29fd1a07b66e51378a2e6ad88b0d77f3fd4488fdffc72dce3f
Opcode Fuzzy Hash: 2ba99b9b0c132d1098cb1c0033d5c6870b948b8b3689a527ede00494255fc215
Instruction Fuzzy Hash: E7F06D35240301EBEB224FA4DC8DF5B3BADEF89762F104425FA85E72A1CA74DC508B64

Function 00401014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0040102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00401036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0040104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401062

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 97e9d2fc559076cddddfaa24f0987800955446a523bdd4ab04bfa1760776b292
Instruction ID: d9599d2c819b07def7672eaf9488c96b8766bb41fb7932b48464ddb9047302b2
Opcode Fuzzy Hash: 97e9d2fc559076cddddfaa24f0987800955446a523bdd4ab04bfa1760776b292
Instruction Fuzzy Hash: 60F06D35240301EBEB215FA4EC89F5B3BADEF89761F100425FA85F72A0CA74D8508B64

Function 0041030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410324
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410331
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 0041033E
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 0041034B
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410358
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410365

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fd79626b85aaf0d8e5385f70096a280725b6c0ca1c4b512d5f73ecf80db534d7
Instruction ID: b38640b3f918ee533f41c0fff424d9ba8ed5d47329abb38d9189be5542d28f41
Opcode Fuzzy Hash: fd79626b85aaf0d8e5385f70096a280725b6c0ca1c4b512d5f73ecf80db534d7
Instruction Fuzzy Hash: 5D01A272800B199FC730AF66D880453F7F5BF503153158A3FD5A652A31C3B5A995DF84

Function 003DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003DD752

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DD764
_free.LIBCMT ref: 003DD776
_free.LIBCMT ref: 003DD788
_free.LIBCMT ref: 003DD79A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 86f6f85e9cd5f9f206823724b9af13c90e816eb650cb5a729ff741039fe34dc0
Instruction ID: 857818c2426ec1c9f74e25b4c83def33af8cceb2f28b7dba127ea5fb84a72d22
Opcode Fuzzy Hash: 86f6f85e9cd5f9f206823724b9af13c90e816eb650cb5a729ff741039fe34dc0
Instruction Fuzzy Hash: D9F04F73540204AB8622FF64F9C1C2777DDBB45310B950857F098DB601D730FC808A65

Function 00405C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00405C6F
MessageBeep.USER32(00000000), ref: 00405C87
KillTimer.USER32(?,0000040A), ref: 00405CA3
EndDialog.USER32(?,00000001), ref: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 637970d5c65c312db375eb2d6a6896a3b0761c64d320f28669a34388d30fd266
Instruction ID: c7cedf559bb32d530ce4a310f6d40499f7e8755aa3026da69104e02491b63036
Opcode Fuzzy Hash: 637970d5c65c312db375eb2d6a6896a3b0761c64d320f28669a34388d30fd266
Instruction Fuzzy Hash: 030144315047049BFB215B10DD8FFA777B8EB00705F04157AA552B10E1D7B859448F55

Function 003D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003D22BE

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003D22D0
_free.LIBCMT ref: 003D22E3
_free.LIBCMT ref: 003D22F4
_free.LIBCMT ref: 003D2305

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6db5a16e5922c9a4ae9bff2438440a94ccfa9df4877cb0a18cf5234e5fbac129
Instruction ID: d30f45ccf0f04bbfed907eb3296c917187868811ab0d2f32c48f3f2cc0ceb446
Opcode Fuzzy Hash: 6db5a16e5922c9a4ae9bff2438440a94ccfa9df4877cb0a18cf5234e5fbac129
Instruction Fuzzy Hash: 37F05472401110CB8623BF78BC5181A3B64F7297517010567F418D7372DB7104A1BFED

Function 003B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003B95D4
StrokeAndFillPath.GDI32(?,?,003F71F7,00000000,?,?,?), ref: 003B95F0
SelectObject.GDI32(?,00000000), ref: 003B9603
DeleteObject.GDI32 ref: 003B9616
StrokePath.GDI32(?), ref: 003B9631

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1dd1517e04323d593bb63effd5ad51210d286939cf8986b30935abe6ecc9ded6
Instruction ID: d1bc68366b62a787df1974bbb82a3c05b9f5d39b6e70663e2ec751a3f3efe9a5
Opcode Fuzzy Hash: 1dd1517e04323d593bb63effd5ad51210d286939cf8986b30935abe6ecc9ded6
Instruction Fuzzy Hash: 1EF037B1006248EBDB265F69ED5CBA43F75AB01336F048235F729694F0C7348992DF28

Function 003D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003D10F9
__freea.LIBCMT ref: 003D1117

Part of subcall function 003D1537: _free.LIBCMT ref: 003D154F

Strings

am/pm, xrefs: 003D117A
a/p, xrefs: 003D11DE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: cc57e26e50c93bab9797c694858bb0de31904fad00b34c5f66fd8c6a0adfab11
Instruction ID: 9f61ed5bb479147dc147330100b7f7e4e8386707ad02dd463001ae2587f61f19
Opcode Fuzzy Hash: cc57e26e50c93bab9797c694858bb0de31904fad00b34c5f66fd8c6a0adfab11
Instruction Fuzzy Hash: 70D1F27B900206EBDB2B9F68E845BFAB7B5EF05700F29011BE9019BB51D3759D80CB91

Function 004261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 003C0242: EnterCriticalSection.KERNEL32(0047070C,00471884,?,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C024D
Part of subcall function 003C0242: LeaveCriticalSection.KERNEL32(0047070C,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C028A

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

__Init_thread_footer.LIBCMT ref: 00426238

Part of subcall function 003C01F8: EnterCriticalSection.KERNEL32(0047070C,?,?,003B8747,00472514), ref: 003C0202
Part of subcall function 003C01F8: LeaveCriticalSection.KERNEL32(0047070C,?,003B8747,00472514), ref: 003C0235

Part of subcall function 0041359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004135E4
Part of subcall function 0041359C: LoadStringW.USER32(00472390,?,00000FFF,?), ref: 0041360A

Strings

x#G, xrefs: 00426353
x#G, xrefs: 0042633A
x#G, xrefs: 0042636F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#G$x#G$x#G
API String ID: 1072379062-3675027381
Opcode ID: 5a74bc3dbce68a74fd09b231ba769c87a9af1316c2a27829ba20af6778e6c2cd
Instruction ID: 9973d1ab0c99f659fb18e0cafbc8bbf7319540fb13ae1d7863d0ef641c6097d2
Opcode Fuzzy Hash: 5a74bc3dbce68a74fd09b231ba769c87a9af1316c2a27829ba20af6778e6c2cd
Instruction Fuzzy Hash: 4BC1BD31A00115AFCB15EF58D890EBEB7B9EF48300F51806AF945AB391DB74ED85CBA4

Function 003D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO:, xrefs: 003D5BA8, 003D5C6C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: JO:
API String ID: 0-866212732
Opcode ID: 34f1c6fb84d80fe756ea1c0ca61dc43f39ea854fa58baccd04a02fb7262c4636
Instruction ID: d385854b3a35754f0f163c2ff959f07b397d9183067911dec423dc70fdfdc5b4
Opcode Fuzzy Hash: 34f1c6fb84d80fe756ea1c0ca61dc43f39ea854fa58baccd04a02fb7262c4636
Instruction Fuzzy Hash: F951BF76D10609AFDB239FA8E845FAEBFB8AF05310F15005BF405AB392D7719A01DB61

Function 003D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003D8B7A
__dosmaperr.LIBCMT ref: 003D8B81

Strings

.<, xrefs: 003D8A63

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .<
API String ID: 2434981716-2261328457
Opcode ID: 2eeca1a4351e64ccb027b78bdda6c7ad5adc1744d735e7b83c2c430275f3e456
Instruction ID: b0fd8e7a7c2e808abae4a83a27c2e164fcdc1a551e9590a59fd8c86cc263ce54
Opcode Fuzzy Hash: 2eeca1a4351e64ccb027b78bdda6c7ad5adc1744d735e7b83c2c430275f3e456
Instruction Fuzzy Hash: C941A172604085AFDB279F28EC80A7D7FA5DF45304F2945ABF8848B742DE31EC029794

Function 00402716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004021D0,?,?,00000034,00000800,?,00000034), ref: 0040B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00402760

Part of subcall function 0040B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0040B3F8

Part of subcall function 0040B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0040B355
Part of subcall function 0040B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00402194,00000034,?,?,00001004,00000000,00000000), ref: 0040B365
Part of subcall function 0040B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00402194,00000034,?,?,00001004,00000000,00000000), ref: 0040B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0040281A

Strings

@, xrefs: 00402832

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: db7a8893fc2ddb1d000f3e338f51974289954595fce413c041129c90e028cd43
Instruction ID: 3d95bddae58544b07f2c8cb1591b6e77adedca732274a482619839ca23d9889f
Opcode Fuzzy Hash: db7a8893fc2ddb1d000f3e338f51974289954595fce413c041129c90e028cd43
Instruction Fuzzy Hash: 69414F76900218BFDB11DFA4CD85ADEBBB8EF05304F10406AFA55B7181DB746E45CBA4

Function 003D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 003D1769
_free.LIBCMT ref: 003D1834
_free.LIBCMT ref: 003D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 003D1760, 003D1767, 003D1796, 003D17CE

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 2c29c1c127f1daa5d6b6028bb7af1bf74875d84a1eb831b8984a2bc75bfb240d
Instruction ID: 64e40c154d896cded5b949922ca3d2113259594d4d0c2d5f023c7d239057e2e9
Opcode Fuzzy Hash: 2c29c1c127f1daa5d6b6028bb7af1bf74875d84a1eb831b8984a2bc75bfb240d
Instruction Fuzzy Hash: 66315076A00258BFDB22DB99E885D9EBBFCEB95310B1541A7F404EB321D7708E40DB94

Function 0040C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0040C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0040C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00471990,016E6538), ref: 0040C395

Strings

0, xrefs: 0040C2DF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 2484f0db742b1297998977a05d638ebb3199d688435b66d156d5cf7cb86dcce2
Instruction ID: eac54e6b093edf00d88d1245ffe5123c62fc13471ffaca46d45162ebeb146f12
Opcode Fuzzy Hash: 2484f0db742b1297998977a05d638ebb3199d688435b66d156d5cf7cb86dcce2
Instruction Fuzzy Hash: F0416D31214301DFD720DF25D8C4B5ABBE4AF85314F14872EEDA5A72D1D734A904CB6A

Function 00434416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0043CC08,00000000,?,?,?,?), ref: 004344AA
GetWindowLongW.USER32 ref: 004344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004344D7

Strings

SysTreeView32, xrefs: 0043447C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e00038cd2db598cc1336515e10b39af236e67ae5eebee9ffd309acc088e90ab3
Instruction ID: 38408f0ddb05e261ba18f82606b11440cdef62e450c0f263c3cec7d5c5cf94fa
Opcode Fuzzy Hash: e00038cd2db598cc1336515e10b39af236e67ae5eebee9ffd309acc088e90ab3
Instruction Fuzzy Hash: E731B032200605AFDF219E38DC45BDB77A9EB48334F205326F975A22D0D778EC509B54

Function 00406E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00406EED
VariantCopyInd.OLEAUT32(?,?), ref: 00406F08
VariantClear.OLEAUT32(?), ref: 00406F12

Strings

*j@, xrefs: 00406E8B, 00406E90, 00406EF8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j@
API String ID: 2173805711-592828569
Opcode ID: 67d0e5befbb342693eb018a7b4905ab2d4b362f908e4db7335778f97dac76398
Instruction ID: 57a3cd54a581213b80657da1c46a781969d5900135055f7dbf6f9110e7e6292a
Opcode Fuzzy Hash: 67d0e5befbb342693eb018a7b4905ab2d4b362f908e4db7335778f97dac76398
Instruction Fuzzy Hash: CA318F71704246DFCB05AFA4E8909BE7776EF46700B1104AAF9075F2A2C7389922DB99

Function 0042304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00423077,?,?), ref: 00423378

inet_addr.WSOCK32(?), ref: 0042307A
_wcslen.LIBCMT ref: 0042309B
htons.WSOCK32(00000000), ref: 00423106

Strings

255.255.255.255, xrefs: 00423095, 0042309A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fa4280667aaa7c2dccdc11c7f8f643b888efca78c539ab9373eeec0cc850e51c
Instruction ID: d0f8dd3dacc87448a0e33281c6539c23edad25fd8d64583a5d691be7903e90e1
Opcode Fuzzy Hash: fa4280667aaa7c2dccdc11c7f8f643b888efca78c539ab9373eeec0cc850e51c
Instruction Fuzzy Hash: F931CF353002219FCB10CF68D486EAA77B0EF14319FA4809AE8158B392DB7AEE41C775

Function 00434653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00434705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00434713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0043471A

Strings

msctls_updown32, xrefs: 00434684

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 14957d6a6d0511245875dffc7935243b6fcf05050431d36632350294efc588a3
Instruction ID: a457160b138ead54d63df264e8ccda69042c0a9a91fa8a201d3f9013de4a3ae2
Opcode Fuzzy Hash: 14957d6a6d0511245875dffc7935243b6fcf05050431d36632350294efc588a3
Instruction Fuzzy Hash: 6E215EB5600208AFEB11DF68DCC1DA737ADEB8A394B14105AFA049B3A1CB74FC51CB64

Function 004095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040961D

Strings

#notrayicon, xrefs: 004095B7
#OnAutoItStartRegister, xrefs: 004095F3
#requireadmin, xrefs: 004095D9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b417771072aca1199231a7d1070faa093101dee262785827c4add5d0ab11f867
Instruction ID: cb30ab0e4d1ebc40a6c38cd2481147f2a236796052290fcf24c47c8f633068f0
Opcode Fuzzy Hash: b417771072aca1199231a7d1070faa093101dee262785827c4add5d0ab11f867
Instruction Fuzzy Hash: 1321F67220451166D332BB259C02FB7B3D89F65310F14443BF949AB2C2EB7AAE46D399

Function 004337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00433840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00433850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00433876

Strings

Listbox, xrefs: 0043380F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 73a99ec73098da9da7e7d87a9ae287eff689d70778504c850e283ac3a80b5be0
Instruction ID: 034cbbe33cd2fb0362147dc32d0918c8c897f08cc061db767a3e93218d697ce8
Opcode Fuzzy Hash: 73a99ec73098da9da7e7d87a9ae287eff689d70778504c850e283ac3a80b5be0
Instruction Fuzzy Hash: 4321FF72600218BBEF219F54CC81FBB37AEEF89760F109125F9049B290C775DC528BA4

Function 004149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00414A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00414A5C
SetErrorMode.KERNEL32(00000000,?,?,0043CC08), ref: 00414AD0

Strings

%lu, xrefs: 00414A6F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ff31591ca0efc1eab07189836502e572f2ae6fde8c0f61dfe70d48498effca56
Instruction ID: d54369ab4ccf484624a9573caca82fa59e71af3fc68efddb620d1524d7abad5d
Opcode Fuzzy Hash: ff31591ca0efc1eab07189836502e572f2ae6fde8c0f61dfe70d48498effca56
Instruction Fuzzy Hash: 6E31AE74A00108AFCB10DF54C880EAA7BF8EF49318F1480A9F908EF252D735EE45CB61

Function 004341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0043424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00434264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00434271

Strings

msctls_trackbar32, xrefs: 00434226

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 96360a206f8b7a805cbe20aa776df66d66f7c941b72c09eabfe920d1d556f624
Instruction ID: de01a3391ca3e89dc795cc8290a5723016f3f0cd15811befdeeba3b00a3e3bf7
Opcode Fuzzy Hash: 96360a206f8b7a805cbe20aa776df66d66f7c941b72c09eabfe920d1d556f624
Instruction Fuzzy Hash: 1811E7312402087EEF205E29CC06FEB3BACEF89764F111125FA55E61A0D275E8519714

Function 00402F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Part of subcall function 00402DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00402DC5
Part of subcall function 00402DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00402DD6
Part of subcall function 00402DA7: GetCurrentThreadId.KERNEL32 ref: 00402DDD
Part of subcall function 00402DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00402DE4

GetFocus.USER32 ref: 00402F78

Part of subcall function 00402DEE: GetParent.USER32(00000000), ref: 00402DF9

GetClassNameW.USER32(?,?,00000100), ref: 00402FC3
EnumChildWindows.USER32(?,0040303B), ref: 00402FEB

Strings

%s%d, xrefs: 00402FFF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a663f6e22f07c1a40fc32da86ee7fd7a69a40e82e255d1859aeea46856cda14f
Instruction ID: 051ed9a11ca36842323420c59d8894e4e497d036f644114713f59430eb977ffb
Opcode Fuzzy Hash: a663f6e22f07c1a40fc32da86ee7fd7a69a40e82e255d1859aeea46856cda14f
Instruction Fuzzy Hash: 5A11D5716002056BCF01BF618DD6EEE776AAF84304F04507AB909AB2D2DE7899058B74

Function 00435882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004358EE
DrawMenuBar.USER32(?), ref: 004358FD

Strings

0, xrefs: 0043588F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ed6d7488f67993186a24d8255abd950b1332d6a91be2973b536f3652aeda2236
Instruction ID: 528654e80b56b632a4a50569f3c51716a82e09dba0866b1afe2111a02fa34e5f
Opcode Fuzzy Hash: ed6d7488f67993186a24d8255abd950b1332d6a91be2973b536f3652aeda2236
Instruction Fuzzy Hash: F1016D71500218EFDB219F11DC44BEFBBB5FF49360F1090AAE949DA251DB348A94DF25

Function 003FD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003FD3BF
FreeLibrary.KERNEL32 ref: 003FD3E5

Strings

X64, xrefs: 003FD2A8
GetSystemWow64DirectoryW, xrefs: 003FD3B9

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 0933daa0e2b137e9c747ec96d262b7b0d0c27eb8916aebe557cd7dd828b3371b
Instruction ID: f1ab20437f55e386c29cec7b54edbad613bdc2e2ec9ef371f0317ef5db564b9f
Opcode Fuzzy Hash: 0933daa0e2b137e9c747ec96d262b7b0d0c27eb8916aebe557cd7dd828b3371b
Instruction Fuzzy Hash: 27F0EC29505625ABEB3352104C9C9B93319AF10701F55D557EB03F1518D764CD446BDB

Function 0040007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace138a905c09a147da653d3c2438bd23279e6b021e7f6c9e89604d28c6eaead
Instruction ID: 3aba144dd38b621e48a62a3fee0d918e28600032c9f7eff269d104232f9f22c5
Opcode Fuzzy Hash: ace138a905c09a147da653d3c2438bd23279e6b021e7f6c9e89604d28c6eaead
Instruction Fuzzy Hash: 59C13A75A0020AAFDB15CFA4C894FAEB7B5FF48304F1085A9E905EB291D735DE41CB94

Function 0042342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00423459
CoUninitialize.OLE32 ref: 00423463
VariantInit.OLEAUT32(?), ref: 0042346E
VariantClear.OLEAUT32(?), ref: 0042371B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fd1fcb0a55dfd547110911e2d951fea673c3977dc59e5d9ae5244024e0b09a4a
Instruction ID: de42750af8bfe810d63bc3d5d31522f3a110b4db6243050a3887c1fdda1d14e8
Opcode Fuzzy Hash: fd1fcb0a55dfd547110911e2d951fea673c3977dc59e5d9ae5244024e0b09a4a
Instruction Fuzzy Hash: AFA16B757042109FC711EF24C885A2AB7E5FF89714F04885EF98A9B362DB38ED01CB96

Function 00400436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0043FC08,?), ref: 004005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0043FC08,?), ref: 00400608
CLSIDFromProgID.OLE32(?,?,00000000,0043CC40,000000FF,?,00000000,00000800,00000000,?,0043FC08,?), ref: 0040062D
_memcmp.LIBVCRUNTIME ref: 0040064E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a8dc4cf112d6c9620ac10d9f8b04bc87d7814499a086a406a2bf08aaab67a3a2
Instruction ID: 45b90aa33db4105d0536175da45e5289226bbcc1e9dbd6340c0bdb3e934bc445
Opcode Fuzzy Hash: a8dc4cf112d6c9620ac10d9f8b04bc87d7814499a086a406a2bf08aaab67a3a2
Instruction Fuzzy Hash: 1C813B71A00109EFCB04DF94C984EEEB7B9FF89315F204569E506BB290DB75AE06CB64

Function 0042A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0042A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0042A6BA

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0042A79C
CloseHandle.KERNEL32(00000000), ref: 0042A7AB

Part of subcall function 003BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003E3303,?), ref: 003BCE8A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9c08ef86326d998e2ff3bb43716a10ae66471dd21f07e8f2419a8164e0539f6c
Instruction ID: f4a011c22227820eae318725953e2f5f24c6b5233015a5754a579927e4d234a5
Opcode Fuzzy Hash: 9c08ef86326d998e2ff3bb43716a10ae66471dd21f07e8f2419a8164e0539f6c
Instruction Fuzzy Hash: 535180715083109FD711EF24D886A6BBBE8FF89754F40892EF9859B251EB34D904CB92

Function 003E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003E14C0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1cc23cb59a41371800e971d71f0abfce9a5c5b40feb0fe8898f43016467f42f4
Instruction ID: 7554340c7ea92042bec2ca5ed287473ff9276e5a4db955307d647bfc9a3cc8f8
Opcode Fuzzy Hash: 1cc23cb59a41371800e971d71f0abfce9a5c5b40feb0fe8898f43016467f42f4
Instruction Fuzzy Hash: 14416F36600560ABDB236BBB9C45FBE3AB5EF42330F15072AF418DA3D2E6344C419B61

Function 00436278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004362E2
ScreenToClient.USER32(?,?), ref: 00436315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00436382

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f9daf2c6629658800dcff08342d368c8886b2336a36ae3b4d88d163be4887f13
Instruction ID: 902652e7a1f15771b6c9b938a9f0d7a9ce2db4b962f79e0ac1a2b99ec70b46bd
Opcode Fuzzy Hash: f9daf2c6629658800dcff08342d368c8886b2336a36ae3b4d88d163be4887f13
Instruction Fuzzy Hash: DC514A75A0020AAFCB10DF68D8809AF7BB5EB49360F11916AF9159B3A0D734ED81CB54

Function 00421AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00421AFD
WSAGetLastError.WSOCK32 ref: 00421B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00421B8A
WSAGetLastError.WSOCK32 ref: 00421B94

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e518cb07c4eb416d64891ea12df182b2c19f3efe37c56a58640245c9e62bebbf
Instruction ID: 368dc9651a5a719b1e10fb8296dcf622ddc8c0fd74c8bc70eabbf7ebe7f4ebcc
Opcode Fuzzy Hash: e518cb07c4eb416d64891ea12df182b2c19f3efe37c56a58640245c9e62bebbf
Instruction Fuzzy Hash: 9441DF34700200AFE721AF20D886F2A7BE5EF45718F548458FA1A9F7D2D776ED428B90

Function 003DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cb663e8f1e85f17d87d52c112f859f645f764a7de49a3654a0f11d5d4843b9
Instruction ID: 17284c73aed1503a472ece69ade16ca387d0f97a003902f742cb9d4383f50abf
Opcode Fuzzy Hash: f8cb663e8f1e85f17d87d52c112f859f645f764a7de49a3654a0f11d5d4843b9
Instruction Fuzzy Hash: D941D1B6A00254EFD726DF39D841BAABBB9EB88710F11862FF141DB782D77199018790

Function 004156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00415783
GetLastError.KERNEL32(?,00000000), ref: 004157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004157FA

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a1a833cf74dadbb865bb9faa6711af61a600718b94a47eb353d5ab2d7385a3b1
Instruction ID: 8c2bd466d7cfcdceae4041c5cd5fd1a442f49da1d61a4d9adf039f9b9278b603
Opcode Fuzzy Hash: a1a833cf74dadbb865bb9faa6711af61a600718b94a47eb353d5ab2d7385a3b1
Instruction Fuzzy Hash: 4F412D39600610DFCB11EF15C485A5EBBE2EF8A720F188499E84A6F362CB34FD40CB95

Function 003DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,003C6D71,00000000,00000000,003C82D9,?,003C82D9,?,00000001,003C6D71,?,00000001,003C82D9,003C82D9), ref: 003DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003DD9AB
__freea.LIBCMT ref: 003DD9B4

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 23e61d9643612d442769dfa7e182e4aba4bf3c853f3d0d1fb2d388f437d29555
Instruction ID: 1404218adcf8aaca62fb26b5f7890e4286a49f99a06ca6787154d1ae870b8ae4
Opcode Fuzzy Hash: 23e61d9643612d442769dfa7e182e4aba4bf3c853f3d0d1fb2d388f437d29555
Instruction Fuzzy Hash: AB31C172A0021AABDF26DF65EC91EAF7BA5EB41310F064169FC04DB250EB36DD50DB90

Function 004352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00435352
GetWindowLongW.USER32(?,000000F0), ref: 00435375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00435382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004353A8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 25bcaa0884f77a8d7b22ed596893c39251dfdf43387e4074c693f2d7c14ecbb1
Instruction ID: ac75f4e461b770f3fef7b28f4d1e0ae825061c37eb74e1b0f95e77cfae728f71
Opcode Fuzzy Hash: 25bcaa0884f77a8d7b22ed596893c39251dfdf43387e4074c693f2d7c14ecbb1
Instruction Fuzzy Hash: DA31C434A55A08EFEB309E14CC46BEA3765EB0C390F586113FE10962E1C7B89981DB4A

Function 0040AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0040ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0040AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0040AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0040ACC6

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 04e6a174ad3e3198acc2e86f8dfaa9c20e00630a3277cffb1919f56de5e70b65
Instruction ID: 733475d4f6f5c3ab620da0a6f0c5847a7214828d900abb74fd72f4fa65941b61
Opcode Fuzzy Hash: 04e6a174ad3e3198acc2e86f8dfaa9c20e00630a3277cffb1919f56de5e70b65
Instruction Fuzzy Hash: 50311830A087186FFB35CB658C09BFF7AA5AB45314F05423BE485762D1C37C89A1879A

Function 00437674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0043769A
GetWindowRect.USER32(?,?), ref: 00437710
PtInRect.USER32(?,?,00438B89), ref: 00437720
MessageBeep.USER32(00000000), ref: 0043778C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f9175009ad601448f88512d08a9965702b27b7adb80a57a058dcb3aa267cd687
Instruction ID: 415f64560b22bb72d1f2e3a49accd8b26bbe4f7830afd44d1eeb5ebe8d54501b
Opcode Fuzzy Hash: f9175009ad601448f88512d08a9965702b27b7adb80a57a058dcb3aa267cd687
Instruction Fuzzy Hash: 6441ADB4605214EFCB21CF58C895EA977F4FB4D314F1850AAE5949B361C338B942CF98

Function 004316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004316EB

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

GetCaretPos.USER32(?), ref: 004316FF
ClientToScreen.USER32(00000000,?), ref: 0043174C
GetForegroundWindow.USER32 ref: 00431752

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 01f95a3f02750a7e200dc2e6c1eee67953e503ac32a8ff1c18b300beba3bf4f1
Instruction ID: c3d3446b146f77a49e3321896dfbba2b38746ca705493e718b872da61ee1a94e
Opcode Fuzzy Hash: 01f95a3f02750a7e200dc2e6c1eee67953e503ac32a8ff1c18b300beba3bf4f1
Instruction Fuzzy Hash: DD315275E00149AFC701DFAAC8C1CAEBBFDEF49304B54806AE415E7251D7359E45CBA4

Function 00438FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

GetCursorPos.USER32(?), ref: 00439001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003F7711,?,?,?,?,?), ref: 00439016
GetCursorPos.USER32(?), ref: 0043905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003F7711,?,?,?), ref: 00439094

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bd48690c81b7cfbfa7717e7332b9f9ca44f84293b3247918d59a82abf2761c15
Instruction ID: 68bfa30bb0f87b8215e81454141254cfa40cb7062c11edf6174921973dd5e538
Opcode Fuzzy Hash: bd48690c81b7cfbfa7717e7332b9f9ca44f84293b3247918d59a82abf2761c15
Instruction Fuzzy Hash: C321BF35600118FFCB298F98C898EEB3BB9EB89350F004066FA055B261C3759D91DB64

Function 0040D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043CB68), ref: 0040D2FB
GetLastError.KERNEL32 ref: 0040D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0043CB68), ref: 0040D376

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c2940d2140838db88dda25c3d2adb85d3d318a47eb9893a6916ea9ec27f009a0
Instruction ID: 1631108fb6080d57d7b6bfcd134ae32c55db7b81b4c25c036f8e0cd466b45e4e
Opcode Fuzzy Hash: c2940d2140838db88dda25c3d2adb85d3d318a47eb9893a6916ea9ec27f009a0
Instruction Fuzzy Hash: 772191709043019FC700DF68C88146BB7E8EE5A364F104A6EF899E72E1D735D94ACB9B

Function 00401571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0040102A
Part of subcall function 00401014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00401036
Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401045
Part of subcall function 00401014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0040104C
Part of subcall function 00401014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004015BE
_memcmp.LIBVCRUNTIME ref: 004015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401617
HeapFree.KERNEL32(00000000), ref: 0040161E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ce5bf0212b58da367618b70df75e90b641cecb27e90a99967613e395659c6e8a
Instruction ID: b3070ed714e4afb7c5504c49b7370947f6363d0daa8d87ff7df5039dafa5d28d
Opcode Fuzzy Hash: ce5bf0212b58da367618b70df75e90b641cecb27e90a99967613e395659c6e8a
Instruction Fuzzy Hash: 4C216B31E40108AFDF14DFA4C945BEEB7B8EF84344F08486AE441BB291D735AA45DB94

Function 00432782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0043280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00432824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00432832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00432840

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 841d83d1f863fbe4e67435a6db163ed55acfce1d2c865cb8bad3998add42b8ef
Instruction ID: 5099788721b3fd45cd8a8f18f1b478db0fb59028214bec4eb37f0ecf30d5701e
Opcode Fuzzy Hash: 841d83d1f863fbe4e67435a6db163ed55acfce1d2c865cb8bad3998add42b8ef
Instruction Fuzzy Hash: 7C210331204520BFD714AF24C984FAABB95FF4A324F149259F4268B2E2C7B9FC42C794

Function 004078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?), ref: 00408D8C
Part of subcall function 00408D7D: lstrcpyW.KERNEL32(00000000,?,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00408DB2
Part of subcall function 00408D7D: lstrcmpiW.KERNEL32(00000000,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?), ref: 00408DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407923
lstrcpyW.KERNEL32(00000000,?,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407984

Strings

cdecl, xrefs: 0040797B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4a010348160d5b7ecff7a43c51fee2730607fcdbcc80bfa52b9c3a2a138f5f56
Instruction ID: d54639a9b08e2e92f44dedf5466f4d604f9d05ab23317306f025cff0f1bac103
Opcode Fuzzy Hash: 4a010348160d5b7ecff7a43c51fee2730607fcdbcc80bfa52b9c3a2a138f5f56
Instruction Fuzzy Hash: 3011E47A200201ABDB159F35C845D7B77A5EF45350B10403BE942DB3A4EB359811D7AA

Function 00437CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00437D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00437D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00437D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0041B7AD,00000000), ref: 00437D6B

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c66aa183e6e4270818ee72e903e1177912946a3e675ef6cb89f9d6592aa069c6
Instruction ID: af3cfaec7d6da05a95f2a008e310e0f8a1edee8fa6fbee0138a27805aa0ff0eb
Opcode Fuzzy Hash: c66aa183e6e4270818ee72e903e1177912946a3e675ef6cb89f9d6592aa069c6
Instruction Fuzzy Hash: 3711D2B1104664AFCB209F28CC04EA63BA4AF49360F11A325F979D72F0D7348951DB48

Function 00435660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004356BB
_wcslen.LIBCMT ref: 004356CD
_wcslen.LIBCMT ref: 004356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00435816

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ce7dd6f647ea3c56b1cd49f14f96c263749b43200730efa23321e96a80b38cb9
Instruction ID: 1f7b00818dada337baeb9c58b21a2ece3716b4a69a28a797f3b068cd00d03531
Opcode Fuzzy Hash: ce7dd6f647ea3c56b1cd49f14f96c263749b43200730efa23321e96a80b38cb9
Instruction Fuzzy Hash: 7711037160061896DB20EF65CC82BEF37BCEF19760F10502BF919D6181EB78CA84CB69

Function 003D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe1cdffbe22d82318135f0aa3eb8e08b29be639ca1e10f694bccd1c9b8ba268
Instruction ID: 59fb9316c058d4a3210d19f1137d96db08d4f0ea04ed4a3d1f8c0f701af89abe
Opcode Fuzzy Hash: 7fe1cdffbe22d82318135f0aa3eb8e08b29be639ca1e10f694bccd1c9b8ba268
Instruction Fuzzy Hash: 6A0178B32096167FEA2226787CC0F37661EDF423B8B310326B522A53D2DB608C409160

Function 00401A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00401A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A8A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7e738d7bf30a014964f64583654810e3aebc88a76bd123e30edf9ffaf5c0dac4
Instruction ID: 4532254d26270cbc232a9f83f679bd9664f792a6aaeec51aa05d5ddb140459b3
Opcode Fuzzy Hash: 7e738d7bf30a014964f64583654810e3aebc88a76bd123e30edf9ffaf5c0dac4
Instruction Fuzzy Hash: F5112E35A01219FFDB109BA5CD85F9DBB78EB04750F2000A2E500B7290D6716E50DB94

Function 0040E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0040E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0040E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040E24D

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bc075fd87755f031dbc718171426c1898148a7ee8cd562e466755d4b26ce1704
Instruction ID: dddfc7a340519157c2f2fc4af752f8a7e1507ccf0129d2ac1a25b1f9e57f6baa
Opcode Fuzzy Hash: bc075fd87755f031dbc718171426c1898148a7ee8cd562e466755d4b26ce1704
Instruction Fuzzy Hash: D7110872904214BBD7019BAC9C49A9F7FAC9B45314F00467AFC14F32D1D274CD1087A4

Function 003CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003CCFF9,00000000,00000004,00000000), ref: 003CD218
GetLastError.KERNEL32 ref: 003CD224
__dosmaperr.LIBCMT ref: 003CD22B
ResumeThread.KERNEL32(00000000), ref: 003CD249

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c8c1a1a6c75a59ac9efed530fe6e8d25f7e14cdf7d6672d2da7e42f46e2105bc
Instruction ID: 5577dc8b1f5004276996c8858074071eca5a85816edcb085aa6b8dd254a20fa1
Opcode Fuzzy Hash: c8c1a1a6c75a59ac9efed530fe6e8d25f7e14cdf7d6672d2da7e42f46e2105bc
Instruction Fuzzy Hash: 1101C076805208BBDB225BA5DC09FAA7A6DDF81330F21063DF925DA1D0CB70CD01D7A0

Function 00439EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

GetClientRect.USER32(?,?), ref: 00439F31
GetCursorPos.USER32(?), ref: 00439F3B
ScreenToClient.USER32(?,?), ref: 00439F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00439F7A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ac8e391b735aeb2e4e0077ea8022a3e6084d358050dfa975a9b6b736e3529f2a
Instruction ID: c2b7a77f42457dd8a63328d8f6c8f99992bab7ba9062bc9fe78e4cfe317c8f95
Opcode Fuzzy Hash: ac8e391b735aeb2e4e0077ea8022a3e6084d358050dfa975a9b6b736e3529f2a
Instruction Fuzzy Hash: 83115A7290011ABBDB10EFA9C885DEE77B8FB09315F105466F911E3150D778BE81CBA9

Function 003A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
GetStockObject.GDI32(00000011), ref: 003A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 38f5cef71d57da956b73553642ccc0e483857ce6f3044715b00fb8823ef73e36
Instruction ID: 51c6c80b0cdf6e5febe6734029cf37fec6539b70444e0e1c992e77dd2ced22c6
Opcode Fuzzy Hash: 38f5cef71d57da956b73553642ccc0e483857ce6f3044715b00fb8823ef73e36
Instruction Fuzzy Hash: 5711A172105509BFEF128FA48C45EEA7B6DEF0A354F050211FA1462010C7329CA0DB90

Function 003C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003C3B56

Part of subcall function 003C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003C3AD2
Part of subcall function 003C3AA3: ___AdjustPointer.LIBCMT ref: 003C3AED

_UnwindNestedFrames.LIBCMT ref: 003C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 003C3BA4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 999dd4153fd110d6aedeaf3f5c612939d0ab8839d9fd8798ebe4598e2e218b3d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E01E932100149BBDF126E95CC46EEB7B7DEF58754F058018FE489A121D732ED61DBA0

Function 003D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003A13C6,00000000,00000000,?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue), ref: 003D30A5
GetLastError.KERNEL32(?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue,00442290,FlsSetValue,00000000,00000364,?,003D2E46), ref: 003D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue,00442290,FlsSetValue,00000000), ref: 003D30BF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 20f1fbd3ea391a882c3af51d8adcd7537bb00994c6f071e3572a1eb0ecdfae19
Instruction ID: 01f411c5edf1fc6d33120258ae2fb40e8203ae4ac1e921eac39c2081d20a0b43
Opcode Fuzzy Hash: 20f1fbd3ea391a882c3af51d8adcd7537bb00994c6f071e3572a1eb0ecdfae19
Instruction Fuzzy Hash: 0201D433742222ABCB224B78BC849677B98AF05B61B150631F907F3240C721DD01C7E5

Function 00407464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0040747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00407497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004074CA

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7511237091bad3b649fc3f8ec5766ccf3280a6b642d1561fcc12ccb2ef04f6a1
Instruction ID: 9fcce6b8a82cbcafb09fc68ffe41be44b880ebd655e8577e1aa8fd4cd5ca8627
Opcode Fuzzy Hash: 7511237091bad3b649fc3f8ec5766ccf3280a6b642d1561fcc12ccb2ef04f6a1
Instruction Fuzzy Hash: 2211ADB5A05314ABE7208F14ED48B927BFCEB00B00F10857AE656E6191D7B4F904DBA6

Function 0040B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B126

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b7d181abbad5fe1484718a3bd5a0ccaf99a468d529697666d0d840d35aa42d46
Instruction ID: bbe622cc4a0234455ad89d87b94ca99bf68c99f38428bafcb545f8717e7640de
Opcode Fuzzy Hash: b7d181abbad5fe1484718a3bd5a0ccaf99a468d529697666d0d840d35aa42d46
Instruction Fuzzy Hash: 0A116131C0151CD7CF009FE4D9986EEBB78FF09751F1040A6D941B6281CB3455519B9D

Function 00437E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00437E33
ScreenToClient.USER32(?,?), ref: 00437E4B
ScreenToClient.USER32(?,?), ref: 00437E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00437E8A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bdfec92c1e9014ced5992b39fdb73da818a658350c8b73384d5b36511a60cbd0
Instruction ID: 35fe851f6752d53b98df8ea8dc8c8f27e501ef1e98919b86483a024fe3356b50
Opcode Fuzzy Hash: bdfec92c1e9014ced5992b39fdb73da818a658350c8b73384d5b36511a60cbd0
Instruction Fuzzy Hash: 6C1143B9D0020AAFDB51CF98C8859EEBBF5FB08310F505066E915E2210D735AA54CF54

Function 00402DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00402DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00402DD6
GetCurrentThreadId.KERNEL32 ref: 00402DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00402DE4

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: cdbf68d905e0b09e4296a4623b8398a23fbccf5be8db35f5941fbac05e56ca21
Instruction ID: 729bc7cf0e3103a74ca24787185592e332166e6c11bb66c7faa43604361791f7
Opcode Fuzzy Hash: cdbf68d905e0b09e4296a4623b8398a23fbccf5be8db35f5941fbac05e56ca21
Instruction Fuzzy Hash: BEE06D711412247ADB201B629C4EFEB3E6CEF42BA1F001026B105F10C09AA4C841C7B5

Function 00438863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96A2
Part of subcall function 003B9639: BeginPath.GDI32(?), ref: 003B96B9
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00438887
LineTo.GDI32(?,?,?), ref: 00438894
EndPath.GDI32(?), ref: 004388A4
StrokePath.GDI32(?), ref: 004388B2

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 504524023d9b21c3bed314d7abd7844da793507dbdae8c8d5a6e28c7bd6461d6
Instruction ID: d384b79650beadb41a1eecbbb9e2517c667e40607871a2cda4f0b80fbebb6b3c
Opcode Fuzzy Hash: 504524023d9b21c3bed314d7abd7844da793507dbdae8c8d5a6e28c7bd6461d6
Instruction Fuzzy Hash: 7BF03A36045658FADB166F98AC09FCA3B69AF0A310F048011FB12751E2C7795551DFAD

Function 003B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003B98CC
SetTextColor.GDI32(?,?), ref: 003B98D6
SetBkMode.GDI32(?,00000001), ref: 003B98E9
GetStockObject.GDI32(00000005), ref: 003B98F1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: cc848e7dd618b088790f302d812e4c599e9be4558430f7212feb5a22bb91d9a6
Instruction ID: 8f1a07b20c81bf51c5294443626f2185c8ac240de2e0765068d1b847bd43fc04
Opcode Fuzzy Hash: cc848e7dd618b088790f302d812e4c599e9be4558430f7212feb5a22bb91d9a6
Instruction Fuzzy Hash: 51E06531244244AADF215B75AC49BE83F10AB12335F048229F7F9A40E1C37146409F10

Function 0040162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00401634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004011D9), ref: 0040163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004011D9), ref: 00401648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004011D9), ref: 0040164F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8e5dc1b9fb355b0a6b32e193d13520b8db2ac7c83d907e34dd49adc9d80c281c
Instruction ID: 74afbdb2d2501f954c015b697208dff379518d18e082f27972def17c8b5c669c
Opcode Fuzzy Hash: 8e5dc1b9fb355b0a6b32e193d13520b8db2ac7c83d907e34dd49adc9d80c281c
Instruction Fuzzy Hash: EAE08632601211DBD7202FE09D4DB8B3B7CAF54791F144829F646E9090D7388444CB98

Function 003FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003FD858
GetDC.USER32(00000000), ref: 003FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003FD882
ReleaseDC.USER32(?), ref: 003FD8A3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e1e86c8b7dbc927ca7f7b1900b04d90fe8163e5bc655b66465c5b6a9f95d76a3
Instruction ID: ac7201854a40b227a81aa8e2dabf32406690d7f19a913192bde66726d149869c
Opcode Fuzzy Hash: e1e86c8b7dbc927ca7f7b1900b04d90fe8163e5bc655b66465c5b6a9f95d76a3
Instruction Fuzzy Hash: FAE04FB1800204DFCF42AFA0D88D66DBFB6FB08310F10A029F946F7260C7388902AF44

Function 003FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003FD86C
GetDC.USER32(00000000), ref: 003FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003FD882
ReleaseDC.USER32(?), ref: 003FD8A3

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8c64da1c5e2c07fde8f6dd6b48f1f72fed6786c72c2b2f43b64887759cf1ca2e
Instruction ID: 0fff62672956525cbe1f6a9a483b0339bcb8bc99e2140c997f1d2df096bf84c7
Opcode Fuzzy Hash: 8c64da1c5e2c07fde8f6dd6b48f1f72fed6786c72c2b2f43b64887759cf1ca2e
Instruction Fuzzy Hash: 20E09A75900604DFCB51AFA0D88D66DBBB5FB08311F14A459F946F7260D73859029F54

Function 00414D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00414ED4

Strings

LPT, xrefs: 00414DFB
*, xrefs: 00414E10

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e0daaed24bb5d38b5edad105cb41e984539b47cb92d93946700e61346fc74ce4
Instruction ID: 8008755a8fea177e89da29fe633560e3b0f79984610edd7c7ffa6e47157e22d5
Opcode Fuzzy Hash: e0daaed24bb5d38b5edad105cb41e984539b47cb92d93946700e61346fc74ce4
Instruction Fuzzy Hash: ED914175A002049FCB15DF54C484EEABBF1AF85304F19809AE4099F3A2D735EE86CB55

Function 003CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003CE30D

Strings

pow, xrefs: 003CE2E5, 003CE302

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2d398b95641577dee8b683cdfb718cca890f8cc76a041bdec3a995a7a94cd6ef
Instruction ID: b8e640cfab03b74a3ea776f5b514a00b57a100c3081ad6a5ea2d1c4391e37fcc
Opcode Fuzzy Hash: 2d398b95641577dee8b683cdfb718cca890f8cc76a041bdec3a995a7a94cd6ef
Instruction Fuzzy Hash: E7515C67A0C20296CB177714ED02B793BA8EB40740F754D6EF095C63E9FB358C859B46

Function 00427771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(003F569E,00000000,?,0043CC08,?,00000000,00000000), ref: 004278DD

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

CharUpperBuffW.USER32(003F569E,00000000,?,0043CC08,00000000,?,00000000,00000000), ref: 0042783B

Strings

<sF, xrefs: 004277C8

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sF
API String ID: 3544283678-1235028854
Opcode ID: 10d5ecd28254b245cc17454b7f6541ffddb78c5118e9ee9b5d5b64485ac99e29
Instruction ID: 285e4b3ada3f5a359213bc7fdc06634c4285d6c4430ed635cc02032efd3fb02e
Opcode Fuzzy Hash: 10d5ecd28254b245cc17454b7f6541ffddb78c5118e9ee9b5d5b64485ac99e29
Instruction Fuzzy Hash: 73617376A142289ACF06FBA4DC91DFEB374FF15300B84412AF542BB191EF385A45CBA5

Function 003BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 003BE1B1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 169ccfbfd659f40e6623482f7a29952df878218251225b7c6128378dbe68bfed
Instruction ID: 5382f00a3245a14d8b89b766090725bd213449ee83becc1b7940553d6ac04440
Opcode Fuzzy Hash: 169ccfbfd659f40e6623482f7a29952df878218251225b7c6128378dbe68bfed
Instruction Fuzzy Hash: E251323550024ADFDB17EF28C081AFA7BA8EF16310F244465EE919F6E0D6349D46CBA0

Function 003BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 003BF2BB

Strings

@, xrefs: 003BF2AF

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 04d432289bb9d888112b6e31aa2f541e542817a6f42c39d4e3bc31fd48368111
Instruction ID: 735d0ba195a99f44acf5fa12b44d6bf906182b32f6dead353492afa662f1c7da
Opcode Fuzzy Hash: 04d432289bb9d888112b6e31aa2f541e542817a6f42c39d4e3bc31fd48368111
Instruction Fuzzy Hash: 185153724187449FD321AF10DC86BABBBF8FB85704F81885CF199451A6EB308529CB6A

Function 00425745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004257E0
_wcslen.LIBCMT ref: 004257EC

Strings

CALLARGARRAY, xrefs: 004257E6, 004257EB

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a9429baa3ba488e3f3fc080d9f2f51b6cfb6240ac8379efa2572759886f0ea5a
Instruction ID: 136d1f8f0f65026e09035e550ec453a3b0cb2f049aa740ad2621b80b794cff46
Opcode Fuzzy Hash: a9429baa3ba488e3f3fc080d9f2f51b6cfb6240ac8379efa2572759886f0ea5a
Instruction Fuzzy Hash: 9641D131E001199FCB04EFA9D8819FEBBB4FF59324F50806AE505AB351E7789D81CB94

Function 0041D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0041D13A

Strings

|, xrefs: 0041D10B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1ac2bac1f9f9d9e6e113dfd9b05b101952c24fe26d5118d69f2ccf3e04182a6e
Instruction ID: 33d471e298e7e5c70de56703fb47403df4d4b4260bcb352673585c63d7a3c27f
Opcode Fuzzy Hash: 1ac2bac1f9f9d9e6e113dfd9b05b101952c24fe26d5118d69f2ccf3e04182a6e
Instruction Fuzzy Hash: B8311972D00219ABCF16EFA4CD85EEEBFB9FF05300F000019E815AA261DB35AA46CB54

Function 0043356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00433621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0043365C

Strings

static, xrefs: 004335BC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8c5797d4f5acaefb818bd5e1962f7327c41d9a82c41aae46cbe686a55d5f56f9
Instruction ID: 046d43ade6a94edd6c23f440669409e968a69741a0ed81b20fe1c9955587d6db
Opcode Fuzzy Hash: 8c5797d4f5acaefb818bd5e1962f7327c41d9a82c41aae46cbe686a55d5f56f9
Instruction Fuzzy Hash: B431AF71110204AEDB20DF28DC81EFB73A9FF48724F10A61EF8A5D7290DA34AD81C768

Function 00434537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0043461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00434634

Strings

', xrefs: 0043458E

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2c56355d6faf1a186aebf63c2e0fe85bafe70ecc7fd4b3ee711fe584cf538e75
Instruction ID: c2cc33a4025c743f58dcf4156a6a3ff2edd6347ca38761fc2e2f0804a579842d
Opcode Fuzzy Hash: 2c56355d6faf1a186aebf63c2e0fe85bafe70ecc7fd4b3ee711fe584cf538e75
Instruction Fuzzy Hash: 063138B4E01309AFDB14CFA9C981BDABBB5FF49300F10506AEA04AB391D774A941CF94

Function 004331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0043327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00433287

Strings

Combobox, xrefs: 00433249

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6081db48e899949cf282fee1c84a510bbf458af1262ea13328aacd49f66a504e
Instruction ID: 09a3af8d4f5937aa6d74142608bf35d694e5688cced983928dc80af8f018d1a2
Opcode Fuzzy Hash: 6081db48e899949cf282fee1c84a510bbf458af1262ea13328aacd49f66a504e
Instruction Fuzzy Hash: 7C1104713002087FFF21DF94DC81EBB376AEB983A5F10122AF9189B390D6399D518764

Function 00433710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
Part of subcall function 003A600E: GetStockObject.GDI32(00000011), ref: 003A6060
Part of subcall function 003A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

GetWindowRect.USER32(00000000,?), ref: 0043377A
GetSysColor.USER32(00000012), ref: 00433794

Strings

static, xrefs: 00433757

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 296c0e121fa4dad85758861a7c0c4bd93ac726ebc1cbc65f8b942a304dac8a4d
Instruction ID: b8c1fc9bf93d9f15e3151cbfbe7097da659b95566ba2bbda80d8ed0a081e0950
Opcode Fuzzy Hash: 296c0e121fa4dad85758861a7c0c4bd93ac726ebc1cbc65f8b942a304dac8a4d
Instruction Fuzzy Hash: 03113AB2610209AFDF01DFA8CC46EFA7BB8FB08315F015529F955E2250D739E8619B54

Function 0041CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0041CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0041CDA6

Strings

<local>, xrefs: 0041CD66

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 854a11f5e5aa14a39f00098696c882476b1bc2209b2cbe21cbf37df22f428472
Instruction ID: e61ebf4d17a1fc60abce9a02287b09acc77193588544dbaab91689ed4ff7e469
Opcode Fuzzy Hash: 854a11f5e5aa14a39f00098696c882476b1bc2209b2cbe21cbf37df22f428472
Instruction Fuzzy Hash: CC1106712816327AD7344B669CC4FE7BE6CEF127A4F004237B10993180D3789881D6F4

Function 00433429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004334BA

Strings

edit, xrefs: 0043348F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1cd15d1e39515034fe29308540fa8bf04dea98fe5b4aa0ed7897a6b229410744
Instruction ID: 8b3ff8afbc0b919ccd99b6dc16c9406816f8f4464e52abae21c3194603487580
Opcode Fuzzy Hash: 1cd15d1e39515034fe29308540fa8bf04dea98fe5b4aa0ed7897a6b229410744
Instruction Fuzzy Hash: 5A11B271100104ABEB114F64DC80AAB3769EF29379F506325F960932E0C739DC519B58

Function 00406C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00406CB6
_wcslen.LIBCMT ref: 00406CC2

Strings

STOP, xrefs: 00406CBC, 00406CC1

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f1040c0098115450bf9e64613cd99f069ba355e5783fad657bfa19e7b69140bb
Instruction ID: cb9256d87afc8cc7585255fde522b38d5c4ae075ae72734c59630e9e87575eba
Opcode Fuzzy Hash: f1040c0098115450bf9e64613cd99f069ba355e5783fad657bfa19e7b69140bb
Instruction Fuzzy Hash: 1E0104326045268BDB219FBDDC80ABF33A4EE61710702053AE853B62D0EB39D820C654

Function 00401CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00401D4C

Strings

ComboBox, xrefs: 00401CEB
ListBox, xrefs: 00401D16

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ac8f529e4c897b62041871d5e5512b5600a6ba876134d3ff922e15b9c799579
Instruction ID: 98398aa65d4b3bad86688458170fbfbdc972b06a5d65b52e7b9809bb3e5c46cf
Opcode Fuzzy Hash: 8ac8f529e4c897b62041871d5e5512b5600a6ba876134d3ff922e15b9c799579
Instruction Fuzzy Hash: 2801D871641214ABCB05EFA4CC51DFF7768EF47350B14052BF8227B3D1EA3869088765

Function 00401BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00401C46

Strings

ComboBox, xrefs: 00401BE5
ListBox, xrefs: 00401C10

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6ff611faff1501747459017001b4dc206479ca549d5aae4bd19a34ec3677811e
Instruction ID: bb7bc7f66079ac511210f4a61b9ee83a6ae2926439270bb6b1cf6e726ca2ea3a
Opcode Fuzzy Hash: 6ff611faff1501747459017001b4dc206479ca549d5aae4bd19a34ec3677811e
Instruction Fuzzy Hash: 1E01A77568510467DB19FB90C952AFF77ACDB12340F14002BB406772D1EA38DE48C6BA

Function 00401C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00401CC8

Strings

ComboBox, xrefs: 00401C69
ListBox, xrefs: 00401C94

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 00869a72a7be4600a38f82a8414cf5617ec85a3a8b1e7e190f09a20f421a2497
Instruction ID: 04116ad0583e65abb4925b97b4a4b9b60accbdbc9bb3944d3475c9d8ead0c0fb
Opcode Fuzzy Hash: 00869a72a7be4600a38f82a8414cf5617ec85a3a8b1e7e190f09a20f421a2497
Instruction Fuzzy Hash: 8401DB7168411467DB05EB90CA11BFF77ACDB12340F140027B801772D1EA38DF09D67A

Function 003BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003BA529

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Strings

3y?, xrefs: 003BA545, 003BA54D, 003BA552
,%G, xrefs: 003BA509

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%G$3y?
API String ID: 2551934079-1764036712
Opcode ID: 5b19dfe3c1727cf972684034ad836be8bc4451ca111c4605fe8e42d3df87b49a
Instruction ID: 1c4686b68312c7054f214f6c06bbac79dbe701e20495efa2f61fe50d3ac098aa
Opcode Fuzzy Hash: 5b19dfe3c1727cf972684034ad836be8bc4451ca111c4605fe8e42d3df87b49a
Instruction Fuzzy Hash: B0014732600E2097C627F7689D07FED3398DB06714F40406AF6066F6C2DE50AE01869B

Function 00401D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00401DD3

Strings

ComboBox, xrefs: 00401D75
ListBox, xrefs: 00401DA0

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bffb081ad298fae199463855443a1953a78d6b306826bd5347a80b6cd24135f9
Instruction ID: 62b1ccce6bb6eebe72f399cc2fd0b2fbedafe58c4c46354913a7033b98618cb9
Opcode Fuzzy Hash: bffb081ad298fae199463855443a1953a78d6b306826bd5347a80b6cd24135f9
Instruction Fuzzy Hash: 6BF0F471A4061466DB04EBA4CC52BFF776CEF02354F04092BB822B72D1EA7869088269

Function 00438172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00473018,0047305C), ref: 004381BF
CloseHandle.KERNEL32 ref: 004381D1

Strings

\0G, xrefs: 0043818A

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0G
API String ID: 3712363035-2904157190
Opcode ID: b8e012f66b75106a30f07a27ab7c4c1cfb1190a8f1ea9b963a76750eb336d5ee
Instruction ID: 55861d195a09bf41a1a58ea3dfd95185577110151ba72b993d7d3d61f81b2ea6
Opcode Fuzzy Hash: b8e012f66b75106a30f07a27ab7c4c1cfb1190a8f1ea9b963a76750eb336d5ee
Instruction Fuzzy Hash: 0EF05EB2640340BAE2206F61AC45FB73A5CDB05752F004435BB0CE91A2D6798E50A3FD

Function 0042747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00427493
_wcslen.LIBCMT ref: 004274B9

Strings

3, 3, 16, 1, xrefs: 00427483

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bd02b1f2de5aec56112ffa106ac0aab5381c03106126916768765b1d7c2f2ef0
Instruction ID: d09111f991fb26f835a492940e437655e66a09a36ad6877656582f274de4b8bf
Opcode Fuzzy Hash: bd02b1f2de5aec56112ffa106ac0aab5381c03106126916768765b1d7c2f2ef0
Instruction Fuzzy Hash: EAE02B02704230109232327ABCC1FBF5689CFC5790750182FF981C6366EBA88D9193A9

Function 00400B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00400B23

Strings

AutoIt, xrefs: 00400B17
Error allocating memory., xrefs: 00400B1C

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1b4896058c3d70548c2251a332aceb0b9ccaf4e61ff21b788448803e5d89748e
Instruction ID: 364be72f2c54d885fc0cd6c4d26480f5613275f054ab3bb6524796d0e63bfd3c
Opcode Fuzzy Hash: 1b4896058c3d70548c2251a332aceb0b9ccaf4e61ff21b788448803e5d89748e
Instruction Fuzzy Hash: 2FE048312443182AD21536947C43FD97A848F09B55F20542BFB58A95C38BE6655047ED

Function 003C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003C0D71,?,?,?,003A100A), ref: 003BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,003A100A), ref: 003C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003A100A), ref: 003C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003C0D7F

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 880b30d3ddef542dae15e35ad778850dc23ea037d4c9fb0e8c9d3539660d8e4d
Instruction ID: 5577e9b6c7920883af7a393bc0dde035ad16162ec1847a3c35e3ac002d9fc8b5
Opcode Fuzzy Hash: 880b30d3ddef542dae15e35ad778850dc23ea037d4c9fb0e8c9d3539660d8e4d
Instruction Fuzzy Hash: 4BE092746003518FD3359FBCD8497467BE0AF04744F00897EE887CA661DBB4E8488BD1

Function 003BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003BE3D5

Strings

8%G, xrefs: 003BE3CA
0%G, xrefs: 003BE3B5

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%G$8%G
API String ID: 1385522511-2380194405
Opcode ID: 5e8117eff3dafa13dd7c8ce1e55e1bc4e70c82b6332b16fa9c095124939eabdc
Instruction ID: ad631a46c8261a0c57a56e1dbce901f1390a17f56e3cdeb0ef822d7cb12d6b2f
Opcode Fuzzy Hash: 5e8117eff3dafa13dd7c8ce1e55e1bc4e70c82b6332b16fa9c095124939eabdc
Instruction Fuzzy Hash: 17E02639400910EBC60A972CBA54ECA3395EB0432CB909179E20E8B9D39BB46C81874C

Function 00413017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0041302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00413044

Strings

aut, xrefs: 00413038

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 23094e09c3614b6a8b3eeb0c61dcfd5379b2158d4b23a049c294201bc0c71fbb
Instruction ID: 66f3e017bdfde65b3fb08ebe7c3ee0025c3e340e12c806582f83141b0a9c3977
Opcode Fuzzy Hash: 23094e09c3614b6a8b3eeb0c61dcfd5379b2158d4b23a049c294201bc0c71fbb
Instruction Fuzzy Hash: 02D05E7290032867DB20A7A4AC4EFCB3A6CDB05750F1002A2BA55E2091EAB49984CBD4

Function 003FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003FD220

Strings

X64, xrefs: 003FD2A8
%.3d, xrefs: 003FD22B

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e8f748c314550ed439d41364df8d880305fad9cff11e90d9771bf4c86c2f9b32
Instruction ID: 3abeb2ebece4af8aad1b4a8c3f6eab82d04fc3acbb1f34ec0835f31635aba161
Opcode Fuzzy Hash: e8f748c314550ed439d41364df8d880305fad9cff11e90d9771bf4c86c2f9b32
Instruction Fuzzy Hash: C0D01261C0810CF9CB5297D0CC4D9FAB37DBB08301F608862FA06A1841E734C548ABA2

Function 00432356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043236C
PostMessageW.USER32(00000000), ref: 00432373

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Strings

Shell_TrayWnd, xrefs: 00432365

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 010b5060a93e49a36dbc5c5274fa618d8eec4572299fa90aceb99b6e07e863f9
Instruction ID: dff22e2bd2bb97924665ebcd77eec386de104595770d66ecd780051974c2380c
Opcode Fuzzy Hash: 010b5060a93e49a36dbc5c5274fa618d8eec4572299fa90aceb99b6e07e863f9
Instruction Fuzzy Hash: 16D0C972381310BAE664A7719C4FFC676149B05B15F1159267645BA1D0D9B4A8018B5C

Function 00432322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0043233F

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Strings

Shell_TrayWnd, xrefs: 00432325

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1688d94f3f658071fac519de32ace1ff57887283d97c43892c7d285691e568ba
Instruction ID: 4b682462fc407c94382be606393291d211bae07500eb30de698468df406af829
Opcode Fuzzy Hash: 1688d94f3f658071fac519de32ace1ff57887283d97c43892c7d285691e568ba
Instruction Fuzzy Hash: 59D0C976394310B6E664A7719C4FFC67A149B00B15F1159267645BA1D0D9B4A8018B58

Function 003DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 003DBE93
GetLastError.KERNEL32 ref: 003DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003DBEFC

Memory Dump Source

Source File: 00000000.00000002.2136197575.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2136165666.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136290769.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136375475.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136404754.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e6154be69dfaa60c376b927b5b5e6e39c2c2d5c4aa517e1016faba4eaa178873
Instruction ID: 4ad7582ba39ef697f3112524654215a085acec150aeae398aa03cdac326c7aac
Opcode Fuzzy Hash: e6154be69dfaa60c376b927b5b5e6e39c2c2d5c4aa517e1016faba4eaa178873
Instruction Fuzzy Hash: 4741B736604246EFCF238F65EC54AAAFBA99F41310F17416AF9599B3A1DB308D01DB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.23 52.222.236.23

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2165301644.000002049449E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309602848.000002049446D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184325335.000002049446D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2165301644.000002049449E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309602848.000002049446D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184325335.000002049446D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2179632921.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160596098.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194476395.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2177396770.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2177396770.0000020495A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160182857.0000020495A73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2165301644.000002049449E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309602848.000002049446D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184325335.000002049446D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2165301644.000002049449E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309602848.000002049446D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184325335.000002049446D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3931743400.000001D6AD60A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3931743400.000001D6AD60A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3931743400.000001D6AD60A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3931597558.000001F797503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2179632921.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287732008.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160596098.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2315183707.000002048AE8B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306573838.000002048AE95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comLMEM( equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2287732008.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308277124.0000020496179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280621181.0000020496179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2306573838.000002048AE95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comLMEM equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2179632921.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160596098.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194476395.0000020492DB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.23:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50006 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cf40411f-ba1f-4c9b-b9c4-fb318c168abe.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cf40411f-ba1f-4c9b-b9c4-fb318c168abe.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZRQDYL5OGRXEU0LI60O.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MZQL2Z21UWTMD50MN4IF.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre