Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1533075
MD5:	ea20340956658299c9783b15a587f3dd
SHA1:	c5fc82454c6c498e8dbf37606a294c248c072388
SHA256:	2ed0003a35615785ce56bcc7ebff71f7cfaf6df17c8074cd8d353c618d68ae8a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6804 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EA20340956658299C9783B15A587F3DD)

taskkill.exe (PID: 4012 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6392 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1732 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7120 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6196 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5960 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6556 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6460 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee7b042-75ea-4bb9-90d9-9066a5230ac2} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbd2f6e710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -parentBuildID 20230927232528 -prefsHandle 3516 -prefMapHandle 4288 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a816b74c-6ffd-4a66-bced-c718d78fb541} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbe573ed10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5068 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2033a4f-4d83-4a68-a247-c70252e4d8ba} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbeebd3710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6804	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_005CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_005CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_005BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b4de9cb1-f
Source: file.exe, 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2a843137-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dbb74cf8-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a45a8a92-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D5219EB7 NtQuerySystemInformation,		17_2_000001E3D5219EB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D52376F2 NtQuerySystemInformation,		17_2_000001E3D52376F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_005BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_005B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055BF40	0_2_0055BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C2046	0_2_005C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558060	0_2_00558060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B8298	0_2_005B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058E4FF	0_2_0058E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058676B	0_2_0058676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E4873	0_2_005E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055CAF0	0_2_0055CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057CAA0	0_2_0057CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056CC39	0_2_0056CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00586DD9	0_2_00586DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056B119	0_2_0056B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005591C0	0_2_005591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571394	0_2_00571394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571706	0_2_00571706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057781B	0_2_0057781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056997D	0_2_0056997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00557920	0_2_00557920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005719B0	0_2_005719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00577A4A	0_2_00577A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571C77	0_2_00571C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00577CA7	0_2_00577CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DBE44	0_2_005DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00589EEE	0_2_00589EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571F32	0_2_00571F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D5219EB7	17_2_000001E3D5219EB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D52376F2	17_2_000001E3D52376F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D5237732	17_2_000001E3D5237732
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001E3D5237E1C	17_2_000001E3D5237E1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00570A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0056F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00559CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C37B5 GetLastError,FormatMessageW,

0_2_005C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B10BF AdjustTokenPrivileges,CloseHandle,		0_2_005B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005BD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005542A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2191847129.000001FBED831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2191337892.000001FBEEB8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195302503.000001FBEADA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee7b042-75ea-4bb9-90d9-9066a5230ac2} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbd2f6e710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -parentBuildID 20230927232528 -prefsHandle 3516 -prefMapHandle 4288 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a816b74c-6ffd-4a66-bced-c718d78fb541} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbe573ed10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5068 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2033a4f-4d83-4a68-a247-c70252e4d8ba} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbeebd3710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee7b042-75ea-4bb9-90d9-9066a5230ac2} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbd2f6e710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -parentBuildID 20230927232528 -prefsHandle 3516 -prefMapHandle 4288 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a816b74c-6ffd-4a66-bced-c718d78fb541} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbe573ed10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5068 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2033a4f-4d83-4a68-a247-c70252e4d8ba} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbeebd3710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2184396248.000001FBE6F51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8kernel32.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2189325684.000001FBE2A86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000E.00000003.2198541906.000001FBE2AEE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198688547.000001FBE2AF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2187761114.000001FBE2A8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8ucrtbase.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2184396248.000001FBE6F51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gdi32full.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000E.00000003.2198541906.000001FBE2AEE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198688547.000001FBE2AF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8cryptbase.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2187761114.000001FBE2A8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8kernelbase.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2185440106.000001FBE2A86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2189325684.000001FBE2A86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2185440106.000001FBE2A86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8advapi32.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8bcryptprimitives.pdb source: firefox.exe, 0000000E.00000003.2189816476.000001FBEEFEF000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005542DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00570A76 push ecx; ret

0_2_00570A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0056F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97096

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001E3D5219EB7 rdtsc

17_2_000001E3D5219EB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058C2A2 FindFirstFileExW,	0_2_0058C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C68EE FindFirstFileW,FindClose,	0_2_005C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005542DE

Source: firefox.exe, 00000010.00000002.3299999239.00000240D6B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: firefox.exe, 00000011.00000002.3299088201.000001E3D5720000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3298282362.0000023DBD700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.3299088201.000001E3D5720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: firefox.exe, 00000010.00000002.3299999239.00000240D6B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: firefox.exe, 00000010.00000002.3299180079.00000240D6A21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3294035055.0000023DBD29A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0Cp
Source: firefox.exe, 00000011.00000002.3299088201.000001E3D5720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: firefox.exe, 00000010.00000002.3295441432.00000240D665A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000011.00000002.3294482422.000001E3D4E7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3299999239.00000240D6B00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3299088201.000001E3D5720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001E3D5219EB7 rdtsc

17_2_000001E3D5219EB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005CEAA2 BlockInput,

0_2_005CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00582622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00582622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00574CE8 mov eax, dword ptr fs:[00000030h]

0_2_00574CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_005B0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00582622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00582622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0057083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005709D5 SetUnhandledExceptionFilter,	0_2_005709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00570C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00570C21

Source: C:\Users\user\Desktop\file.exe

0_2_005B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00592BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00592BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BB226 SendInput,keybd_event,

0_2_005BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005D22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_005B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00570698 cpuid

0_2_00570698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_005C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005AD27A GetUserNameW,

0_2_005AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0058B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_005D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://content-signature-2.cdn.mozilla.net/	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse
https://json-schema.org/draft/2020-12/schema/=	0%	Virustotal		Browse
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	Virustotal		Browse
https://json-schema.org/draft/2019-09/schema.	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://ok.ru/	0%	Virustotal		Browse
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	0%	Virustotal		Browse
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://www.amazon.com/	0%	Virustotal		Browse
https://youtube.com/account?=	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/to-google-translate/	0%	Virustotal		Browse
https://www.iqiyi.com/	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	0%	Virustotal		Browse
http://mozilla.org/MPL/2.0/.	0%	Virustotal		Browse
http://youtube.com/	0%	Virustotal		Browse
https://www.amazon.co.uk/	0%	Virustotal		Browse
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	0%	Virustotal		Browse
https://mail.yahoo.co.jp/compose/?To=%s	0%	Virustotal		Browse
https://duckduckgo.com/?t=ffab&q=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.129	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.80	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.110	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.186.78	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.65.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.170	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2279224947.000001FBE3568000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298957391.000001FBE35EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196849870.000001FBEAC7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D51C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD6C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2304665408.000001FBE4591000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2192021952.000001FBED482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282045347.000001FBED482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263864738.000001FBED482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2225351418.000001FBEAF16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111257665.000001FBEAF22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2110206457.000001FBEAF23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2123104220.000001FBEAF17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3296823914.00000240D69CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3298468993.0000023DBD803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3295962005.0000023DBD68F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2266286477.000001FBEB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286752915.000001FBEB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB24C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192970547.000001FBEB244000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2298099443.000001FBE3A8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2275450471.000001FBE45D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2269703297.000001FBE4E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2191847129.000001FBED831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093009443.000001FBE2D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093533729.000001FBE2D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093226456.000001FBE2D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093678562.000001FBE2D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2092821211.000001FBE2F00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2192441393.000001FBEBFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277406934.000001FBEBFE0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2239518059.000001FBEEABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306427857.000001FBEEABF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2190497994.000001FBEECA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2196453581.000001FBEACC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093226456.000001FBE2D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093678562.000001FBE2D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2092821211.000001FBE2F00000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2197326273.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267448124.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284674203.000001FBE6769000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2093373375.000001FBE2D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093009443.000001FBE2D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093533729.000001FBE2D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093226456.000001FBE2D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2092821211.000001FBE2F00000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2244335520.000001FBE5859000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2264273032.000001FBEB286000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2266286477.000001FBEB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286752915.000001FBEB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB24C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192970547.000001FBEB244000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2292019287.000001FBEEA51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2190497994.000001FBEECA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2317622220.000001FBDED7D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D5103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD60C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2163642088.000001FBE398A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162969294.000001FBE398A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2240279883.000001FBEB27C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264273032.000001FBEB27C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301792547.000001FBEB27C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2298099443.000001FBE3A8E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2299983057.000001FBEEA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292019287.000001FBEEA51000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2307411191.000001FBEAE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D51C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD6C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2293589976.000001FBEAB60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289363039.000001FBE5455000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2163790996.000001FBE3957000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2292019287.000001FBEEA29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2192441393.000001FBEBFE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277406934.000001FBEBFE0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	0%, Virustotal, Browse	unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2275852391.000001FBE3FDF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2191661782.000001FBEEB4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3296823914.00000240D69CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3298468993.0000023DBD803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3296823914.00000240D69CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D51F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3298468993.0000023DBD803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2190497994.000001FBEECA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3295962005.0000023DBD613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298099443.000001FBE3A8E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3295232264.0000023DBD390000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2240279883.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301403637.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264273032.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2261010992.000001FBE49A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198297819.000001FBE48E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198297819.000001FBE48DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256497612.000001FBE39DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103846383.000001FBE34DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199020877.000001FBE48DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136002353.000001FBE48D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136654433.000001FBE48E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101955580.000001FBE39E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256497612.000001FBE39C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199340375.000001FBE47D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273059810.000001FBE4DDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288061305.000001FBE58CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260849656.000001FBE4955000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276382370.000001FBE3E80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196885643.000001FBEAC32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312116532.000001FBE39DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103846383.000001FBE34F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269868489.000001FBE48E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2123104220.000001FBEAF70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225351418.000001FBEAF70000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2197326273.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267448124.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284674203.000001FBE6769000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2240279883.000001FBEB293000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2197326273.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267448124.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284674203.000001FBE6769000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2195347209.000001FBEAD7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2195347209.000001FBEAD7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2240279883.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301403637.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264273032.000001FBEB296000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2225351418.000001FBEAF16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111257665.000001FBEAF22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2110206457.000001FBEAF23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2123104220.000001FBEAF17000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2297668319.000001FBE3B0B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2190497994.000001FBEECA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2192970547.000001FBEB232000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2275852391.000001FBE3FB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296343501.000001FBE3FB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2114442396.000001FBE58E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244335520.000001FBE58D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287906540.000001FBE58F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2163642088.000001FBE398A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162969294.000001FBE398A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2317622220.000001FBDED7D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2299983057.000001FBEEA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292019287.000001FBEEA51000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2307411191.000001FBEAE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2298099443.000001FBE3A8E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2191337892.000001FBEEB8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191576985.000001FBEEB6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3296305102.00000240D6700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3295155548.000001E3D4FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3295049677.0000023DBD320000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2092821211.000001FBE2F00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
52.222.236.80	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.186.110	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533075
Start date and time:	2024-10-14 12:16:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 93% Number of executed functions: 41 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.25.49.43, 35.83.8.120, 52.26.161.5, 142.250.186.78, 2.22.61.56, 2.22.61.59, 172.217.18.10, 142.250.186.42, 142.250.185.238
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7148 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:17:07	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.80	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	34.117.39.58
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
AMAZON-02US	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	99.86.4.79
	http://bdvonline-personasv.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	18.245.46.22
	https://rajdharia.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	99.86.4.105
	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	99.86.4.125
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	65.9.66.122
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	http://puzzlewood.net	Get hash	malicious	Unknown	Browse	34.255.212.122
	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	99.86.4.105
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	99.84.87.0
ATGS-MMD-ASUS	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	https://rajdharia.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.139.251.143
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	33.20.40.34
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.244.108.32
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	https://rajdharia.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	https://eshailor56718.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.149.206.255
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.139.251.143
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	33.20.40.34
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	56.244.108.32
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_23468261-2687-490c-83fd-1541d34d82cb.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.175049881557137
Encrypted:	false
SSDEEP:	192:RKMiQ6QkQvcbhbVbTbfbRbObtbyEl7nwrHJA6wnSrDtTkd/Sv:RPdFvvcNhnzFSJQrujnSrDhkd/S
MD5:	ECD78D650E55EB2846C465CC7F4D768D
SHA1:	C4E17F5DD785CD6B835332F11D38FDCAB2D8129A
SHA-256:	986B281FAEAA5D44E27C025D762D8E06EAE1A11D78C3E5A02D73BD3089698974
SHA-512:	CFA9DD520D7DFEC797BD1C25351484DD78AC0F9304637901D83F0EB0335CC0EC475B0C54378D1F3F67B756D5A3DA1F9DC5FC299C3B70A4A4799068CBB2CF3B43
Malicious:	false
Preview:	{"type":"uninstall","id":"23468261-2687-490c-83fd-1541d34d82cb","creationDate":"2024-10-14T11:31:18.433Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_23468261-2687-490c-83fd-1541d34d82cb.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.175049881557137
Encrypted:	false
SSDEEP:	192:RKMiQ6QkQvcbhbVbTbfbRbObtbyEl7nwrHJA6wnSrDtTkd/Sv:RPdFvvcNhnzFSJQrujnSrDhkd/S
MD5:	ECD78D650E55EB2846C465CC7F4D768D
SHA1:	C4E17F5DD785CD6B835332F11D38FDCAB2D8129A
SHA-256:	986B281FAEAA5D44E27C025D762D8E06EAE1A11D78C3E5A02D73BD3089698974
SHA-512:	CFA9DD520D7DFEC797BD1C25351484DD78AC0F9304637901D83F0EB0335CC0EC475B0C54378D1F3F67B756D5A3DA1F9DC5FC299C3B70A4A4799068CBB2CF3B43
Malicious:	false
Preview:	{"type":"uninstall","id":"23468261-2687-490c-83fd-1541d34d82cb","creationDate":"2024-10-14T11:31:18.433Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923647354280182
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNWq9gxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LoG8P
MD5:	B78F603CD651EF60B70FB85E976FDBDF
SHA1:	971EEAD55E5A297A12A804CDC8BDC2B8087E8119
SHA-256:	5AC6C0DD5CA7F8A4CF4C2D9904B1C70AEB6B86E8937CC7D2ADE5D8B23373FC9D
SHA-512:	1CBC4E19CBC7DF79445B14164DD2F63CB07215009284EAF1475A227555EFB290ED6051A1A02E9F14B94BC1077EBBCF863D6865ACD9B16393BFC71EA3B5F41473
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923647354280182
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNWq9gxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LoG8P
MD5:	B78F603CD651EF60B70FB85E976FDBDF
SHA1:	971EEAD55E5A297A12A804CDC8BDC2B8087E8119
SHA-256:	5AC6C0DD5CA7F8A4CF4C2D9904B1C70AEB6B86E8937CC7D2ADE5D8B23373FC9D
SHA-512:	1CBC4E19CBC7DF79445B14164DD2F63CB07215009284EAF1475A227555EFB290ED6051A1A02E9F14B94BC1077EBBCF863D6865ACD9B16393BFC71EA3B5F41473
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328876685279
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki3Xl/:DLhesh7Owd4+jit
MD5:	7055AE118E97C0712F4BFD5DE7FCE086
SHA1:	07EDDD314E1EB419EF89FAED09EAA7BACC5758B2
SHA-256:	DC01730762D276CB727EAF31B9BFD742316840F824BC495FE33A60E25D5AA2D7
SHA-512:	5646857046D476F17EC5DF4C401B8161748BEAACFE73E2A96A80565D94748DEDAFA76139E0DFD5CA3CC8645AC10B3EE2C346A60D9DDE364891F14D26932ED783
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFcq1j+uFLkJ94tlstFcq1j+uFLkJltlJ89//alEl:GtWtesCuN+4tWtesCuNmXJ89XuM
MD5:	DD96C766DE2C2920F80C4FC4C1E20FC8
SHA1:	581B044AF72501C92C9C5F1193702B4344975F70
SHA-256:	455D0FF1AEAF572E42FD19A8C59CD92D74982B35D4A5AD21179FF46B5BEDBD0C
SHA-512:	087AD7873035386825A4FB43D77241EE3110103CDD23CEC306C4EF5424D9DE1D971B1283D482BC6BDCE2182B19D1E3B0A76E7856AD98E610D48E68BA88482B7E
Malicious:	false
Preview:	..-........................[....$Ko.).yC...K....-........................[....$Ko.).yC...K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03987425719201705
Encrypted:	false
SSDEEP:	3:Ol1SLRNhyllfNnE8u+v/rl8rEXsxdwhml8XW3R2:KsRNMfE8Rrl8dMhm93w
MD5:	ED1571033571A9C83E5418272D713068
SHA1:	D164C170588134BA4FA9D24E1E8825E057540464
SHA-256:	8DD48F93360D45A13020E5F054BA4B9FD158E258861B49E8F30D5F2D2766C1EF
SHA-512:	7C42E89BBB47B84A7E7FD5C8A9C5FE788657FA4B1AD4DA9AC8E599C192EDD254E4862B084C1F1152DFCDC5FFE486354BF6A8E39D57D5C3B767BF19C2FA41CAB9
Malicious:	false
Preview:	7....-...........$Ko.).yE.'.wM):.........$Ko.).y......[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	modified
Size (bytes):	13187
Entropy (8bit):	5.477872507439923
Encrypted:	false
SSDEEP:	192:JnPOeRnLYbBp6jJ0aX+q6SEXKXuNIZ5RHWNBw8dqSl:tDe2JUx2aoHEwB0
MD5:	1A3115E0BACA1C6BC98C4A9A4CC6614E
SHA1:	70EDE43F41726E395BBF4B97257335D0BC010491
SHA-256:	E46DE178F2A522ED844AE1CB1C03ED7FF146294C24BD6B85247C99692BD1DBBB
SHA-512:	2366BB1410576550E66754F73AAA6EBA0E0481EB52333E13597910F33F059D65DD9214D3A412305B36CD2BFEEE50103EAA4E5F884BC7559F64855B2EDCE266D7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728905449);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728905449);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728905449);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172890

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477872507439923
Encrypted:	false
SSDEEP:	192:JnPOeRnLYbBp6jJ0aX+q6SEXKXuNIZ5RHWNBw8dqSl:tDe2JUx2aoHEwB0
MD5:	1A3115E0BACA1C6BC98C4A9A4CC6614E
SHA1:	70EDE43F41726E395BBF4B97257335D0BC010491
SHA-256:	E46DE178F2A522ED844AE1CB1C03ED7FF146294C24BD6B85247C99692BD1DBBB
SHA-512:	2366BB1410576550E66754F73AAA6EBA0E0481EB52333E13597910F33F059D65DD9214D3A412305B36CD2BFEEE50103EAA4E5F884BC7559F64855B2EDCE266D7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728905449);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728905449);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728905449);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172890

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	6.343783451526954
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqPYkLXnIr6y/pnxQwRcWT5sKmgb93eHVpjO+bamhujJwO2c0TiVmm:GUpOxwkAnRcoegp3erjxb4Jwc3zBtND
MD5:	AFA026B53CBD262B1EF27243C6F3390A
SHA1:	BD7320D6332B8579199E191B326D956331C506A6
SHA-256:	E6FFEA843D507C0511BD6B45F186A374B06DDBD0FEF128B42D63FD5C2A63F87D
SHA-512:	28D7844B471CBEE3B253771CF50B8EE87E796E90D4FE3C9D970B6013DAB2742469CBD93B78335045E3B68C5C1E162B647B1D90ED42FECD662C4AD961C1E033D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{996a7dc1-08fe-4dbe-b78d-28e5095363b4}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728905455990,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18429...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...25594,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	6.343783451526954
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqPYkLXnIr6y/pnxQwRcWT5sKmgb93eHVpjO+bamhujJwO2c0TiVmm:GUpOxwkAnRcoegp3erjxb4Jwc3zBtND
MD5:	AFA026B53CBD262B1EF27243C6F3390A
SHA1:	BD7320D6332B8579199E191B326D956331C506A6
SHA-256:	E6FFEA843D507C0511BD6B45F186A374B06DDBD0FEF128B42D63FD5C2A63F87D
SHA-512:	28D7844B471CBEE3B253771CF50B8EE87E796E90D4FE3C9D970B6013DAB2742469CBD93B78335045E3B68C5C1E162B647B1D90ED42FECD662C4AD961C1E033D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{996a7dc1-08fe-4dbe-b78d-28e5095363b4}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728905455990,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18429...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...25594,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	6.343783451526954
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqPYkLXnIr6y/pnxQwRcWT5sKmgb93eHVpjO+bamhujJwO2c0TiVmm:GUpOxwkAnRcoegp3erjxb4Jwc3zBtND
MD5:	AFA026B53CBD262B1EF27243C6F3390A
SHA1:	BD7320D6332B8579199E191B326D956331C506A6
SHA-256:	E6FFEA843D507C0511BD6B45F186A374B06DDBD0FEF128B42D63FD5C2A63F87D
SHA-512:	28D7844B471CBEE3B253771CF50B8EE87E796E90D4FE3C9D970B6013DAB2742469CBD93B78335045E3B68C5C1E162B647B1D90ED42FECD662C4AD961C1E033D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{996a7dc1-08fe-4dbe-b78d-28e5095363b4}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728905455990,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P18429...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...25594,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029156909304342
Encrypted:	false
SSDEEP:	96:ycMMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:DTEr5NX0z3DhRe
MD5:	F3787E3B2C14194A802EFF2DDB8A19A3
SHA1:	6C9AF392B98D5890D3A8D62DCBE6274BF0F54774
SHA-256:	B58C7B00938EA852EEE0899CF8A291CE1613CEEBFD58A1E75045FE4B10A0794F
SHA-512:	535CFB50F6371F034554766E8EFD6922F7EA56DE65F2B02DDA3FD483BF8E061F1CDE5E0B8ABAB48F573B38BB73B70A6D3AE2684BC3D49EE2666149428F90475A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T11:30:28.345Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029156909304342
Encrypted:	false
SSDEEP:	96:ycMMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:DTEr5NX0z3DhRe
MD5:	F3787E3B2C14194A802EFF2DDB8A19A3
SHA1:	6C9AF392B98D5890D3A8D62DCBE6274BF0F54774
SHA-256:	B58C7B00938EA852EEE0899CF8A291CE1613CEEBFD58A1E75045FE4B10A0794F
SHA-512:	535CFB50F6371F034554766E8EFD6922F7EA56DE65F2B02DDA3FD483BF8E061F1CDE5E0B8ABAB48F573B38BB73B70A6D3AE2684BC3D49EE2666149428F90475A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T11:30:28.345Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584664680818664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	ea20340956658299c9783b15a587f3dd
SHA1:	c5fc82454c6c498e8dbf37606a294c248c072388
SHA256:	2ed0003a35615785ce56bcc7ebff71f7cfaf6df17c8074cd8d353c618d68ae8a
SHA512:	1e0ec755b2e0bfca1b10b5040303cedaefb53b3f7d39627a053d3b2097ed1bdfbc4a384af1fa612f8d9b160eef2b3dfce8e97508e0f9235f9e6b854eb50b513e
SSDEEP:	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T0:GqDEvCTbMWu7rQYlBQcBiT6rprG8ab0
TLSH:	19159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670CEC4A [Mon Oct 14 10:02:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7DA0817DE3h
jmp 00007F7DA08176EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7DA08178CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7DA081789Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7DA081A48Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7DA081A4D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7DA081A4C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	31f23cee035129e702951db975efac0c	False	0.31561511075949367	data	5.373855892590251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 12:17:02.771230936 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:02.771277905 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:02.774087906 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:02.778997898 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:02.779014111 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:03.280965090 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:03.282439947 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:03.294351101 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:03.294370890 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:03.294512033 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:03.294816971 CEST	443	49712	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:03.295686007 CEST	49712	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:03.333995104 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:03.338836908 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:03.344964981 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:03.345074892 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:03.346652031 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.346676111 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:03.346817017 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.346892118 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:03.347425938 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.347440958 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.348776102 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.348793983 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:03.349935055 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:03.350094080 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:03.350127935 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:03.636900902 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:03.636961937 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:03.637074947 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:03.638500929 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:03.638518095 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:03.808943987 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:03.856817961 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:03.999733925 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.000571012 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.000579119 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.000590086 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.001574993 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.005698919 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.005708933 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.005776882 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.005898952 CEST	443	49715	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.006021023 CEST	49715	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.010360956 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.011352062 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.013979912 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.013993979 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.021235943 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.021270990 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.026176929 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.026958942 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.026974916 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.027244091 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.027267933 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.028672934 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.028691053 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.028750896 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.029020071 CEST	443	49714	142.250.186.110	192.168.2.5
Oct 14, 2024 12:17:04.031378984 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.031445026 CEST	49714	443	192.168.2.5	142.250.186.110
Oct 14, 2024 12:17:04.032717943 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.032732964 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.054527998 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.059446096 CEST	80	49719	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.060832024 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.060933113 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.065839052 CEST	80	49719	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.122240067 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.122596979 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.127768993 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.127779961 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.127861977 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.128021002 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.128168106 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.128206015 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.129175901 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.129206896 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.130764961 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.130784988 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.430562973 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.430588007 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.431145906 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.431329012 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.431334972 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.507205009 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.512573957 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.524861097 CEST	80	49719	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.531774998 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.532679081 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.569602966 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.569626093 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.570508003 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.573076010 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.588294029 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.588821888 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.591576099 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.591584921 CEST	443	49717	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:04.599318027 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.599359035 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.599409103 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.599608898 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.599643946 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.599643946 CEST	49717	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:04.599986076 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.600065947 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.610656023 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.611027956 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.614927053 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.614937067 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.615019083 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.615184069 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.615381002 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.721760035 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.721847057 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.727185011 CEST	80	49719	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.727478027 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.728676081 CEST	49719	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.728718042 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.770704985 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.770739079 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.770874977 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.772382021 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:04.772396088 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:04.773603916 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.778460026 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.780435085 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.780555010 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:04.785382986 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:04.919550896 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.919645071 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.922418118 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.922440052 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.922847033 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.924870014 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.924976110 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.925065041 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.925308943 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.925345898 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:04.926485062 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.926522017 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.926534891 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.926805019 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:04.926840067 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:05.240736961 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:05.254039049 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.254244089 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.257659912 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.257668972 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.257787943 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.257936954 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.258109093 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.258138895 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.258171082 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.258286953 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.259568930 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.259579897 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.292031050 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:05.417695999 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:05.417783976 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:05.420834064 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:05.420855045 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:05.421066046 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:05.423114061 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:05.423202038 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:05.423254013 CEST	443	49725	34.160.144.191	192.168.2.5
Oct 14, 2024 12:17:05.423353910 CEST	49725	443	192.168.2.5	34.160.144.191
Oct 14, 2024 12:17:05.654648066 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:05.659637928 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:05.660659075 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:05.660777092 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:05.665586948 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:05.736262083 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.737257004 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.742275953 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.742280960 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.742363930 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.742463112 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 12:17:05.742526054 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 12:17:05.814616919 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:05.819956064 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:05.912694931 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:05.962791920 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:06.123461008 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:06.179403067 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:08.335783005 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:08.590241909 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:08.615104914 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:08.615149975 CEST	443	49731	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:08.620342970 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:08.621825933 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:08.621849060 CEST	443	49731	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:08.683367014 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:08.730592966 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:08.734014988 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:08.734051943 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:08.740935087 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:08.742422104 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:08.742444038 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:08.753330946 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:08.753381968 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:08.755445004 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:08.755563974 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:08.755589962 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:08.769399881 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:08.769433975 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:08.769849062 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:08.771327972 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:08.771346092 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:09.120663881 CEST	443	49731	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:09.121242046 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:09.126007080 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:09.126007080 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:09.126065969 CEST	443	49731	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:09.126430988 CEST	443	49731	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:09.127518892 CEST	49731	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:09.128761053 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.133733988 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.226125002 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.253586054 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.253611088 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.253671885 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.257905960 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.257975101 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.258037090 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.258268118 CEST	443	49732	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.258336067 CEST	49732	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.260405064 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:09.260484934 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:09.260731936 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:09.263190031 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.265799999 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.265822887 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:09.266480923 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:09.268047094 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:09.268064976 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:09.268109083 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:09.268522024 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:09.269540071 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.269612074 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.269709110 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:09.283415079 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:09.285362959 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.285584927 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.285584927 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.285584927 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:09.285592079 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:09.573139906 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.578051090 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.599037886 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.603955984 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.641891956 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.641972065 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.642175913 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.643577099 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.643620014 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.662302017 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.662323952 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.662528038 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.662569046 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.664036036 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.664159060 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.664160967 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.664166927 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.664259911 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:09.664268970 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:09.670830965 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.696805000 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.717736959 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.748977900 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.833017111 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:09.838047981 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.930833101 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:09.987370014 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.120064974 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.120170116 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.124097109 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.124128103 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.124200106 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.124428034 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.125258923 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.126962900 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.129395962 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.129432917 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.129563093 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.130903006 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.130918980 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.131885052 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.142782927 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.142863035 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.145536900 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.145544052 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.145934105 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.148391962 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.148471117 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.148752928 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.148853064 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.153770924 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.153852940 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.156428099 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.156435013 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.156651974 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.159266949 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.159339905 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.159408092 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.159678936 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.224653959 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.227845907 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.232774973 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.266063929 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.325634956 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.366368055 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.604079962 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.604182959 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.608891964 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.608901978 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.608978987 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.609128952 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 14, 2024 12:17:10.610318899 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:17:10.612397909 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.617233992 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.709884882 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.712321043 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.717205048 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.751899958 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:10.810219049 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:10.852289915 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:18.443685055 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:18.443727970 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:18.445770979 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:18.447803974 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:18.447839022 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:19.123044014 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:19.123158932 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:19.304450035 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:19.304450035 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:19.304474115 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:19.304986954 CEST	443	49762	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:19.305085897 CEST	49762	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:19.430967093 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:19.435915947 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:19.528806925 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:19.572381973 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:20.033617020 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:20.039362907 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:20.132144928 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:20.173707962 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:29.441880941 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.441925049 CEST	443	49828	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:29.442231894 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.443662882 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.443675041 CEST	443	49828	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:29.532011032 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:29.538804054 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:29.927882910 CEST	443	49828	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:29.927958965 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.933480024 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.933490038 CEST	443	49828	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:29.933583021 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.933737040 CEST	443	49828	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:29.933949947 CEST	49828	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:29.936207056 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:29.941099882 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:30.035640001 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:30.042706966 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:30.047961950 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:30.086848021 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:30.140265942 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:30.187134027 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:31.580770016 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:31.580836058 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:31.587845087 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:31.587970972 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:31.587986946 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:31.633582115 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:31.633627892 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:31.638012886 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:31.638405085 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:31.638423920 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:31.638987064 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:31.639028072 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:31.639369965 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:31.639415026 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:31.653909922 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:31.654031992 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:31.655500889 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:31.655536890 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:31.655651093 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:31.655667067 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:31.659492016 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:31.659519911 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:31.669570923 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:31.671057940 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:31.671075106 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:32.072066069 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.072098017 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.075026989 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.079742908 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.079776049 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.080014944 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.083163023 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.083247900 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.083307028 CEST	443	49841	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.083406925 CEST	49841	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.087486029 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.092442036 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.111538887 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.114018917 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.117109060 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.117132902 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.117633104 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.119611979 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.119705915 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.119836092 CEST	443	49843	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.120840073 CEST	49843	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.159642935 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:32.159667969 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:32.159733057 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:32.163348913 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:32.163364887 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:32.163476944 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:32.163736105 CEST	443	49844	35.190.72.216	192.168.2.5
Oct 14, 2024 12:17:32.164197922 CEST	49844	443	192.168.2.5	35.190.72.216
Oct 14, 2024 12:17:32.175328016 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:32.175355911 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:32.175395966 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:32.178911924 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:32.178931952 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:32.178994894 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:32.179265022 CEST	443	49848	35.201.103.21	192.168.2.5
Oct 14, 2024 12:17:32.179577112 CEST	49848	443	192.168.2.5	35.201.103.21
Oct 14, 2024 12:17:32.184951067 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.189121962 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.192238092 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.192266941 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.192377090 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.192478895 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.192486048 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.194006920 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.239965916 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.286717892 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.340224028 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.397567987 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:32.397581100 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:32.397747993 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:32.400504112 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:32.400532007 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:32.400793076 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:32.403059006 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:32.403141975 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:32.403254032 CEST	443	49845	52.222.236.80	192.168.2.5
Oct 14, 2024 12:17:32.403419971 CEST	49845	443	192.168.2.5	52.222.236.80
Oct 14, 2024 12:17:32.411135912 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.411238909 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.412336111 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.412374973 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.413960934 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.413968086 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.414561987 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414685011 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414685011 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414695978 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414731026 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.414792061 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414803028 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.414855957 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.414866924 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.416389942 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.421217918 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.539690018 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.544032097 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.548957109 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.594192982 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.641650915 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.694493055 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.736413002 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.736498117 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.739626884 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.739636898 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.740021944 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.742094040 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.742186069 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.742289066 CEST	443	49849	34.149.100.209	192.168.2.5
Oct 14, 2024 12:17:32.742341042 CEST	49849	443	192.168.2.5	34.149.100.209
Oct 14, 2024 12:17:32.744693995 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.749509096 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.842210054 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.845372915 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.850280046 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.895067930 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.914751053 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.915127993 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.918095112 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.918109894 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.918128967 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.918375969 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.920289993 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.920368910 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.920449972 CEST	443	49854	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.920553923 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.920572042 CEST	49854	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.921025991 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.921087027 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.926358938 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.931493998 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.931519985 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.932079077 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.934027910 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.934055090 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.934950113 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.936444044 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.936745882 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.936937094 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.936979055 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.937069893 CEST	443	49852	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.937431097 CEST	443	49853	35.244.181.201	192.168.2.5
Oct 14, 2024 12:17:32.939397097 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.939419031 CEST	49852	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.939426899 CEST	49853	443	192.168.2.5	35.244.181.201
Oct 14, 2024 12:17:32.940921068 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:32.942904949 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.945946932 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:32.995394945 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:33.039614916 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:33.042431116 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:33.047544003 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:33.095664024 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:33.141244888 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:33.195955038 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:41.308415890 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:41.313242912 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:41.405544996 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:41.408389091 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:41.413265944 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:41.450983047 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:41.506243944 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:41.551294088 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:50.412375927 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.412416935 CEST	443	49953	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:50.412959099 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.414331913 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.414350033 CEST	443	49953	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:50.927454948 CEST	443	49953	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:50.927580118 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.931468964 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.931493998 CEST	443	49953	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:50.931580067 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.932029009 CEST	443	49953	34.107.243.93	192.168.2.5
Oct 14, 2024 12:17:50.932087898 CEST	49953	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:17:50.934020996 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:50.938867092 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:51.031451941 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:51.034388065 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:51.039223909 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:51.076987028 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:17:51.132427931 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:17:51.177279949 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:01.037005901 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:01.041805983 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:01.137290955 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:01.142168045 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:01.348087072 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.348139048 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.349116087 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.349168062 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.350188017 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.350330114 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.350334883 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.350342989 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.350538969 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.350560904 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.823298931 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.823404074 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.826756001 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.826765060 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.827095032 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.829030991 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.829124928 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.829235077 CEST	443	50025	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.829252958 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.829977036 CEST	50025	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.858194113 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.858680010 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.861762047 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.861773014 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.862526894 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.864166975 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.864247084 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.864356041 CEST	443	50024	34.120.208.123	192.168.2.5
Oct 14, 2024 12:18:01.865026951 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.865055084 CEST	50024	443	192.168.2.5	34.120.208.123
Oct 14, 2024 12:18:01.867755890 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:01.872622967 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:01.965451956 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:01.988363981 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:01.993257046 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:02.008728981 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:02.085767031 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:02.135225058 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:11.968641043 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:11.973767996 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:12.106748104 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:12.111526012 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:21.983052015 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:22.045021057 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:22.114738941 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:22.119612932 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:31.045546055 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.045572996 CEST	443	50028	34.107.243.93	192.168.2.5
Oct 14, 2024 12:18:31.045733929 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.047947884 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.047964096 CEST	443	50028	34.107.243.93	192.168.2.5
Oct 14, 2024 12:18:31.533160925 CEST	443	50028	34.107.243.93	192.168.2.5
Oct 14, 2024 12:18:31.533356905 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.539129972 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.539139986 CEST	443	50028	34.107.243.93	192.168.2.5
Oct 14, 2024 12:18:31.539258957 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.539370060 CEST	443	50028	34.107.243.93	192.168.2.5
Oct 14, 2024 12:18:31.541305065 CEST	50028	443	192.168.2.5	34.107.243.93
Oct 14, 2024 12:18:31.542479038 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:31.549233913 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:31.640260935 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:31.643732071 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:31.648976088 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:31.682954073 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:31.741800070 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:31.783279896 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:41.649388075 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:41.654481888 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:41.749821901 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:41.754733086 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:51.663089991 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:51.668019056 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:18:51.763428926 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:18:51.768388987 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 14, 2024 12:19:01.679644108 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:19:01.684566975 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 14, 2024 12:19:01.779952049 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 14, 2024 12:19:01.784852028 CEST	80	49727	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 12:17:02.771928072 CEST	53764	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:02.778743029 CEST	53	53764	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:02.782496929 CEST	59432	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:02.789633036 CEST	53	59432	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.308621883 CEST	64009	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.308902979 CEST	62665	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.315722942 CEST	53	62665	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.346020937 CEST	58404	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.346955061 CEST	55818	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.353111982 CEST	53	58404	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.353934050 CEST	53	55818	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.362021923 CEST	53534	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.364728928 CEST	63356	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.369005919 CEST	53	53534	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.371434927 CEST	53	63356	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.628781080 CEST	64434	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.635611057 CEST	53	64434	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.637022972 CEST	49688	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.643883944 CEST	53	49688	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:03.644628048 CEST	51322	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:03.651519060 CEST	53	51322	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.015660048 CEST	54449	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.021522999 CEST	53034	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.021887064 CEST	53743	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.022608042 CEST	53	54449	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.028965950 CEST	53	53034	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.029514074 CEST	53	53743	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.043330908 CEST	50662	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.045532942 CEST	51750	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.046125889 CEST	58858	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.050085068 CEST	53	50662	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.050694942 CEST	56827	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.052412033 CEST	53	51750	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.058631897 CEST	53	56827	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.061520100 CEST	52797	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.068787098 CEST	53	52797	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.421854973 CEST	57861	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.429682970 CEST	53	57861	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.431093931 CEST	51016	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.438472986 CEST	53	51016	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:04.439838886 CEST	65168	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:04.446981907 CEST	53	65168	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.335459948 CEST	52359	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.447968960 CEST	59732	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.559731007 CEST	65123	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.591923952 CEST	53	52359	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.592037916 CEST	53	65123	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.594738960 CEST	64507	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.596671104 CEST	53213	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.602052927 CEST	53	64507	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.602615118 CEST	65251	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.604295969 CEST	53	53213	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.604811907 CEST	57695	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.609885931 CEST	53	65251	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.611846924 CEST	53	57695	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.630064011 CEST	53	51336	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.735049963 CEST	62699	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.742026091 CEST	53	62699	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.743189096 CEST	56898	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.746018887 CEST	59858	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.747946978 CEST	50379	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.750036001 CEST	53	56898	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.752733946 CEST	53	59858	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.755469084 CEST	53	50379	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.769750118 CEST	53584	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.777802944 CEST	53	53584	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:08.780325890 CEST	60193	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:08.787523985 CEST	53	60193	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.043441057 CEST	63462	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.043720961 CEST	59415	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.043963909 CEST	54151	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.050219059 CEST	53	63462	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.050826073 CEST	53	59415	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.051724911 CEST	53	54151	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.920470953 CEST	58509	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.920470953 CEST	52587	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.922327995 CEST	59504	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.927741051 CEST	53	58509	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.927804947 CEST	53	52587	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.928433895 CEST	59618	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.928602934 CEST	61067	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.930479050 CEST	53	59504	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.931109905 CEST	59879	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.935333967 CEST	53	59618	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.936048985 CEST	51858	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.936602116 CEST	53	61067	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.937305927 CEST	63389	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.937849998 CEST	53	59879	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.943803072 CEST	53	51858	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.944561958 CEST	53	63389	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.948484898 CEST	55912	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.948972940 CEST	50951	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.955100060 CEST	53	55912	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.955688000 CEST	55650	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.956176996 CEST	53	50951	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.956748962 CEST	50520	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:16.962836027 CEST	53	55650	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:16.964108944 CEST	53	50520	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:18.442810059 CEST	56212	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:18.449841976 CEST	53	56212	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:29.441796064 CEST	57126	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:29.448841095 CEST	53	57126	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:30.089454889 CEST	55538	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:30.098484993 CEST	53	55538	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.581916094 CEST	59424	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.591229916 CEST	53	59424	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.592992067 CEST	53016	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.599787951 CEST	53	53016	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.628894091 CEST	53547	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.636358976 CEST	53	53547	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.639859915 CEST	64820	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.643081903 CEST	51174	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.647506952 CEST	53	64820	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.653855085 CEST	53	51174	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.657242060 CEST	60540	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.660008907 CEST	59528	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.664241076 CEST	53	60540	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.667407036 CEST	53	59528	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:31.671487093 CEST	52955	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:31.679486036 CEST	53	52955	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:49.945902109 CEST	58315	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:50.411324024 CEST	53	58315	1.1.1.1	192.168.2.5
Oct 14, 2024 12:17:50.412679911 CEST	54055	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:17:50.419603109 CEST	53	54055	1.1.1.1	192.168.2.5
Oct 14, 2024 12:18:01.347400904 CEST	57092	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:18:01.354325056 CEST	53	57092	1.1.1.1	192.168.2.5
Oct 14, 2024 12:18:01.867669106 CEST	58434	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:18:31.037465096 CEST	52923	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:18:31.044493914 CEST	53	52923	1.1.1.1	192.168.2.5
Oct 14, 2024 12:18:31.045640945 CEST	57982	53	192.168.2.5	1.1.1.1
Oct 14, 2024 12:18:31.052540064 CEST	53	57982	1.1.1.1	192.168.2.5
Oct 14, 2024 12:18:31.542691946 CEST	49507	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 12:17:02.771928072 CEST	192.168.2.5	1.1.1.1	0xeb80	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:02.782496929 CEST	192.168.2.5	1.1.1.1	0x17d6	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:03.308621883 CEST	192.168.2.5	1.1.1.1	0x4f94	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.308902979 CEST	192.168.2.5	1.1.1.1	0x5cff	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.346020937 CEST	192.168.2.5	1.1.1.1	0xf6a6	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.346955061 CEST	192.168.2.5	1.1.1.1	0xd0f1	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.362021923 CEST	192.168.2.5	1.1.1.1	0x89db	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:03.364728928 CEST	192.168.2.5	1.1.1.1	0x2507	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:03.628781080 CEST	192.168.2.5	1.1.1.1	0x930	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.637022972 CEST	192.168.2.5	1.1.1.1	0x5963	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.644628048 CEST	192.168.2.5	1.1.1.1	0x7b4	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:04.015660048 CEST	192.168.2.5	1.1.1.1	0x9bae	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.021522999 CEST	192.168.2.5	1.1.1.1	0x1972	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.021887064 CEST	192.168.2.5	1.1.1.1	0x44f4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.043330908 CEST	192.168.2.5	1.1.1.1	0xffbc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:04.045532942 CEST	192.168.2.5	1.1.1.1	0x5457	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.046125889 CEST	192.168.2.5	1.1.1.1	0x15	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.050694942 CEST	192.168.2.5	1.1.1.1	0x1f4b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.061520100 CEST	192.168.2.5	1.1.1.1	0xb4ab	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:04.421854973 CEST	192.168.2.5	1.1.1.1	0xf3e0	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.431093931 CEST	192.168.2.5	1.1.1.1	0x7ad3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.439838886 CEST	192.168.2.5	1.1.1.1	0xc2ba	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:08.335459948 CEST	192.168.2.5	1.1.1.1	0x4583	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.447968960 CEST	192.168.2.5	1.1.1.1	0xe028	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.559731007 CEST	192.168.2.5	1.1.1.1	0xef21	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.594738960 CEST	192.168.2.5	1.1.1.1	0xe06a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.596671104 CEST	192.168.2.5	1.1.1.1	0x1729	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.602615118 CEST	192.168.2.5	1.1.1.1	0x6ed7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:08.604811907 CEST	192.168.2.5	1.1.1.1	0xa2c3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:08.735049963 CEST	192.168.2.5	1.1.1.1	0xf7eb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.743189096 CEST	192.168.2.5	1.1.1.1	0xb56	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:08.746018887 CEST	192.168.2.5	1.1.1.1	0x7bb3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:08.747946978 CEST	192.168.2.5	1.1.1.1	0xb133	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.769750118 CEST	192.168.2.5	1.1.1.1	0x4434	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.780325890 CEST	192.168.2.5	1.1.1.1	0xadf4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:16.043441057 CEST	192.168.2.5	1.1.1.1	0xf9f5	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.043720961 CEST	192.168.2.5	1.1.1.1	0xdf68	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.043963909 CEST	192.168.2.5	1.1.1.1	0xd80d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.920470953 CEST	192.168.2.5	1.1.1.1	0xe4e9	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.920470953 CEST	192.168.2.5	1.1.1.1	0xde93	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.922327995 CEST	192.168.2.5	1.1.1.1	0x12df	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.928433895 CEST	192.168.2.5	1.1.1.1	0xa908	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 12:17:16.928602934 CEST	192.168.2.5	1.1.1.1	0xa1cf	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:16.931109905 CEST	192.168.2.5	1.1.1.1	0xd42c	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:16.936048985 CEST	192.168.2.5	1.1.1.1	0xa630	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.937305927 CEST	192.168.2.5	1.1.1.1	0x521a	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.948484898 CEST	192.168.2.5	1.1.1.1	0x79aa	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.948972940 CEST	192.168.2.5	1.1.1.1	0xfa06	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.955688000 CEST	192.168.2.5	1.1.1.1	0xaa0f	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:16.956748962 CEST	192.168.2.5	1.1.1.1	0x9919	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:18.442810059 CEST	192.168.2.5	1.1.1.1	0x5e5a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:29.441796064 CEST	192.168.2.5	1.1.1.1	0x4844	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:30.089454889 CEST	192.168.2.5	1.1.1.1	0x1d98	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.581916094 CEST	192.168.2.5	1.1.1.1	0x7e44	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.592992067 CEST	192.168.2.5	1.1.1.1	0x4ae1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 12:17:31.628894091 CEST	192.168.2.5	1.1.1.1	0xb714	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.639859915 CEST	192.168.2.5	1.1.1.1	0x9d96	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.643081903 CEST	192.168.2.5	1.1.1.1	0xcc6e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.657242060 CEST	192.168.2.5	1.1.1.1	0x2502	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 12:17:31.660008907 CEST	192.168.2.5	1.1.1.1	0xfd9e	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.671487093 CEST	192.168.2.5	1.1.1.1	0xf9fd	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:17:49.945902109 CEST	192.168.2.5	1.1.1.1	0x8494	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:50.412679911 CEST	192.168.2.5	1.1.1.1	0x8c2f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:18:01.347400904 CEST	192.168.2.5	1.1.1.1	0x9b16	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:18:01.867669106 CEST	192.168.2.5	1.1.1.1	0x8c61	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:31.037465096 CEST	192.168.2.5	1.1.1.1	0xbcda	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:31.045640945 CEST	192.168.2.5	1.1.1.1	0xc364	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 12:18:31.542691946 CEST	192.168.2.5	1.1.1.1	0xa315	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 12:17:02.749285936 CEST	1.1.1.1	192.168.2.5	0x5ded	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:02.778743029 CEST	1.1.1.1	192.168.2.5	0xeb80	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.315547943 CEST	1.1.1.1	192.168.2.5	0x4f94	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:03.315547943 CEST	1.1.1.1	192.168.2.5	0x4f94	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.315722942 CEST	1.1.1.1	192.168.2.5	0x5cff	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.353111982 CEST	1.1.1.1	192.168.2.5	0xf6a6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.353934050 CEST	1.1.1.1	192.168.2.5	0xd0f1	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.369005919 CEST	1.1.1.1	192.168.2.5	0x89db	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 12:17:03.371434927 CEST	1.1.1.1	192.168.2.5	0x2507	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:03.635611057 CEST	1.1.1.1	192.168.2.5	0x930	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:03.643883944 CEST	1.1.1.1	192.168.2.5	0x5963	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.017937899 CEST	1.1.1.1	192.168.2.5	0xc945	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:04.017937899 CEST	1.1.1.1	192.168.2.5	0xc945	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.022608042 CEST	1.1.1.1	192.168.2.5	0x9bae	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:04.022608042 CEST	1.1.1.1	192.168.2.5	0x9bae	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.028965950 CEST	1.1.1.1	192.168.2.5	0x1972	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.029514074 CEST	1.1.1.1	192.168.2.5	0x44f4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.052412033 CEST	1.1.1.1	192.168.2.5	0x5457	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.052412033 CEST	1.1.1.1	192.168.2.5	0x5457	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.053869009 CEST	1.1.1.1	192.168.2.5	0x15	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:04.053869009 CEST	1.1.1.1	192.168.2.5	0x15	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.058631897 CEST	1.1.1.1	192.168.2.5	0x1f4b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.429682970 CEST	1.1.1.1	192.168.2.5	0xf3e0	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:04.429682970 CEST	1.1.1.1	192.168.2.5	0xf3e0	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:04.429682970 CEST	1.1.1.1	192.168.2.5	0xf3e0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.438472986 CEST	1.1.1.1	192.168.2.5	0x7ad3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:04.446981907 CEST	1.1.1.1	192.168.2.5	0xc2ba	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 12:17:08.591923952 CEST	1.1.1.1	192.168.2.5	0x4583	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:08.591923952 CEST	1.1.1.1	192.168.2.5	0x4583	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:08.591923952 CEST	1.1.1.1	192.168.2.5	0x4583	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.592037916 CEST	1.1.1.1	192.168.2.5	0xef21	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.592081070 CEST	1.1.1.1	192.168.2.5	0xe028	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:08.602052927 CEST	1.1.1.1	192.168.2.5	0xe06a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.604295969 CEST	1.1.1.1	192.168.2.5	0x1729	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.725696087 CEST	1.1.1.1	192.168.2.5	0xc9ab	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.742026091 CEST	1.1.1.1	192.168.2.5	0xf7eb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.752701044 CEST	1.1.1.1	192.168.2.5	0x16c7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:08.752701044 CEST	1.1.1.1	192.168.2.5	0x16c7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.755469084 CEST	1.1.1.1	192.168.2.5	0xb133	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:08.755469084 CEST	1.1.1.1	192.168.2.5	0xb133	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:08.777802944 CEST	1.1.1.1	192.168.2.5	0x4434	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:09.638819933 CEST	1.1.1.1	192.168.2.5	0x7b21	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050219059 CEST	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050826073 CEST	1.1.1.1	192.168.2.5	0xdf68	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:16.050826073 CEST	1.1.1.1	192.168.2.5	0xdf68	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.051724911 CEST	1.1.1.1	192.168.2.5	0xd80d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:16.051724911 CEST	1.1.1.1	192.168.2.5	0xd80d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927741051 CEST	1.1.1.1	192.168.2.5	0xe4e9	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.927804947 CEST	1.1.1.1	192.168.2.5	0xde93	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.930479050 CEST	1.1.1.1	192.168.2.5	0x12df	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.935333967 CEST	1.1.1.1	192.168.2.5	0xa908	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.936602116 CEST	1.1.1.1	192.168.2.5	0xa1cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.936602116 CEST	1.1.1.1	192.168.2.5	0xa1cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.936602116 CEST	1.1.1.1	192.168.2.5	0xa1cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.936602116 CEST	1.1.1.1	192.168.2.5	0xa1cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.937849998 CEST	1.1.1.1	192.168.2.5	0xd42c	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 12:17:16.943803072 CEST	1.1.1.1	192.168.2.5	0xa630	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:16.943803072 CEST	1.1.1.1	192.168.2.5	0xa630	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.943803072 CEST	1.1.1.1	192.168.2.5	0xa630	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.943803072 CEST	1.1.1.1	192.168.2.5	0xa630	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.943803072 CEST	1.1.1.1	192.168.2.5	0xa630	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.944561958 CEST	1.1.1.1	192.168.2.5	0x521a	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.955100060 CEST	1.1.1.1	192.168.2.5	0x79aa	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.956176996 CEST	1.1.1.1	192.168.2.5	0xfa06	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.956176996 CEST	1.1.1.1	192.168.2.5	0xfa06	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.956176996 CEST	1.1.1.1	192.168.2.5	0xfa06	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:16.956176996 CEST	1.1.1.1	192.168.2.5	0xfa06	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:30.098484993 CEST	1.1.1.1	192.168.2.5	0x1d98	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:30.098484993 CEST	1.1.1.1	192.168.2.5	0x1d98	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:30.098484993 CEST	1.1.1.1	192.168.2.5	0x1d98	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:30.098484993 CEST	1.1.1.1	192.168.2.5	0x1d98	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.586869955 CEST	1.1.1.1	192.168.2.5	0x8b54	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:31.586869955 CEST	1.1.1.1	192.168.2.5	0x8b54	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.591229916 CEST	1.1.1.1	192.168.2.5	0x7e44	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.636358976 CEST	1.1.1.1	192.168.2.5	0xb714	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.636358976 CEST	1.1.1.1	192.168.2.5	0xb714	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.636358976 CEST	1.1.1.1	192.168.2.5	0xb714	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.636358976 CEST	1.1.1.1	192.168.2.5	0xb714	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.647506952 CEST	1.1.1.1	192.168.2.5	0x9d96	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.647506952 CEST	1.1.1.1	192.168.2.5	0x9d96	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.647506952 CEST	1.1.1.1	192.168.2.5	0x9d96	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.647506952 CEST	1.1.1.1	192.168.2.5	0x9d96	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.653855085 CEST	1.1.1.1	192.168.2.5	0xcc6e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:31.653855085 CEST	1.1.1.1	192.168.2.5	0xcc6e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:31.667407036 CEST	1.1.1.1	192.168.2.5	0xfd9e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:17:32.954906940 CEST	1.1.1.1	192.168.2.5	0xc182	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:32.954906940 CEST	1.1.1.1	192.168.2.5	0xc182	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:17:50.411324024 CEST	1.1.1.1	192.168.2.5	0x8494	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:01.340501070 CEST	1.1.1.1	192.168.2.5	0xd75d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:01.874867916 CEST	1.1.1.1	192.168.2.5	0x8c61	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:18:01.874867916 CEST	1.1.1.1	192.168.2.5	0x8c61	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:31.044493914 CEST	1.1.1.1	192.168.2.5	0xbcda	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 12:18:31.550024986 CEST	1.1.1.1	192.168.2.5	0xa315	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 12:18:31.550024986 CEST	1.1.1.1	192.168.2.5	0xa315	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 12:17:03.345074892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:03.808943987 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 20:50:41 GMT Age: 48382 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 12:17:04.060933113 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:04.524861097 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59048 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 12:17:04.780555010 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:05.240736961 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77687 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:05.814616919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:05.912694931 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77687 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:09.128761053 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:09.226125002 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77691 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:09.599037886 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:09.696805000 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77691 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:10.126962900 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:10.224653959 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77692 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:10.612397909 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:10.709884882 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77692 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:19.430967093 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:19.528806925 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77701 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:29.532011032 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:17:29.936207056 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:30.035640001 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77711 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:32.087486029 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:32.184951067 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77714 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:32.416389942 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:32.539690018 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77714 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:32.744693995 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:32.842210054 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77714 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:32.940921068 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:33.039614916 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77714 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:41.308415890 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:41.405544996 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77723 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:17:50.934020996 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:17:51.031451941 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77732 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:18:01.037005901 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:01.867755890 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:18:01.965451956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77743 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:18:11.968641043 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:21.983052015 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:31.542479038 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 12:18:31.640260935 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 77773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 12:18:41.649388075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:51.663089991 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:19:01.679644108 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49727	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 12:17:05.660777092 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:06.123461008 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59050 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:08.335783005 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:08.683367014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:09.573139906 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:09.670830965 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:09.833017111 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:09.930833101 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:10.227845907 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:10.325634956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59054 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:10.712321043 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:10.810219049 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59054 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:20.033617020 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:20.132144928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59064 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:30.042706966 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:30.140265942 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59074 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:32.189121962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:32.286717892 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59076 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:32.544032097 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:32.641650915 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59076 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:32.845372915 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:32.942904949 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59076 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:33.042431116 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:33.141244888 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59077 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:41.408389091 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:41.506243944 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59085 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:17:51.034388065 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:17:51.132427931 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59095 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:18:01.137290955 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:01.988363981 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:18:02.085767031 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59106 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:18:12.106748104 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:22.114738941 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:31.643732071 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 12:18:31.741800070 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 59135 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 12:18:41.749821901 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:18:51.763428926 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 12:19:01.779952049 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	06:16:56
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x550000
File size:	919'552 bytes
MD5 hash:	EA20340956658299C9783B15A587F3DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:16:56
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xcd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:16:56
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:16:58
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xcd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:16:58
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xcd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xcd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xcd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:16:59
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:17:00
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee7b042-75ea-4bb9-90d9-9066a5230ac2} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbd2f6e710 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:17:02
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3372 -parentBuildID 20230927232528 -prefsHandle 3516 -prefMapHandle 4288 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a816b74c-6ffd-4a66-bced-c718d78fb541} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbe573ed10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:17:08
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5068 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2033a4f-4d83-4a68-a247-c70252e4d8ba} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 1fbeebd3710 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1626
Total number of Limit Nodes:	55

Executed Functions

Function 005542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0055430D

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

GetCurrentProcess.KERNEL32(?,005ECB64,00000000,?,?), ref: 00554422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00554429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00554454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00554466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00554474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0055447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005544A0

Strings

|O, xrefs: 005936F8
GetNativeSystemInfo, xrefs: 00554460
kernel32.dll, xrefs: 0055444F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 28b4af7bab528940990bdc25824ceda9aaecae655d67e43f957e8e3e0cbc70ee
Instruction ID: d7625b2721833404996331618fb485ef60babbc15a9080d5f259a2da514680c8
Opcode Fuzzy Hash: 28b4af7bab528940990bdc25824ceda9aaecae655d67e43f957e8e3e0cbc70ee
Instruction Fuzzy Hash: E1A1A46290EAD0CFCF35CB69BC841957FA7BB77305B047899D4819FA62D220464BCB22

Function 005542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005550AA,?,?,00000000,00000000), ref: 005542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005550AA,?,?,00000000,00000000), ref: 005542C9
LoadResource.KERNEL32(?,00000000,?,?,005550AA,?,?,00000000,00000000,?,?,?,?,?,?,00554F20), ref: 005935BE
SizeofResource.KERNEL32(?,00000000,?,?,005550AA,?,?,00000000,00000000,?,?,?,?,?,?,00554F20), ref: 005935D3
LockResource.KERNEL32(005550AA,?,?,005550AA,?,?,00000000,00000000,?,?,?,?,?,?,00554F20,?), ref: 005935E6

Strings

SCRIPT, xrefs: 005542BF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3c2850828c34ade78a3e7d22c09613e4caafb2517a6eaa90b04abf5458e16b4a
Instruction ID: ceed31a4d152921b727182d86fdcf4429038fd796edf2da188d2213cfc9b41b3
Opcode Fuzzy Hash: 3c2850828c34ade78a3e7d22c09613e4caafb2517a6eaa90b04abf5458e16b4a
Instruction Fuzzy Hash: 8011AC78200301BFDB258B65DC88F277FBDFBC5B56F10816AB9428A250DB71D80A9A20

Function 00592BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00552B6B

Part of subcall function 00553A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00621418,?,00552E7F,?,?,?,00000000), ref: 00553A78

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00612224), ref: 00592C10
ShellExecuteW.SHELL32(00000000,?,?,00612224), ref: 00592C17

Strings

runas, xrefs: 00592C0B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ce9d9659886fda0cae7bb9f8c006ed9c763795f51b83b4a3d557a95ab033b5b6
Instruction ID: 0718d0ccaf1b32bdcfeba4e8162f1e67fa0df7375a13e8a2ddd70223bc03db2e
Opcode Fuzzy Hash: ce9d9659886fda0cae7bb9f8c006ed9c763795f51b83b4a3d557a95ab033b5b6
Instruction Fuzzy Hash: 0611BE311083465AC714FF60D8799AD7FA5BFE6352F44182FF846560A2DF21854ED712

Function 005BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005BD501
Process32FirstW.KERNEL32(00000000,?), ref: 005BD50F
Process32NextW.KERNEL32(00000000,?), ref: 005BD52F
CloseHandle.KERNELBASE(00000000), ref: 005BD5DC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 30ece86e9569f4739537a34bb7f535834d94bee6b5e6bdb953e66ae2765a1f5b
Instruction ID: 9b6336ab4da41c8ef6f3be189975751620545070806a6a1a5a92c7ee8c0a81e5
Opcode Fuzzy Hash: 30ece86e9569f4739537a34bb7f535834d94bee6b5e6bdb953e66ae2765a1f5b
Instruction Fuzzy Hash: F5318B310082419FD314EF54C895AAEBFF8BFD9344F14092DF981871A2EB61A949CBA2

Function 005BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00595222), ref: 005BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 005BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 005BDBEE
FindClose.KERNEL32(00000000), ref: 005BDBFA

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 83eb828166905c937fd08c63ec3e8fcd89c4eea346faad5054034605e61d16b5
Instruction ID: dc569cfa3b6490878f68137ee227797f8ef6a3c958f280ad40f7448d5acd321c
Opcode Fuzzy Hash: 83eb828166905c937fd08c63ec3e8fcd89c4eea346faad5054034605e61d16b5
Instruction Fuzzy Hash: 57F0A0308109105782246F78AC4E8AA3F7DAF41334B104702F9B6C20E0FBB0AD5ADAA5

Function 00574CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005828E9,?,00574CBE,005828E9,006188B8,0000000C,00574E15,005828E9,00000002,00000000,?,005828E9), ref: 00574D09
TerminateProcess.KERNEL32(00000000,?,00574CBE,005828E9,006188B8,0000000C,00574E15,005828E9,00000002,00000000,?,005828E9), ref: 00574D10
ExitProcess.KERNEL32 ref: 00574D22

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 67a7943ac0704b306922805ec4d61bce764ad32ac9e26f08b5184cc14bebcaf8
Instruction ID: d83cc981940fade9944e95b2b83c088b04a25ff60fc0bc76d912442a2e4c93c3
Opcode Fuzzy Hash: 67a7943ac0704b306922805ec4d61bce764ad32ac9e26f08b5184cc14bebcaf8
Instruction Fuzzy Hash: E9E04631000188AFCF25AF54ED49A483F29FB95781B008414FC989E122CB35ED42EF80

Function 0055BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#b, xrefs: 005A07CE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#b
API String ID: 3964851224-3064317527
Opcode ID: 428a56d5baa4a32998466e590be7b2a2df12cdfab00a555c4c929b997dbe5252
Instruction ID: d31e5cd9297c93dabae9be52e54a7aee9bb6225f388a02d6fde2a897e986c679
Opcode Fuzzy Hash: 428a56d5baa4a32998466e590be7b2a2df12cdfab00a555c4c929b997dbe5252
Instruction Fuzzy Hash: 4FA25C709083019FD714DF18C494B2ABFE1BF89304F14996EE99A9B392D771EC49CB92

Function 005DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 005DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005DB1D4
_wcslen.LIBCMT ref: 005DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005DB236
_wcslen.LIBCMT ref: 005DB332

Part of subcall function 005C05A7: GetStdHandle.KERNEL32(000000F6), ref: 005C05C6

_wcslen.LIBCMT ref: 005DB34B
_wcslen.LIBCMT ref: 005DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005DB3B6
GetLastError.KERNEL32(00000000), ref: 005DB407
CloseHandle.KERNEL32(?), ref: 005DB439
CloseHandle.KERNEL32(00000000), ref: 005DB44A
CloseHandle.KERNEL32(00000000), ref: 005DB45C
CloseHandle.KERNEL32(00000000), ref: 005DB46E
CloseHandle.KERNEL32(?), ref: 005DB4E3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4abff94dfe6894d085a50a34600742f5ee38e0d9fd84e4b126f81fcba4a3bfa5
Instruction ID: 2c95c0dc6dc799ca9e02c67dcfbc77a3595b68a05378a7f7bb0c420c1e80625c
Opcode Fuzzy Hash: 4abff94dfe6894d085a50a34600742f5ee38e0d9fd84e4b126f81fcba4a3bfa5
Instruction Fuzzy Hash: 87F18B31504341DFDB24EF28C895A2ABFE6BF85310F15895EE8958B3A2DB31EC05CB52

Function 0055D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0055D807
timeGetTime.WINMM ref: 0055DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0055DB28
TranslateMessage.USER32(?), ref: 0055DB7B
DispatchMessageW.USER32(?), ref: 0055DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0055DB9F
Sleep.KERNELBASE(0000000A), ref: 0055DBB1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5361838776ffef2eb36faceebae973f0bce36fa6f4dae9771b8ee05feabc6226
Instruction ID: b982a521f860f1a51a08057c678dddac6a818896165ddb2c8af46f209f788499
Opcode Fuzzy Hash: 5361838776ffef2eb36faceebae973f0bce36fa6f4dae9771b8ee05feabc6226
Instruction Fuzzy Hash: A442E431608642DFD738CF24C865BAEBFB5BF86315F14491EE85587291D770E848CBA2

Function 00552CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00552D07
RegisterClassExW.USER32(00000030), ref: 00552D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00552D42
InitCommonControlsEx.COMCTL32(?), ref: 00552D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00552D6F
LoadIconW.USER32(000000A9), ref: 00552D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00552D94

Strings

0, xrefs: 00552CE9
AutoIt v3 GUI, xrefs: 00552D23
TaskbarCreated, xrefs: 00552D37
+, xrefs: 00552CF0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6fcdb82621373d79e8eb3190e59de52822329857df35e5d69b8f295c5a1f7ed5
Instruction ID: 846061ea1b3ad9752485bfca0c0a18fdc81802306391c6fb0c0b8be64f3e0105
Opcode Fuzzy Hash: 6fcdb82621373d79e8eb3190e59de52822329857df35e5d69b8f295c5a1f7ed5
Instruction Fuzzy Hash: 642113B1D01348AFDB10DFA4E888BDDBFB5FB19700F00811AF951AA2A0D7B08586CF90

Function 0059065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059039A: CreateFileW.KERNELBASE(00000000,00000000,?,00590704,?,?,00000000,?,00590704,00000000,0000000C), ref: 005903B7

GetLastError.KERNEL32 ref: 0059076F
__dosmaperr.LIBCMT ref: 00590776
GetFileType.KERNELBASE(00000000), ref: 00590782
GetLastError.KERNEL32 ref: 0059078C
__dosmaperr.LIBCMT ref: 00590795
CloseHandle.KERNEL32(00000000), ref: 005907B5
CloseHandle.KERNEL32(?), ref: 005908FF
GetLastError.KERNEL32 ref: 00590931
__dosmaperr.LIBCMT ref: 00590938

Strings

H, xrefs: 005908BD

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fc1084f65048961dc3ab596a57d6d1e586b840445d8ae1c5b68b4fcad7bdd2bd
Instruction ID: fc0c5b3c134e598a9363aba5ad0ecbeb8e86ba9be09e3104f622e7a872907454
Opcode Fuzzy Hash: fc1084f65048961dc3ab596a57d6d1e586b840445d8ae1c5b68b4fcad7bdd2bd
Instruction Fuzzy Hash: F1A12136A001098FDF29EF68D895BAE3FA1BB46320F145559F815AF2D2DB309813DB91

Function 0055344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00553A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00621418,?,00552E7F,?,?,?,00000000), ref: 00553A78

Part of subcall function 00553357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00553379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0055356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0059318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005931CE
RegCloseKey.ADVAPI32(?), ref: 00593210
_wcslen.LIBCMT ref: 00593277
_wcslen.LIBCMT ref: 00593286

Strings

\, xrefs: 0059328C
Include, xrefs: 00593184, 005931C5
\Include\, xrefs: 00553527
Software\AutoIt v3\AutoIt, xrefs: 00553560

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3a5142396d2e6e98dfb53ce876f4a2bcce3872ff76963517f27ebcd3ddc9ede5
Instruction ID: a78075685e3eca478e81b4a7fbfd026789023f7a369e9ed02f6fdd7495c589d7
Opcode Fuzzy Hash: 3a5142396d2e6e98dfb53ce876f4a2bcce3872ff76963517f27ebcd3ddc9ede5
Instruction Fuzzy Hash: 6271B271404702AEC724DF65ECA586BBFE9FFD4740F40582EF985831A0EB349A49CB52

Function 00552B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00552B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00552B9D
LoadIconW.USER32(00000063), ref: 00552BB3
LoadIconW.USER32(000000A4), ref: 00552BC5
LoadIconW.USER32(000000A2), ref: 00552BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00552BEF
RegisterClassExW.USER32(?), ref: 00552C40

Part of subcall function 00552CD4: GetSysColorBrush.USER32(0000000F), ref: 00552D07
Part of subcall function 00552CD4: RegisterClassExW.USER32(00000030), ref: 00552D31
Part of subcall function 00552CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00552D42
Part of subcall function 00552CD4: InitCommonControlsEx.COMCTL32(?), ref: 00552D5F
Part of subcall function 00552CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00552D6F
Part of subcall function 00552CD4: LoadIconW.USER32(000000A9), ref: 00552D85
Part of subcall function 00552CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00552D94

Strings

#, xrefs: 00552C16
0, xrefs: 00552C0F
AutoIt v3, xrefs: 00552C2F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: fa300b1a913873c64c29ed9c936622193d6c8bfdbe49aed57aea491c142898fa
Instruction ID: a22ec6698afb241228f11193b1bd22142b1e2b9e5a0b51a5b63f50365fdbe55a
Opcode Fuzzy Hash: fa300b1a913873c64c29ed9c936622193d6c8bfdbe49aed57aea491c142898fa
Instruction Fuzzy Hash: 66214C70E04758ABDB20DFA5EC95A9D7FB6FB5DB50F00102AE500AA6A0D3B14A46DF90

Function 0055B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0055BB4E

Strings

p#b, xrefs: 005A024F
p#b, xrefs: 005A0263
x#b, xrefs: 005A0168
x#b, xrefs: 005A0207
p#b, xrefs: 0055BB6B
p#b, xrefs: 0055BA72
p%b, xrefs: 0055B8DC
p%b, xrefs: 0055BB32

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#b$p#b$p#b$p#b$p%b$p%b$x#b$x#b
API String ID: 1385522511-892136152
Opcode ID: 026031aa235a704be8cadfab644c3047d4b648404bfad2bf64231a79b1167313
Instruction ID: 997a706da1cd996af276f95f0b4f049c3908d2fbaf591dcae211affe9df2fda1
Opcode Fuzzy Hash: 026031aa235a704be8cadfab644c3047d4b648404bfad2bf64231a79b1167313
Instruction Fuzzy Hash: CA32AE34A0020AAFEB24CF54C8A8ABEBFB5FF45311F14845AED05AB291C774AD45CB91

Function 00553170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0055316A,?,?), ref: 005531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0055316A,?,?), ref: 00553204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00553227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0055316A,?,?), ref: 00553232
CreatePopupMenu.USER32 ref: 00553246
PostQuitMessage.USER32(00000000), ref: 00553267

Strings

TaskbarCreated, xrefs: 0055322D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5e86be2e251d4e2007b433bca2bf5b8d42d9c9a0e5ce30a8ad0f45ec2913100b
Instruction ID: 9cef12725b89d703109ab2fe3af2dd3f5927dd145fa521e122964e2682badba4
Opcode Fuzzy Hash: 5e86be2e251d4e2007b433bca2bf5b8d42d9c9a0e5ce30a8ad0f45ec2913100b
Instruction Fuzzy Hash: 2B413734208E45ABDB245B38DC7DB7D3E1AF756382F04452BFD0A8A1A1CB70DA4AD761

Function 00551410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00551459
CoUninitialize.COMBASE ref: 005514F8
UnregisterHotKey.USER32(?), ref: 005516DD
DestroyWindow.USER32(?), ref: 005924B9
FreeLibrary.KERNEL32(?), ref: 0059251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0059254B

Strings

close all, xrefs: 00551454

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 15e64979a69d5fd732a34266097ebf6a593575db47d6b75a2c6ceccdab57c922
Instruction ID: 5f738a744edb0779030d7d62b2175d3712dfeba52df0e914ef565dceabd2fa3e
Opcode Fuzzy Hash: 15e64979a69d5fd732a34266097ebf6a593575db47d6b75a2c6ceccdab57c922
Instruction Fuzzy Hash: FDD16931601612DFCB29EF15C4A9B29FFA4BF44701F1545AEE84AAB252DB30EC1ACF54

Function 00552C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00552C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00552CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00551CAD,?), ref: 00552CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00551CAD,?), ref: 00552CCF

Strings

edit, xrefs: 00552CAC
AutoIt v3, xrefs: 00552C89, 00552C8E, 00552C8F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a86e14dc1b8fd4f1b5350bdcf02e0d2db272e3f551d8b1d10494d9700d59e62c
Instruction ID: f66fe9f2e28f0d5c5eb402d974a9b2e5e41aed382708fb1811370799f7152073
Opcode Fuzzy Hash: a86e14dc1b8fd4f1b5350bdcf02e0d2db272e3f551d8b1d10494d9700d59e62c
Instruction Fuzzy Hash: A9F017755442947AEB304713AC48E772EBFE7EBF90B01202EF900EA1A0C2615842DAB0

Function 00553B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00553B0F,SwapMouseButtons,00000004,?), ref: 00553B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00553B0F,SwapMouseButtons,00000004,?), ref: 00553B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00553B0F,SwapMouseButtons,00000004,?), ref: 00553B83

Strings

Control Panel\Mouse, xrefs: 00553B3E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 13ae422b2225109a10a7f984f6f0ca561883c70a5f34fcb8181669e7f4448c00
Instruction ID: b80edd66af3d534477b62ac4692be16b6672201096051bf7bd15e98d966aa4a3
Opcode Fuzzy Hash: 13ae422b2225109a10a7f984f6f0ca561883c70a5f34fcb8181669e7f4448c00
Instruction Fuzzy Hash: 1B112AB5510218FFDB24CFA5DC98AAEBBB8FF04795B10485AF809D7110E231DF49A760

Function 00553923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005933A2

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00553A04

Strings

Line: , xrefs: 005933EB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d36675f71ae9e74cfa75499f1ba267c08001257f98acfb7578c6e8de0188f03d
Instruction ID: a219759c1448603fbc5c953790d8181788bf2596d22d351c21ea12d255baffdb
Opcode Fuzzy Hash: d36675f71ae9e74cfa75499f1ba267c08001257f98acfb7578c6e8de0188f03d
Instruction Fuzzy Hash: 7E31E4B1408345AAC721EB10DC59BEB7BE9BF91351F10492BF99987091EB70964DC7C2

Function 00552DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00592C8C

Part of subcall function 00553AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00553A97,?,?,00552E7F,?,?,?,00000000), ref: 00553AC2

Part of subcall function 00552DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00552DC4

Strings

X, xrefs: 00592C5A
`ea, xrefs: 00592C85

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ea
API String ID: 779396738-2348371570
Opcode ID: 9bef0fa6fa726d856a0217489aee847cc391bb94fc960c0abb269a1abe4f2fd5
Instruction ID: f2075b234081b73f85b422fed06fcee1c081739ecbd81cf0431ce7e252513e5c
Opcode Fuzzy Hash: 9bef0fa6fa726d856a0217489aee847cc391bb94fc960c0abb269a1abe4f2fd5
Instruction Fuzzy Hash: 2E218471A00299ABDF01DF94C8597EE7FF9AF89315F00805AE805AB241DBB4598D8F61

Function 0056FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00570668

Part of subcall function 005732A4: RaiseException.KERNEL32(?,?,?,0057068A,?,00621444,?,?,?,?,?,?,0057068A,00551129,00618738,00551129), ref: 00573304

__CxxThrowException@8.LIBVCRUNTIME ref: 00570685

Strings

Unknown exception, xrefs: 00570692

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6a72443a4adebee7af8e502ba38e4526bd19eb2d1f02a6c1631f0fe73af4c71e
Instruction ID: c06407ce7b73474f1cdecbb111e1afc42269a83bf078b6a03a2354a7f0de6cc8
Opcode Fuzzy Hash: 6a72443a4adebee7af8e502ba38e4526bd19eb2d1f02a6c1631f0fe73af4c71e
Instruction Fuzzy Hash: 5AF0A43490020AB78B00B665F85EC9E7FAD7E80350B608531B81C965D2EF71EA65EA80

Function 005510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00551BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00551BF4
Part of subcall function 00551BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00551BFC
Part of subcall function 00551BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00551C07
Part of subcall function 00551BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00551C12
Part of subcall function 00551BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00551C1A
Part of subcall function 00551BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00551C22

Part of subcall function 00551B4A: RegisterWindowMessageW.USER32(00000004,?,005512C4), ref: 00551BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0055136A
OleInitialize.OLE32 ref: 00551388
CloseHandle.KERNEL32(00000000,00000000), ref: 005924AB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 593c8bb6ba86e4cdc68e90e9caf3510654238125ec73e4a34b8770ed65eeeed2
Instruction ID: c77f41641cdd058bd4b77b57657d49a63cfeaa276b241bdc4611326efdb804cb
Opcode Fuzzy Hash: 593c8bb6ba86e4cdc68e90e9caf3510654238125ec73e4a34b8770ed65eeeed2
Instruction Fuzzy Hash: 3F71EFF4909A458FC7A4EF79AC956543EE3BBAA340314A2BAD40AEF361E7344407CF45

Function 005BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00553923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00553A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005BC259
KillTimer.USER32(?,00000001,?,?), ref: 005BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005BC270

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0dc441b5c0f1359a61d3efce764b0f6bd3bbb76fad21036b472cf0aeb1523171
Instruction ID: 16770b0aba0f62ae7ca77bb6ee6110389bb7ad3e0774184cb4d14636d52050b4
Opcode Fuzzy Hash: 0dc441b5c0f1359a61d3efce764b0f6bd3bbb76fad21036b472cf0aeb1523171
Instruction Fuzzy Hash: 7131C374904384AFEB32CF648895BEBFFEDAB16304F00049ED5DAA7241C3746A89CB55

Function 005886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005885CC,?,00618CC8,0000000C), ref: 00588704
GetLastError.KERNEL32(?,005885CC,?,00618CC8,0000000C), ref: 0058870E
__dosmaperr.LIBCMT ref: 00588739

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: bbf44bbc48933df8b16331f1fa1ada2e78da78e7918cd09228ec8bc25a41e353
Instruction ID: 26043d22b27adf6baffb3aea405b8c92222c1dd8bc6c8429267a7ef3c724ac7b
Opcode Fuzzy Hash: bbf44bbc48933df8b16331f1fa1ada2e78da78e7918cd09228ec8bc25a41e353
Instruction Fuzzy Hash: 43016B3660466016D6347635684977E2F5AEBE1774F780519FC14FB1D3FEA1DC818350

Function 0055DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0055DB7B
DispatchMessageW.USER32(?), ref: 0055DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0055DB9F
Sleep.KERNELBASE(0000000A), ref: 0055DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 005A1CC9

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f82d9c3bfcc3ce07f3870f7a94f98cc1423848916cb3fa05d62bae8450dd1e2c
Instruction ID: 2ab531ed0ae3f0de81b2e0633cd87e54e66d38857cb863a60582faeab8ca0d69
Opcode Fuzzy Hash: f82d9c3bfcc3ce07f3870f7a94f98cc1423848916cb3fa05d62bae8450dd1e2c
Instruction Fuzzy Hash: B2F054315443809BE734CB609C99FAA7BB9FB55311F104519E649C70C0DB34948D9F25

Function 00561310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005617F6

Strings

CALL, xrefs: 005617C6

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e86ebfa7e51b1ab21284d17730f8c42f0bf1c47be1458b09864b71bb0d80014d
Instruction ID: ede8ef50d9bf230bfb2f79a448d074ec2defd180050ea4bd98262e15c415c05c
Opcode Fuzzy Hash: e86ebfa7e51b1ab21284d17730f8c42f0bf1c47be1458b09864b71bb0d80014d
Instruction Fuzzy Hash: 3A227A706087029FC714DF24C494A2ABFF1BF9A314F18895DF4968B3A2D731E845CB96

Function 00553837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00553908

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 020d3cf403b711ebfebc14791bff0647a9351f218c12869c043c60749eb050b4
Instruction ID: bb6959604a3b5d349c0f3aab8b49c0c80e12b16cc2d68173e60fec1cad941d17
Opcode Fuzzy Hash: 020d3cf403b711ebfebc14791bff0647a9351f218c12869c043c60749eb050b4
Instruction Fuzzy Hash: BE31BFB05057018FD721DF24D89479BBFE9FB59349F00092EF99D87240E771AA48CB52

Function 0056F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0056F661

Part of subcall function 0055D730: GetInputState.USER32 ref: 0055D807

Sleep.KERNEL32(00000000), ref: 005AF2DE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: bcd5db02a7f4f25081565710f8ee897973bec0bac04de2b30a16341a8660fec3
Instruction ID: 17d61a5d55cb27cf3f401df37f3728cf073ffe80bafb701cc55ea64075f54b25
Opcode Fuzzy Hash: bcd5db02a7f4f25081565710f8ee897973bec0bac04de2b30a16341a8660fec3
Instruction Fuzzy Hash: 41F012352406069FD318EF75D459B5ABFE4FF99761F00402AE859CB261EB70A844CB91

Function 00554ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00554E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00554EDD,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E9C
Part of subcall function 00554E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00554EAE
Part of subcall function 00554E90: FreeLibrary.KERNEL32(00000000,?,?,00554EDD,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554EFD

Part of subcall function 00554E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00593CDE,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E62
Part of subcall function 00554E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00554E74
Part of subcall function 00554E59: FreeLibrary.KERNEL32(00000000,?,?,00593CDE,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E87

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 63bc2402d41f71a4af91456b2511a98a654c1ed5c184bb86c468430113f7916c
Instruction ID: a1eefbd3597ddc6bb883913f5354455213efb6ff246b4d577a24e8a80c8543cc
Opcode Fuzzy Hash: 63bc2402d41f71a4af91456b2511a98a654c1ed5c184bb86c468430113f7916c
Instruction Fuzzy Hash: 5611EB31600306ABCF14AB64DC2BFAD7FA5BF80716F10441EF942A62D1EE709E899F50

Function 00588402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00588440

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 51975aaf37fbb9586ca6664fbae204e3891a61d0fe61c5d17090aea26bb228b9
Instruction ID: 61e7a06d1e32b1d5769fcb86ca756667e77cf3e98fdeff2a8d5197e7a7e15c7b
Opcode Fuzzy Hash: 51975aaf37fbb9586ca6664fbae204e3891a61d0fe61c5d17090aea26bb228b9
Instruction Fuzzy Hash: FE11487290410AAFCF15DF58E9459AA7BF5FF48304F104059FC08AB312DB31DA11CBA4

Function 00585000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00584C7D: RtlAllocateHeap.NTDLL(00000008,00551129,00000000,?,00582E29,00000001,00000364,?,?,?,0057F2DE,00583863,00621444,?,0056FDF5,?), ref: 00584CBE

_free.LIBCMT ref: 0058506C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 73c7489ae096a0c30c15482625288cb79c672794067f143bfb30dbc03e49a4ea
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: A4012B722047059BE3219E55984995AFFECFB85370F65051DE984A3280EA306805C774

Function 0057E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 23d5cdb577cf027264a541f4c6aca9fe34c9bd96c976b1359a8f250126d78616
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C1F0F932511B1196C7313E66BC0EB563F9CBFD6330F108755FC29A21D2DB749801A7A5

Function 00584C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00551129,00000000,?,00582E29,00000001,00000364,?,?,?,0057F2DE,00583863,00621444,?,0056FDF5,?), ref: 00584CBE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 972ef7a4f04232716bea53c0317b5720583cbefc6b6a20d686102cd89d42dd1b
Instruction ID: b00344fe69f53d46eb871fa2aa35d88d8ac6154f90deb991e72c9a30bcab8f8a
Opcode Fuzzy Hash: 972ef7a4f04232716bea53c0317b5720583cbefc6b6a20d686102cd89d42dd1b
Instruction Fuzzy Hash: F0F0E93160622767DB217F62AC09B5A7F8DBF917B0B148125FC19BA281CB30DC019FE0

Function 00583820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6,?,00551129), ref: 00583852

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 107ce5f6b820faf62ad9f6b169a8a0ff333d412fc970dac6a219b4724e933bd4
Instruction ID: 60882ab9a77fcfdd9deb60b23eec3d717ffaf825e1f034acb10d2bf6315ec3aa
Opcode Fuzzy Hash: 107ce5f6b820faf62ad9f6b169a8a0ff333d412fc970dac6a219b4724e933bd4
Instruction Fuzzy Hash: 55E0E53120322557D7313766AC09B9A3E49BB82FB0F150020BC18B6581DB20DD019FE1

Function 00554F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554F6D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 232b0d2d09712f88df48549a57c8c177224cb170a41d842c0952ff1cdb07ed9b
Instruction ID: 047bc0f9de01f04b29b89fba41d22c3e3ff7872c923f4d6d95243d7e93482ac2
Opcode Fuzzy Hash: 232b0d2d09712f88df48549a57c8c177224cb170a41d842c0952ff1cdb07ed9b
Instruction Fuzzy Hash: D6F01C71105792CFDB389F68E4A4852BFE4BF1431A320896EE5DA86611C7319888EF10

Function 005E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005E2A66

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5e4b99a5f12cc95f02cf6c058adbc8d8a5df90bb11da843e732d58b03e5b15b9
Instruction ID: ac83497616162da36490d75a5e56991d2c6c822229deebf0502d6b0362aaea64
Opcode Fuzzy Hash: 5e4b99a5f12cc95f02cf6c058adbc8d8a5df90bb11da843e732d58b03e5b15b9
Instruction Fuzzy Hash: 20E0DF72340156AAC718EA31EC848FE7F4CFB90394B00083AAC96C2100DB70998586E0

Function 005530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0055314E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a63c4969c28b132f50e620e7bce1b7c49a9721f974db8a97f939af64db5a2830
Instruction ID: eae54fae554939a3c9bb76439ba67a58417852a93068f6413ccb8e31bd08ec52
Opcode Fuzzy Hash: a63c4969c28b132f50e620e7bce1b7c49a9721f974db8a97f939af64db5a2830
Instruction Fuzzy Hash: E1F0A7709043489FEB62DB24DC497D97FBDB701708F0000E5A5889A181D7704789CF41

Function 00552DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00552DC4

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 666b0ddb5c78308857eaf04a5bde377e6d5b5edb209d295d337eaa61ff2f418e
Instruction ID: 90ed9e3cb70d2f818cb60b73012be1e7de505cbdf18b6acee91c7cc983089539
Opcode Fuzzy Hash: 666b0ddb5c78308857eaf04a5bde377e6d5b5edb209d295d337eaa61ff2f418e
Instruction Fuzzy Hash: 9DE0CD766001255BCB1096589C4AFEA7BDDEFC8790F040071FD49D7248D970ED848550

Function 00552B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00553837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00553908

Part of subcall function 0055D730: GetInputState.USER32 ref: 0055D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00552B6B

Part of subcall function 005530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0055314E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b52021dd0de356cc8eaa4968ebc5fa45f38bd16968c4a51b265bc128e2551e7f
Instruction ID: 38a3985939630b98dcf9ba531d70909cd4ef61d128c9d7c01b0cd98ea38ed999
Opcode Fuzzy Hash: b52021dd0de356cc8eaa4968ebc5fa45f38bd16968c4a51b265bc128e2551e7f
Instruction Fuzzy Hash: 3AE0202230424502C7087B3098795ADAF55BBE6393F40143FF84A47163CE14454E8311

Function 0059039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00590704,?,?,00000000,?,00590704,00000000,0000000C), ref: 005903B7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e4ed3b22d0f9043306410cabe7a613acc936ce23fb41fcfd48d962e859af46d
Instruction ID: 3801f92a4830326e83ae479555a20a2ddfdcfdb8747c339f25f91b696ff8f8d5
Opcode Fuzzy Hash: 8e4ed3b22d0f9043306410cabe7a613acc936ce23fb41fcfd48d962e859af46d
Instruction Fuzzy Hash: 35D06C3204014DBBDF028F84DD46EDA3FAAFB48714F014000BE5856020C732E822EB91

Function 00551CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00551CBC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 660bd55436252ea60a7fcb9b858d1513d187948408b023d838c478c75c1d5067
Instruction ID: 8e9439ab4331070714848db1201ba0faa08edf3689aa6ce58d36a39152600555
Opcode Fuzzy Hash: 660bd55436252ea60a7fcb9b858d1513d187948408b023d838c478c75c1d5067
Instruction Fuzzy Hash: 32C09B35280745BFF3248780BC5AF107756A35CB00F04D001F6496D5E3C3A15421E650

Non-executed Functions

Function 005E9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005E96C9
SendMessageW.USER32 ref: 005E96F2
GetKeyState.USER32(00000011), ref: 005E978B
GetKeyState.USER32(00000009), ref: 005E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005E97AE
GetKeyState.USER32(00000010), ref: 005E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005E97E9
SendMessageW.USER32 ref: 005E9810
SendMessageW.USER32(?,00001030,?,005E7E95), ref: 005E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005E9941
SetCapture.USER32(?), ref: 005E994A
ClientToScreen.USER32(?,?), ref: 005E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005E99D6
ReleaseCapture.USER32 ref: 005E99E1
GetCursorPos.USER32(?), ref: 005E9A19
ScreenToClient.USER32(?,?), ref: 005E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005E9A80
SendMessageW.USER32 ref: 005E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005E9AEB
SendMessageW.USER32 ref: 005E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005E9B4A
GetCursorPos.USER32(?), ref: 005E9B68
ScreenToClient.USER32(?,?), ref: 005E9B75
GetParent.USER32(?), ref: 005E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005E9BFA
SendMessageW.USER32 ref: 005E9C2B
ClientToScreen.USER32(?,?), ref: 005E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005E9CDE
SendMessageW.USER32 ref: 005E9D01
ClientToScreen.USER32(?,?), ref: 005E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005E9D82

Part of subcall function 00569944: GetWindowLongW.USER32(?,000000EB), ref: 00569952

GetWindowLongW.USER32(?,000000F0), ref: 005E9E05

Strings

F, xrefs: 005E9D07
@GUI_DRAGID, xrefs: 005E997D
p#b, xrefs: 005E9990

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#b
API String ID: 3429851547-1219855865
Opcode ID: b3ed3ddddf9b8c897dbbff9a7c7d59ffebf2f35ca14078972628bd97d58291a0
Instruction ID: 91bd17d2f4b16e54c6e463955f34ec308b69ded31433db0e289d620c498dabdb
Opcode Fuzzy Hash: b3ed3ddddf9b8c897dbbff9a7c7d59ffebf2f35ca14078972628bd97d58291a0
Instruction Fuzzy Hash: 47427C74604381AFDB28CF29CC84AAABFF5FF99310F14061AF9998B2A1D731D855DB41

Function 005E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005E4A7E
IsMenu.USER32(?), ref: 005E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E4B20
GetWindowLongW.USER32(?,000000F0), ref: 005E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005E4C82
wsprintfW.USER32 ref: 005E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005E4D5A

Strings

%d/%02d/%02d, xrefs: 005E4CA8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 561efb4dc73f2f747559540901e036aa2f428a07e854a9ea8a8413608451f92d
Instruction ID: df8b0638ecd3d3b238bd37d20d8328003823ba819ff30ac799ec8b52e0923723
Opcode Fuzzy Hash: 561efb4dc73f2f747559540901e036aa2f428a07e854a9ea8a8413608451f92d
Instruction Fuzzy Hash: 8212EF31900294ABEB288F2ACC49FAF7FB8BF85710F104529F995EB2A1D7749941CF50

Function 0056F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0056F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005AF474
IsIconic.USER32(00000000), ref: 005AF47D
ShowWindow.USER32(00000000,00000009), ref: 005AF48A
SetForegroundWindow.USER32(00000000), ref: 005AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005AF4AA
GetCurrentThreadId.KERNEL32 ref: 005AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 005AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 005AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 005AF4DE
SetForegroundWindow.USER32(00000000), ref: 005AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 005AF4F6
keybd_event.USER32(00000012,00000000), ref: 005AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 005AF50B
keybd_event.USER32(00000012,00000000), ref: 005AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 005AF519
keybd_event.USER32(00000012,00000000), ref: 005AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 005AF528
keybd_event.USER32(00000012,00000000), ref: 005AF52D
SetForegroundWindow.USER32(00000000), ref: 005AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 005AF557

Strings

Shell_TrayWnd, xrefs: 005AF46F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bc89d13cc314c0704d53bb8cf5204534d83d9f9f830ee600dac2b055eb7e3792
Instruction ID: 1e64d945b06e7fee69b42a02962d0a1cbff8a51b81e80ad70124db969b08c3c8
Opcode Fuzzy Hash: bc89d13cc314c0704d53bb8cf5204534d83d9f9f830ee600dac2b055eb7e3792
Instruction Fuzzy Hash: DA317371A402587FEB246BF55C89FBF7E6DFB49B50F100066FA40EA1D1C6B09D01AB60

Function 005B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B170D
Part of subcall function 005B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B173A
Part of subcall function 005B16C3: GetLastError.KERNEL32 ref: 005B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005B12A8
CloseHandle.KERNEL32(?), ref: 005B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005B12D1
GetProcessWindowStation.USER32 ref: 005B12EA
SetProcessWindowStation.USER32(00000000), ref: 005B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005B1310

Part of subcall function 005B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B11FC), ref: 005B10D4
Part of subcall function 005B10BF: CloseHandle.KERNEL32(?,?,005B11FC), ref: 005B10E9

Strings

Za, xrefs: 005B1392
, xrefs: 005B125A
winsta0, xrefs: 005B12CC
default, xrefs: 005B130B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Za
API String ID: 22674027-3380561490
Opcode ID: 6d68fd02eb3f3100ec44a19e886bd0af4ab1dbd3a98fbfa133e06d5141acf19b
Instruction ID: a48c85880f3dba5dc550f1353012212830efc4484133cdb2c97a39788d050a13
Opcode Fuzzy Hash: 6d68fd02eb3f3100ec44a19e886bd0af4ab1dbd3a98fbfa133e06d5141acf19b
Instruction Fuzzy Hash: 1881AA71900249AFDF249FA8DC99BEE7FB9FF44700F144129F911AA1A0DB31E945DB24

Function 005B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005B1114
Part of subcall function 005B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1120
Part of subcall function 005B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B112F
Part of subcall function 005B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1136
Part of subcall function 005B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005B0C00
GetLengthSid.ADVAPI32(?), ref: 005B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 005B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005B0C6D
GetLengthSid.ADVAPI32(?), ref: 005B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005B0C8C
HeapAlloc.KERNEL32(00000000), ref: 005B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005B0CB4
CopySid.ADVAPI32(00000000), ref: 005B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0D45
HeapFree.KERNEL32(00000000), ref: 005B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0D55
HeapFree.KERNEL32(00000000), ref: 005B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0D65
HeapFree.KERNEL32(00000000), ref: 005B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 005B0D78
HeapFree.KERNEL32(00000000), ref: 005B0D7F

Part of subcall function 005B1193: GetProcessHeap.KERNEL32(00000008,005B0BB1,?,00000000,?,005B0BB1,?), ref: 005B11A1
Part of subcall function 005B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005B0BB1,?), ref: 005B11A8
Part of subcall function 005B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005B0BB1,?), ref: 005B11B7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1f066d9339b6c89ddaea76b1ed9f1045d173edeabcb8853b82d68b9fdbcfeae
Instruction ID: d52d70323c73873a75b9922499150869bfe208cad167328a069195fd521393f4
Opcode Fuzzy Hash: a1f066d9339b6c89ddaea76b1ed9f1045d173edeabcb8853b82d68b9fdbcfeae
Instruction Fuzzy Hash: 1D716A7290020AAFDF14DFA4DC88BEFBFB8BF14300F044515E955AA1A1D771EA06CB60

Function 005CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005ECC08), ref: 005CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 005CEB37
GetClipboardData.USER32(0000000D), ref: 005CEB43
CloseClipboard.USER32 ref: 005CEB4F
GlobalLock.KERNEL32(00000000), ref: 005CEB87
CloseClipboard.USER32 ref: 005CEB91
GlobalUnlock.KERNEL32(00000000), ref: 005CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 005CEBC9
GetClipboardData.USER32(00000001), ref: 005CEBD1
GlobalLock.KERNEL32(00000000), ref: 005CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 005CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 005CEC38
GetClipboardData.USER32(0000000F), ref: 005CEC44
GlobalLock.KERNEL32(00000000), ref: 005CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005CECD2
GlobalUnlock.KERNEL32(00000000), ref: 005CECF3
CountClipboardFormats.USER32 ref: 005CED14
CloseClipboard.USER32 ref: 005CED59

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 60df5cd1b8804da295a5a29891e05dcfe71c4a129a7252c0d356664bd26decad
Instruction ID: 945034edace8d95ece2cd327e1128bdd34bc96e5023b3966c27f69f60962a2f8
Opcode Fuzzy Hash: 60df5cd1b8804da295a5a29891e05dcfe71c4a129a7252c0d356664bd26decad
Instruction Fuzzy Hash: 9B61BC742042429FD304EFA4C89AF6A7FA4BF94714F14451DF8969B2A2DB30DD0ADB62

Function 005C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005C69BE
FindClose.KERNEL32(00000000), ref: 005C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005C6A75

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 005C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 005C6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 005C6B32
%02d, xrefs: 005C6C00, 005C6C0A, 005C6C5A, 005C6CAA, 005C6CFA, 005C6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 005C6B6A
%4d, xrefs: 005C6BB1
%03d, xrefs: 005C6DA2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f66568555b0ef79be003a1e9e6ee925ed70766c2fce2c6ffeb69e75a9b73e2de
Instruction ID: dbaf33ee21eb6dbc2bc97e83d2cc0133d646381c4213fa23b8b0b0869248c292
Opcode Fuzzy Hash: f66568555b0ef79be003a1e9e6ee925ed70766c2fce2c6ffeb69e75a9b73e2de
Instruction Fuzzy Hash: 2FD16171908341AEC314DBA4D895EAFBBECBF88705F44491EF985C7191EB34DA48CB62

Function 005C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005C9663
GetFileAttributesW.KERNEL32(?), ref: 005C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 005C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 005C96D3
FindClose.KERNEL32(00000000), ref: 005C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 005C974A
SetCurrentDirectoryW.KERNEL32(00616B7C), ref: 005C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C9772
FindClose.KERNEL32(00000000), ref: 005C977F
FindClose.KERNEL32(00000000), ref: 005C978F

Strings

*.*, xrefs: 005C96F5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 8085c60dbd3f7a5df2b895779f06e9115e32618e36bff50091e4f95c3ad45022
Instruction ID: ccf56dccafa60117978a84bb6769d1060d8dd565f8a5320bcabbb54ec4e229d4
Opcode Fuzzy Hash: 8085c60dbd3f7a5df2b895779f06e9115e32618e36bff50091e4f95c3ad45022
Instruction Fuzzy Hash: 3631CD3654125A6ECB14AFF4EC4DEDE3BACFF4A320F144059F955E20A0EB70DE858A54

Function 005C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 005C9819
FindClose.KERNEL32(00000000), ref: 005C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 005C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 005C9890
SetCurrentDirectoryW.KERNEL32(00616B7C), ref: 005C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C98B8
FindClose.KERNEL32(00000000), ref: 005C98C5
FindClose.KERNEL32(00000000), ref: 005C98D5

Part of subcall function 005BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005BDB00

Strings

*.*, xrefs: 005C983B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c8aafbc95de96a0f387481b68499a2b30aced95cefdf5340a31710c8864f40be
Instruction ID: 361e1ece057a6f712641c3599d758ddfb70a64d218cb4e47c1e5598e4b524727
Opcode Fuzzy Hash: c8aafbc95de96a0f387481b68499a2b30aced95cefdf5340a31710c8864f40be
Instruction Fuzzy Hash: 4A31F23650025A6EDB14AFE4EC4CEDE3FACBF46320F144059E954A3090DB71DE899A60

Function 005DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DB6AE,?,?), ref: 005DC9B5
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DC9F1
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA68
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 005DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005DC382
RegCloseKey.ADVAPI32(00000000), ref: 005DC38F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 29d77075e796bc04ff797db7f1fd062ac83dcb0aed5268d570a640bc8bd38f03
Instruction ID: deef3290ea1d45131ca8cbf393b29c4e1982425c947c65bae26ea406178c5d75
Opcode Fuzzy Hash: 29d77075e796bc04ff797db7f1fd062ac83dcb0aed5268d570a640bc8bd38f03
Instruction Fuzzy Hash: 58023D716042019FD724DF28C895E2ABFE5BF89314F19889EF84A8B3A2D731ED45CB51

Function 005C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 005C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 005C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 005C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 005C8395

Strings

*.*, xrefs: 005C839B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 631f37afa04f05cec23eafbe4924479bca5b518c3b45fdfe738cc6a02b28bd34
Instruction ID: fd76a91ca0b7308a34f65d441f66d0afb7b4f69b7b1ed0ffa80480df8eca02e7
Opcode Fuzzy Hash: 631f37afa04f05cec23eafbe4924479bca5b518c3b45fdfe738cc6a02b28bd34
Instruction Fuzzy Hash: 80616C755043469FC710DF60C848EAEBBE8FF89711F04891EF99987251EB31E949CB92

Function 005BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00553AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00553A97,?,?,00552E7F,?,?,?,00000000), ref: 00553AC2

Part of subcall function 005BE199: GetFileAttributesW.KERNEL32(?,005BCF95), ref: 005BE19A

FindFirstFileW.KERNEL32(?,?), ref: 005BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005BD1DD
MoveFileW.KERNEL32(?,?), ref: 005BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 005BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 005BD237

Part of subcall function 005BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005BD21C,?,?), ref: 005BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 005BD253
FindClose.KERNEL32(00000000), ref: 005BD264

Strings

\*.*, xrefs: 005BD0CD, 005BD0D6, 005BD0EB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 616dd69c1ebe1effb6620e42ee01de07b76de17ca568a050a8fac01a505ca946
Instruction ID: 43667749c6a8cfb1f8e9ec939b2974656dee844868ad0fa16d7076b80e7bd99c
Opcode Fuzzy Hash: 616dd69c1ebe1effb6620e42ee01de07b76de17ca568a050a8fac01a505ca946
Instruction Fuzzy Hash: 89619E3580114E9ACF05EBE0C9A69EDBFB5BF94301F244166E80277192EB30AF0DCB60

Function 005CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005CED91
EmptyClipboard.USER32 ref: 005CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 005CEDAC
CloseClipboard.USER32 ref: 005CEEA3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 09f5533da5ae454dd881c8cbd308831c828ef3aaf1de462fd861f2ef6839eadc
Instruction ID: 473d15503730387f3f438cf4d59abb8334b4bafe9497314222ad575b17dfe05d
Opcode Fuzzy Hash: 09f5533da5ae454dd881c8cbd308831c828ef3aaf1de462fd861f2ef6839eadc
Instruction Fuzzy Hash: 9741BA34204651AFE724DF59D88AF1ABFA5FF44358F04809DE8568F662C735EC46CB90

Function 005BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B170D
Part of subcall function 005B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B173A
Part of subcall function 005B16C3: GetLastError.KERNEL32 ref: 005B174A

ExitWindowsEx.USER32(?,00000000), ref: 005BE932

Strings

, xrefs: 005BE920
SeShutdownPrivilege, xrefs: 005BE902
, xrefs: 005BE95C
@, xrefs: 005BE925

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e7ff824c8dcc169dcc864f829680e86cfd7fb5757bfc4abfe7c259f5a1498825
Instruction ID: 5e80c626921545a3c69102a88948b7aa257549a8142fcd86c9b54435dd01e99e
Opcode Fuzzy Hash: e7ff824c8dcc169dcc864f829680e86cfd7fb5757bfc4abfe7c259f5a1498825
Instruction Fuzzy Hash: 9301D673610311AFEB5866B49C8BBFF7A9CB714750F190822F913E61D1D5A0BC499194

Function 005D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005D1276
WSAGetLastError.WSOCK32 ref: 005D1283
bind.WSOCK32(00000000,?,00000010), ref: 005D12BA
WSAGetLastError.WSOCK32 ref: 005D12C5
closesocket.WSOCK32(00000000), ref: 005D12F4
listen.WSOCK32(00000000,00000005), ref: 005D1303
WSAGetLastError.WSOCK32 ref: 005D130D
closesocket.WSOCK32(00000000), ref: 005D133C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 512f8cb3aa1215111f240356e090a55d2532c34814c4b1bbf2a424ecd8e57c3b
Instruction ID: a635928cb825b77c1fdcc1af2e53122f6f99c711e16ed041230d958ed626fcfa
Opcode Fuzzy Hash: 512f8cb3aa1215111f240356e090a55d2532c34814c4b1bbf2a424ecd8e57c3b
Instruction Fuzzy Hash: 3A419335600641AFD724DF68C588B29BFE5BF86314F18808AD8568F392C771EC86CBA1

Function 0058B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0058B9D4
_free.LIBCMT ref: 0058B9F8
_free.LIBCMT ref: 0058BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005F3700), ref: 0058BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0062121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0058BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00621270,000000FF,?,0000003F,00000000,?), ref: 0058BC36
_free.LIBCMT ref: 0058BD4B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: ac8d4411e01e871d046017c747a77a8caca9c104b64a0ccef71cf768bcd8adb2
Instruction ID: ced16090a9941cd1e20586d57db7beb64ca57aa40df7d9c4a8959a01b1e0040c
Opcode Fuzzy Hash: ac8d4411e01e871d046017c747a77a8caca9c104b64a0ccef71cf768bcd8adb2
Instruction Fuzzy Hash: 1FC12671904206AFEB24BF688845AAE7FBDFF92310F18455AEC94FB251DB309E41C750

Function 005BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00553AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00553A97,?,?,00552E7F,?,?,?,00000000), ref: 00553AC2

Part of subcall function 005BE199: GetFileAttributesW.KERNEL32(?,005BCF95), ref: 005BE19A

FindFirstFileW.KERNEL32(?,?), ref: 005BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 005BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 005BD481
FindClose.KERNEL32(00000000), ref: 005BD498
FindClose.KERNEL32(00000000), ref: 005BD4A1

Strings

\*.*, xrefs: 005BD3F2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bb822beb4012d3c4a460f672a26ae6804a0f9582ab8dca848de2148145737a51
Instruction ID: b5b623edf7a531c1981dc542ecfa3ea57805b4f586a942096af14f747f4bc69b
Opcode Fuzzy Hash: bb822beb4012d3c4a460f672a26ae6804a0f9582ab8dca848de2148145737a51
Instruction Fuzzy Hash: BE3150310083869BC704EF64C8A58EF7BA8BED1311F444E2EF8D553191EB64EA0DD762

Function 0058E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0058E645

Strings

1#QNAN, xrefs: 0058F84B
1#SNAN, xrefs: 0058F844
1#INF, xrefs: 0058F852
1#IND, xrefs: 0058F83D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 484d07930b845e3dfb710fde5bc7212d4baa00eca113764efc72f2377daaf479
Instruction ID: 5cf4a75e5c7c31515cdf378cb26d79dd260e0732e8d528eef5686cda40115a55
Opcode Fuzzy Hash: 484d07930b845e3dfb710fde5bc7212d4baa00eca113764efc72f2377daaf479
Instruction Fuzzy Hash: C7C24A71E046298FDB25EE289D457EABBB5FB48304F1445EAD80EF7241E774AE818F40

Function 005C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005C64DC
CoInitialize.OLE32(00000000), ref: 005C6639
CoCreateInstance.OLE32(005EFCF8,00000000,00000001,005EFB68,?), ref: 005C6650
CoUninitialize.OLE32 ref: 005C68D4

Strings

.lnk, xrefs: 005C64BA, 005C6524, 005C65E0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: e5750be55892913dbbe1312df4e1dee1e2f0b5fe5d569c2e9f0f4d56ee0d0147
Instruction ID: 871359c8ed399b5ecca31bfbd758bc58164fc96c9fbde147f01596e960040694
Opcode Fuzzy Hash: e5750be55892913dbbe1312df4e1dee1e2f0b5fe5d569c2e9f0f4d56ee0d0147
Instruction Fuzzy Hash: 50D159715082029FC304DF64C895E6BBBE9FFD8305F50496DF5958B2A1DB70EA09CB92

Function 005D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005D22E8

Part of subcall function 005CE4EC: GetWindowRect.USER32(?,?), ref: 005CE504

GetDesktopWindow.USER32 ref: 005D2312
GetWindowRect.USER32(00000000), ref: 005D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005D2355
GetCursorPos.USER32(?), ref: 005D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005D23DF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: dfa568e7e620d9773cce6010238354b44ab1f4a45ed1b6a1b16d37fa4d9cb788
Instruction ID: 052927bc026865176e7a6c37c695eb94b5ac6c07c229511dbd1cabb35353ece0
Opcode Fuzzy Hash: dfa568e7e620d9773cce6010238354b44ab1f4a45ed1b6a1b16d37fa4d9cb788
Instruction Fuzzy Hash: D531DE72504355AFCB24DF58C849F9BBBA9FF94310F00091AF9959B281DB34EA09CB92

Function 005C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005C9C8B

Part of subcall function 005C3874: GetInputState.USER32 ref: 005C38CB
Part of subcall function 005C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005C9C75

Strings

*.*, xrefs: 005C9B5D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2a9529ac535450fd5ca26f1c2ccc7474a40950b1e7b190bf89d428970daafaf4
Instruction ID: 20b7e2ca82a998230fc585d078a587f1f07861aa906f0774ab4fb1a4e618e31b
Opcode Fuzzy Hash: 2a9529ac535450fd5ca26f1c2ccc7474a40950b1e7b190bf89d428970daafaf4
Instruction Fuzzy Hash: 3A417F7190424AAFCF14DFA4C899FEE7FB4FF55301F24445AE805A2191EB319E49CB60

Function 0056997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00569A4E
GetSysColor.USER32(0000000F), ref: 00569B23
SetBkColor.GDI32(?,00000000), ref: 00569B36

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3ab9cab335c575a3cea588f902b1e67f661cd5703078f75a191902bff283de4a
Instruction ID: 4534818be3c875714f88621fe1084908832bec1f9895bb50c4890ef285200a58
Opcode Fuzzy Hash: 3ab9cab335c575a3cea588f902b1e67f661cd5703078f75a191902bff283de4a
Instruction Fuzzy Hash: 79A11870108448AEE7289A7D8C9CE7F2EDEFBCB340B14061AF542CB691CA359D01D772

Function 005D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005D307A
Part of subcall function 005D304E: _wcslen.LIBCMT ref: 005D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005D185D
WSAGetLastError.WSOCK32 ref: 005D1884
bind.WSOCK32(00000000,?,00000010), ref: 005D18DB
WSAGetLastError.WSOCK32 ref: 005D18E6
closesocket.WSOCK32(00000000), ref: 005D1915

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b33bc63a51033b77610e95cfde0ae0e7e9e51be7d67555a409b1485947768e64
Instruction ID: 2ed9f1f872882fadd982cf4658a600f095cd59761dc8036e3902c3834c4dcef7
Opcode Fuzzy Hash: b33bc63a51033b77610e95cfde0ae0e7e9e51be7d67555a409b1485947768e64
Instruction Fuzzy Hash: B451A371A00200AFDB20EF24C89AF2A7BA5BB84718F04845AF9465F3D3D671AD458BA1

Function 005E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005E1CC0
IsWindowEnabled.USER32 ref: 005E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005E1CDB
IsIconic.USER32 ref: 005E1CE9
IsZoomed.USER32 ref: 005E1CF7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9165a890469a0cfd91be434d2456b4b4661e01ad6e5b0a19db0243e05db6ccab
Instruction ID: 5bcecd41d3c3c06762b80739612c5dffc4d7a4c12103bd9c9d41c784558b7425
Opcode Fuzzy Hash: 9165a890469a0cfd91be434d2456b4b4661e01ad6e5b0a19db0243e05db6ccab
Instruction Fuzzy Hash: C621A2317406915FD7288F2BC884B2A7FA5FF95315B288468E8CACB351CB71EC46CB94

Function 00558060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0055843C
VUUU, xrefs: 005583E8
ERCP, xrefs: 0055813C
VUUU, xrefs: 005583FA
VUUU, xrefs: 00595DF0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 295714f96f0840fef4b49e64f402a248b1bd697eebcd8f0b2a9e9afbb3e5465e
Instruction ID: baf74edd64f58e172979f52efa6bd75be327ff4de331d86b6c991968c0a0abbf
Opcode Fuzzy Hash: 295714f96f0840fef4b49e64f402a248b1bd697eebcd8f0b2a9e9afbb3e5465e
Instruction Fuzzy Hash: E7A29074E0061ACBDF25CF58C8907BEBBB1BF54311F2485AADC15A7285EB309D99CB50

Function 005B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005B82AA

Strings

|, xrefs: 005B82DA
(, xrefs: 005B82F0
tba, xrefs: 005B84F4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tba$|
API String ID: 1659193697-2167466884
Opcode ID: 021b7aa236d0309fac305de1a137d48d1220113dc811361c4c0cb9e937908103
Instruction ID: a84a0db7661f541e29fd053396ac251adac78a38a270eda319b335a3ac2ccadc
Opcode Fuzzy Hash: 021b7aa236d0309fac305de1a137d48d1220113dc811361c4c0cb9e937908103
Instruction Fuzzy Hash: 4D322874A00605DFCB28CF59C4819AABBF4FF48710B15C96EE49ADB3A1EB70E941CB40

Function 005BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005BAAAC
SetKeyboardState.USER32(00000080), ref: 005BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005BAB88

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: da97b45b16151d932512c11d1c1a88466257ee3fa4e4a7442797e471c81b58e0
Instruction ID: 19e1e8104d343eb80995ceb1c28646a42dcd453da1d20ed162a92122d3429b39
Opcode Fuzzy Hash: da97b45b16151d932512c11d1c1a88466257ee3fa4e4a7442797e471c81b58e0
Instruction Fuzzy Hash: A2311430A40248AEFF358B688C09BFA7FAABB84310F14421AF5A1961D0D775ED85D762

Function 005CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 005CCE89
GetLastError.KERNEL32(?,00000000), ref: 005CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 005CCEFE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 1e63147200e23d897a49e74b46b77360fde7faa82db3f84e84dfc94e076c465c
Instruction ID: 2a3e40c51e923facb2f1075f522fec5d443e9d82c532bf96b6a9478590ba4da7
Opcode Fuzzy Hash: 1e63147200e23d897a49e74b46b77360fde7faa82db3f84e84dfc94e076c465c
Instruction Fuzzy Hash: 9321DCB19003059FD7208FA5D988FAA7FFCFB51304F10881EE68A92151E770EA09DB60

Function 005C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 005C5D17
FindClose.KERNEL32(?), ref: 005C5D5F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 605a15be6188c7636d069d271e3f4e178efc943dc1fb32d7da353fc5317d096a
Instruction ID: e73cf960d08bd787f117215cdc9208ccf0dc9dbd22934a761c8836274e1c76e8
Opcode Fuzzy Hash: 605a15be6188c7636d069d271e3f4e178efc943dc1fb32d7da353fc5317d096a
Instruction Fuzzy Hash: CB5146746047029FC714CFA8C498E96BBE4BF49314F14855EE99A8B3A2EB30F945CB91

Function 00582622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0058271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00582724
UnhandledExceptionFilter.KERNEL32(?), ref: 00582731

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c5885d8caaa52ddaab8f5a1c6781665e6532991c704939592644cddaff79220d
Instruction ID: 45f404e092b05271621d1d553d083b3770fe5cfe5013e20f46afe2fc46bfacde
Opcode Fuzzy Hash: c5885d8caaa52ddaab8f5a1c6781665e6532991c704939592644cddaff79220d
Instruction Fuzzy Hash: 9831C6749013199BCB21DF64DC8879CBBB8FF48310F5081DAE80CA6260E7309F859F44

Function 005C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005C5238
SetErrorMode.KERNEL32(00000000), ref: 005C52A1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ff8198ded58de8d39791b211178d537bf8e7a3bc3e997bd19f4d5be67febf95b
Instruction ID: 43f4c4f37ec58d6bd7e15142d31bc720f36f856bac125ffa8dae2ca3104cb249
Opcode Fuzzy Hash: ff8198ded58de8d39791b211178d537bf8e7a3bc3e997bd19f4d5be67febf95b
Instruction Fuzzy Hash: C4313C75A00619DFDB00DF94D898EADBFB5FF48314F048099E8459B352DB31E85ACB90

Function 005B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0056FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00570668
Part of subcall function 0056FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00570685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B173A
GetLastError.KERNEL32 ref: 005B174A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a4f24e745ed773923745fb8094f9605342118d3c39cfe2df9bf1700cdf7f3495
Instruction ID: f433f45fc6ede9fa338f98aeb81950482ea7544e993051091aa1c84cf4032b1f
Opcode Fuzzy Hash: a4f24e745ed773923745fb8094f9605342118d3c39cfe2df9bf1700cdf7f3495
Instruction Fuzzy Hash: 9F11C1B2800705AFD7189F54ECCADAABBBDFB44714B20852EE05657241EB70FC428B64

Function 005BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005BD650

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 04fbb0869e69c78d783760b05a37c1ff59c3ca80a7e6fc10b541c5bbe58e77a4
Instruction ID: 850ba9b3903fb7b32f42d5b8b0118204b9a66a1fbcf14e155d4a8e13ec8700c6
Opcode Fuzzy Hash: 04fbb0869e69c78d783760b05a37c1ff59c3ca80a7e6fc10b541c5bbe58e77a4
Instruction Fuzzy Hash: DF117C75E01228BBDB148F949C84FEFBFBCEB45B50F108111F904E7290D2705A058BA1

Function 005B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005B16A1
FreeSid.ADVAPI32(?), ref: 005B16B1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a86295aa47f0632856d3c790815d2688127e7c4e91e29b2592b0c32f27c88645
Instruction ID: 9be9d9078266d640baf2495ba28156973b6d785db74fdda087c65d7841ecc4ae
Opcode Fuzzy Hash: a86295aa47f0632856d3c790815d2688127e7c4e91e29b2592b0c32f27c88645
Instruction Fuzzy Hash: 98F04471940308FBDB00CFE09C89AAEBBBCFB08200F404460E500E6180E330EA089A50

Function 0058C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0058C36C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5fe9a55f7212906d2dacbb0ec9bf7daab4eabf448304845bb5a4487ff36c21f2
Instruction ID: 69dac9680c569904ecf82c990d3b1811bb92b001619949734a8cc72b4bb1aebb
Opcode Fuzzy Hash: 5fe9a55f7212906d2dacbb0ec9bf7daab4eabf448304845bb5a4487ff36c21f2
Instruction Fuzzy Hash: 0A412976500219AFCB24AFB9DC49DBB7F78FB84314F504669FD05EB180E6709D818B60

Function 005AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005AD28C

Strings

X64, xrefs: 005AD2A8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9722e9ced89d334abad76dad7a2720cd0c9b3b51da27edb137ba2c6397ffdcf7
Instruction ID: c5ab2132ffcb383ccc5bfc286b72349047ea01e49883863bee287305402c4707
Opcode Fuzzy Hash: 9722e9ced89d334abad76dad7a2720cd0c9b3b51da27edb137ba2c6397ffdcf7
Instruction Fuzzy Hash: EBD0C9B580111DEACB94DB90ECCCDDDBB7CBB14315F100951F506A2000D73495499F20

Function 0057CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c208f45a67898b295eea1ba035f22ff7a5d16e7d6f25668ee994308ef343dcc9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CD021B71E002199BDF25CFA9D8806ADBFF5FF88314F25816DD919EB280D730AE419B84

Function 0055CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#b, xrefs: 0055CF7F
Variable is not of type 'Object'., xrefs: 005A0C40

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#b
API String ID: 0-4067407705
Opcode ID: 00e31d182c21f74aa1cb0bd14d9d5368cddb15651be75abc2805d4a580ed6037
Instruction ID: 9f0ef66568521967966e0f18249ee7a2588fbb7ace0d76824e51d97f9589d87d
Opcode Fuzzy Hash: 00e31d182c21f74aa1cb0bd14d9d5368cddb15651be75abc2805d4a580ed6037
Instruction Fuzzy Hash: B3328A70910319DFCF14DF90C8A5AEDBFB9BF46305F10445AE806AB282D775AE4ACB60

Function 005C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005C6918
FindClose.KERNEL32(00000000), ref: 005C6961

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5056b6200f954288eb2de71f9c6ffbd278a4a50c1f32372cdf6de72d78e86c2d
Instruction ID: d45baed785b9978cb63b742e857b6b0994244d169010521053883ad60ed5e5c2
Opcode Fuzzy Hash: 5056b6200f954288eb2de71f9c6ffbd278a4a50c1f32372cdf6de72d78e86c2d
Instruction Fuzzy Hash: 7811AF356042019FC710CF69D889A16BBE0FF88329F04C69DE8A98F6A2C730EC05CB90

Function 005C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005D4891,?,?,00000035,?), ref: 005C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005D4891,?,?,00000035,?), ref: 005C37F4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: fda370d0368735aaff6da83c05c2be51905af267b91cdb416bfca30980cfa9a6
Instruction ID: addd07175e32b46d6b4a5afb21520058306d64255ded21e8baeb19088a711b34
Opcode Fuzzy Hash: fda370d0368735aaff6da83c05c2be51905af267b91cdb416bfca30980cfa9a6
Instruction Fuzzy Hash: 71F0E5B16043296EEB2057AA8C8DFEB3FAEFFC5761F000175F509D2281D9609E08C6B0

Function 005BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 005BB270

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ed43ea6e67e16c7f3494811f21d30b180585b14a5ea7d64a795c0f2c9782e412
Instruction ID: e09f71bc29e85a362e10d158b1e64c0acf22e4f165dfe950aedff2ec35b23ea4
Opcode Fuzzy Hash: ed43ea6e67e16c7f3494811f21d30b180585b14a5ea7d64a795c0f2c9782e412
Instruction Fuzzy Hash: 58F01D7580428DABEB059FA1C805BEEBFB4FF04305F00840AF965A9191C3B9D6159F94

Function 005B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B11FC), ref: 005B10D4
CloseHandle.KERNEL32(?,?,005B11FC), ref: 005B10E9

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e6a0639964369683e43c13cd58e8f8ff92326ca26a0c370094bcd15938ce7b29
Instruction ID: 5f5d261b25b49a864e4fc367f9374090151bac843f3f98021ccc42d8d44b0ad4
Opcode Fuzzy Hash: e6a0639964369683e43c13cd58e8f8ff92326ca26a0c370094bcd15938ce7b29
Instruction Fuzzy Hash: 5FE04F32404601AFE7256B11FC09E777FADFB04310B10882EF4A5854B1DB62AC90EB14

Function 0058676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00586766,?,?,00000008,?,?,0058FEFE,00000000), ref: 00586998

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b92f2767671f72d974bed1ade3338c8b800479fed8174f2aef56c6b6c7f36303
Instruction ID: 0d05bb0243e76b8361254d09bc5b1b091c6397b75dc18fec0516134d7967fdd7
Opcode Fuzzy Hash: b92f2767671f72d974bed1ade3338c8b800479fed8174f2aef56c6b6c7f36303
Instruction Fuzzy Hash: CDB13831610609DFD719DF28C48AB657FE0FF45364F258658E8AAEF2A2C335E991CB40

Function 0056B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 005A851F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c2546e6e5ca4946af815620263b0903153b838559f7dce3b201afdfa3e873b75
Instruction ID: f1a0350040e6a114a6f8f72732b65f1509f3d8df6fdb379815eafecf3e207c3d
Opcode Fuzzy Hash: c2546e6e5ca4946af815620263b0903153b838559f7dce3b201afdfa3e873b75
Instruction Fuzzy Hash: 59123075E002299BDF24CF58C8806BEBBF5FF49710F14859AE849EB255DB349A81CB90

Function 005CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005CEABD

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 19c48da4b2951f11ed933e7b161ff16976a784bfcbfb771f66c3c26247f72e7e
Instruction ID: a1165d1ee6e672b3eec23f70e799010d6c6b9bd4bc57ff73160315422a95e183
Opcode Fuzzy Hash: 19c48da4b2951f11ed933e7b161ff16976a784bfcbfb771f66c3c26247f72e7e
Instruction Fuzzy Hash: 45E04F312002059FD710EFA9D859E9AFFE9BF98760F00841AFC49CB351DBB0E8458B90

Function 005709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005703EE), ref: 005709DA

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1e83dd896c405782f740fb7e0ec5a5979346b5085a1dca764d52f9d1d6d5189d
Instruction ID: 68e9e7fd9ee817f9b81bcff64fd2421ca1ee02545ac1e7be9570c80a12019d08
Opcode Fuzzy Hash: 1e83dd896c405782f740fb7e0ec5a5979346b5085a1dca764d52f9d1d6d5189d
Instruction Fuzzy Hash:

Function 0057781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0057798B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3bd6869b2e4037d5b769f39dc48ab8a02ea59cbaa19607515616a4e9a78dbcc7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8151446160C70E9ADB384968F85D7BE2F95BB4E300F18C959D98ED7282C611DE01F397

Function 005C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&b, xrefs: 005C2053

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: 0&b
API String ID: 0-3142107090
Opcode ID: b3effa88f988d85eb8e66dc5b8ef4337f6ef9c9b66ee06fdf05e475fa605e2b4
Instruction ID: 37d92ace8f980292dde07f5dc3954e4780852e708f6564b5b0620e9607856d52
Opcode Fuzzy Hash: b3effa88f988d85eb8e66dc5b8ef4337f6ef9c9b66ee06fdf05e475fa605e2b4
Instruction Fuzzy Hash: 9F21E7326206118BDB28CF79C827A7E77E5B754310F14862EE4A7D37D0DE35A904CB80

Function 00586DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6209678da0f8fab4f8cfe3d811e8a3486106f596ce3c3343236e3128cc877
Instruction ID: 092cf29bb29dd27b4898597530aebeb801ba159b111186b836fac7a8a08cd045
Opcode Fuzzy Hash: c6c6209678da0f8fab4f8cfe3d811e8a3486106f596ce3c3343236e3128cc877
Instruction Fuzzy Hash: A5322761D29F054ED723A634C822335AA4DAFB73C5F25C737EC16F59A5EB29C4839200

Function 0056CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f44e0fcdc3038ce9dad30c7668ae32c23abfb9828042d25a9fff329da9a369
Instruction ID: b645ca58bc50fbe9ff3b51ea2c447416c53d2453d696719a3c7b2347d592aeb2
Opcode Fuzzy Hash: 55f44e0fcdc3038ce9dad30c7668ae32c23abfb9828042d25a9fff329da9a369
Instruction Fuzzy Hash: F9320432A041598BDF28CF2DC4946BD7FA1FB47310F28856AD8AADB791D630DD81DB50

Function 00557920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21ef05078e60610abb327efdd8627d78a45cff824d198be18dc7558b5ef90c9
Instruction ID: 453470da470def165c3d8745ae80ab471e6a7383d99b68f44dbfc37aefa0e71d
Opcode Fuzzy Hash: e21ef05078e60610abb327efdd8627d78a45cff824d198be18dc7558b5ef90c9
Instruction Fuzzy Hash: 0022C2B0A0060ADFDF14CF64D855AAEBBF6FF48311F14452AE816A7291FB36AD14CB50

Function 005591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c8b4b86a1149147aae46c37e580dcbd7553d35e8e4cf7b47685b26d7930641
Instruction ID: d06982eca56ac5ea6ca7b88fda44a295238060ea2cedb328328eef363c8eac71
Opcode Fuzzy Hash: d8c8b4b86a1149147aae46c37e580dcbd7553d35e8e4cf7b47685b26d7930641
Instruction Fuzzy Hash: 7D02C6B0E00206EBDF04DF54D886AADBFB5FF44300F118569E8169B291EB35EE64CB95

Function 00589EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa81f2c22e20cc9cb8edadc9f802d8fffeacd78ba5a3a576cb97ff28361bad6
Instruction ID: 57729954387dd0a5a146898bd6a66e8266f3ae760f0650c9cb6e9562ff17b836
Opcode Fuzzy Hash: faa81f2c22e20cc9cb8edadc9f802d8fffeacd78ba5a3a576cb97ff28361bad6
Instruction Fuzzy Hash: 67B12520D2AF414DE723A6398835336BA4CBFBB2C5F51DB1BFC16B4D62EB2585879140

Function 00571C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 67692d90902c93143854f4968be9142a0b28c4622f5a070f30c44be2340a70a9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 719199721084A34ADB29463EA53543DFFE57A523A131A479DD8FACB1C1FE10C954FB24

Function 005719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9dff68768ce71660ab479f969e1134d323d85648a7c56087f949999bc810289f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: ED91B6722098E30EDB2D467EA57403DFFE16A923A131A879DD4FACA1C1FE14C654F624

Function 00577A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20373052e8b777f1cbfe0e7876b4fbe07ca7d1f69c6fc11fe32b91d26513f13
Instruction ID: 38269fcb755e90890553ba9c100666c5fef30c16c4cca36ea2d4d4febcdb14b0
Opcode Fuzzy Hash: a20373052e8b777f1cbfe0e7876b4fbe07ca7d1f69c6fc11fe32b91d26513f13
Instruction Fuzzy Hash: B0616931348B0E96EA345928B899BBE2F98FF8D300F14CD19E94ECB281E5119E42F755

Function 00577CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b30de9fa8f7f40d6686fec6c3ead5965bea31f6f7d65176ac87dd728e2a33f8
Instruction ID: a70e4e6a0ebc095f07e7379d5252e072802bb2a9eccf3e71c278150e5fd17d52
Opcode Fuzzy Hash: 6b30de9fa8f7f40d6686fec6c3ead5965bea31f6f7d65176ac87dd728e2a33f8
Instruction Fuzzy Hash: 8561797124870E66DA384A787859BBF2F98FF8E704F10CC59E94ECB281E6129D41F255

Function 00571706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 49ff978c4984ffd9c0edb35b95ef20e92ac3f14f009a5f0d9abc44a75c4e7b9a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 6C8195326084A30DDB2D463E953443EFFE1BA923A131A879DD4FACB1C1EE24C559F624

Function 005D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005D2B30
DeleteObject.GDI32(00000000), ref: 005D2B43
DestroyWindow.USER32 ref: 005D2B52
GetDesktopWindow.USER32 ref: 005D2B6D
GetWindowRect.USER32(00000000), ref: 005D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2CF8
GetClientRect.USER32(00000000,?), ref: 005D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2D80
GlobalLock.KERNEL32(00000000), ref: 005D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2D98
GlobalUnlock.KERNEL32(00000000), ref: 005D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2DA8
GlobalFree.KERNEL32(00000000), ref: 005D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005EFC38,00000000), ref: 005D2DDB
GlobalFree.KERNEL32(00000000), ref: 005D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D303F

Strings

DISPLAY, xrefs: 005D2EA2
static, xrefs: 005D2D3A, 005D2E91
, xrefs: 005D2FC5
AutoIt v3, xrefs: 005D2CF2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 2e13f23cbde42971481477a68b63622d24617bef6177cd5e074c91582c516ab9
Instruction ID: 6da76639ccbec2c252bd03ee7e657cd5f650155286e3aba28307d00de044334c
Opcode Fuzzy Hash: 2e13f23cbde42971481477a68b63622d24617bef6177cd5e074c91582c516ab9
Instruction Fuzzy Hash: C6027E71500205AFDB28DF68CC89EAE7FB9FB59311F00855AF915AB2A1D770ED06CB60

Function 005E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005E712F
GetSysColorBrush.USER32(0000000F), ref: 005E7160
GetSysColor.USER32(0000000F), ref: 005E716C
SetBkColor.GDI32(?,000000FF), ref: 005E7186
SelectObject.GDI32(?,?), ref: 005E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005E71C0
GetSysColor.USER32(00000010), ref: 005E71C8
CreateSolidBrush.GDI32(00000000), ref: 005E71CF
FrameRect.USER32(?,?,00000000), ref: 005E71DE
DeleteObject.GDI32(00000000), ref: 005E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005E7230
FillRect.USER32(?,?,?), ref: 005E7262
GetWindowLongW.USER32(?,000000F0), ref: 005E7284

Part of subcall function 005E73E8: GetSysColor.USER32(00000012), ref: 005E7421
Part of subcall function 005E73E8: SetTextColor.GDI32(?,?), ref: 005E7425
Part of subcall function 005E73E8: GetSysColorBrush.USER32(0000000F), ref: 005E743B
Part of subcall function 005E73E8: GetSysColor.USER32(0000000F), ref: 005E7446
Part of subcall function 005E73E8: GetSysColor.USER32(00000011), ref: 005E7463
Part of subcall function 005E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005E7471
Part of subcall function 005E73E8: SelectObject.GDI32(?,00000000), ref: 005E7482
Part of subcall function 005E73E8: SetBkColor.GDI32(?,00000000), ref: 005E748B
Part of subcall function 005E73E8: SelectObject.GDI32(?,?), ref: 005E7498
Part of subcall function 005E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005E74B7
Part of subcall function 005E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005E74CE
Part of subcall function 005E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005E74DB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9a9cf6d617d8a4c0a39621d68f41bd64753c223a5e6d6bf7d59c618fba1a263a
Instruction ID: 28426bdbf6517ed055ddfde28fb07e367ae726285e4fa95abadbf4adafde1b76
Opcode Fuzzy Hash: 9a9cf6d617d8a4c0a39621d68f41bd64753c223a5e6d6bf7d59c618fba1a263a
Instruction Fuzzy Hash: 3EA1B372008385AFD7089F64DC88E5B7FA9FB5C320F101A19FAE29A1E0D730E949DB51

Function 00568D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00568E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 005A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005A6F43

Part of subcall function 00568F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00568BE8,?,00000000,?,?,?,?,00568BBA,00000000,?), ref: 00568FC5

SendMessageW.USER32(?,00001053), ref: 005A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 005A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 005A6FB7

Strings

0, xrefs: 005A6DCF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a2df931ff704ebded21e0c43bd731a06cc1411605fdbf8c9029a90d68fcad9f9
Instruction ID: 4a5e9fe2c3ae0eeeeb368bb7dc096366784ea9d72221d76ebadd58d6e10c1e6b
Opcode Fuzzy Hash: a2df931ff704ebded21e0c43bd731a06cc1411605fdbf8c9029a90d68fcad9f9
Instruction Fuzzy Hash: A112BE30604641DFD725CF14C898BBABFE9FB5A310F184569E5898F261CB32EC92DB91

Function 005D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005D2900
GetClientRect.USER32(00000000,?), ref: 005D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005D2964
GetStockObject.GDI32(00000011), ref: 005D2974
SelectObject.GDI32(00000000,00000000), ref: 005D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005D2991
DeleteDC.GDI32(00000000), ref: 005D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 005D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005D2A77
GetStockObject.GDI32(00000011), ref: 005D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005D2A97

Strings

msctls_progress32, xrefs: 005D2A13
DISPLAY, xrefs: 005D295A
static, xrefs: 005D294F, 005D2A71
AutoIt v3, xrefs: 005D28F8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 418808a73b58efb331754b7b1564664f601aceb4c6c86567a1686126336285ad
Instruction ID: 694e2c24992c7e5893b732d4f16a7dea033a57c99a891d865e3c4911e94edb8d
Opcode Fuzzy Hash: 418808a73b58efb331754b7b1564664f601aceb4c6c86567a1686126336285ad
Instruction Fuzzy Hash: B4B17D71A00219AFEB24DF68CC89FAE7BA9FB59711F004116F915EB290D770ED41CBA0

Function 005C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005C4AED
GetDriveTypeW.KERNEL32(?,005ECB68,?,\\.\,005ECC08), ref: 005C4BCA
SetErrorMode.KERNEL32(00000000,005ECB68,?,\\.\,005ECC08), ref: 005C4D36

Strings

\\.\, xrefs: 005C4B3F
Network, xrefs: 005C4C02
ATAPI, xrefs: 005C4C91
FileBackedVirtual, xrefs: 005C4CEC
Unknown, xrefs: 005C4BED, 005C4C83
SCSI, xrefs: 005C4C8A
ATA, xrefs: 005C4C98
MMC, xrefs: 005C4CDE
SAS, xrefs: 005C4CC9
iSCSI, xrefs: 005C4CC2
RAMDisk, xrefs: 005C4BF4
RAID, xrefs: 005C4CBB
CDROM, xrefs: 005C4BFB
1394, xrefs: 005C4C9F
Virtual, xrefs: 005C4CE5
SATA, xrefs: 005C4CD0
SSA, xrefs: 005C4CA6
USB, xrefs: 005C4CB4
PhysicalDrive, xrefs: 005C4B76
Fibre, xrefs: 005C4CAD
Removable, xrefs: 005C4C10, 005C4C15
Fixed, xrefs: 005C4C09
SSD, xrefs: 005C4C4A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 56d7d4587d8b27f1eb810695222c9ec58b4787638d85c06c3a4438f76186a87f
Instruction ID: 3cb7abafee987ab682eebc5ae572e523c966985d5dc76da62b4a0eb010c9e3bf
Opcode Fuzzy Hash: 56d7d4587d8b27f1eb810695222c9ec58b4787638d85c06c3a4438f76186a87f
Instruction Fuzzy Hash: BD61C438A011069FCB14DFA4C9A6EA97FB1FF44304B25481EF806AB261DB35ED85DF41

Function 005E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005E7421
SetTextColor.GDI32(?,?), ref: 005E7425
GetSysColorBrush.USER32(0000000F), ref: 005E743B
GetSysColor.USER32(0000000F), ref: 005E7446
CreateSolidBrush.GDI32(?), ref: 005E744B
GetSysColor.USER32(00000011), ref: 005E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005E7471
SelectObject.GDI32(?,00000000), ref: 005E7482
SetBkColor.GDI32(?,00000000), ref: 005E748B
SelectObject.GDI32(?,?), ref: 005E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005E7572
DrawFocusRect.USER32(?,?), ref: 005E757D
GetSysColor.USER32(00000011), ref: 005E758E
SetTextColor.GDI32(?,00000000), ref: 005E7596
DrawTextW.USER32(?,005E70F5,000000FF,?,00000000), ref: 005E75A8
SelectObject.GDI32(?,?), ref: 005E75BF
DeleteObject.GDI32(?), ref: 005E75CA
SelectObject.GDI32(?,?), ref: 005E75D0
DeleteObject.GDI32(?), ref: 005E75D5
SetTextColor.GDI32(?,?), ref: 005E75DB
SetBkColor.GDI32(?,?), ref: 005E75E5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b63f040f183f6822b09c5c7905bf7f02dc028a0a875c08ae1889d20dbf74d703
Instruction ID: 78cac53e756f4190afcc276acb829caaec37c4e0dae28079c2ac5f88ca7584d4
Opcode Fuzzy Hash: b63f040f183f6822b09c5c7905bf7f02dc028a0a875c08ae1889d20dbf74d703
Instruction Fuzzy Hash: 9E617D72900258AFDF099FA4DC89EAE7FB9FB08320F114516F951AB2A1D770D941EF90

Function 005E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005E1128
GetDesktopWindow.USER32 ref: 005E113D
GetWindowRect.USER32(00000000), ref: 005E1144
GetWindowLongW.USER32(?,000000F0), ref: 005E1199
DestroyWindow.USER32(?), ref: 005E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005E1245
IsWindowVisible.USER32(00000000), ref: 005E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005E12D0
GetWindowRect.USER32(00000000,?), ref: 005E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005E130E
GetMonitorInfoW.USER32(00000000,?), ref: 005E1328
CopyRect.USER32(?,?), ref: 005E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005E13AA

Strings

tooltips_class32, xrefs: 005E11E6
0, xrefs: 005E10D3
(, xrefs: 005E131B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 48746c6ab262b81a25fa018a930ee0b2733aba64f718faabcc854b8127211b62
Instruction ID: 28db448b0e9bf777934a7c1a67fef2283d4ed689a152481e86efbf126d59971c
Opcode Fuzzy Hash: 48746c6ab262b81a25fa018a930ee0b2733aba64f718faabcc854b8127211b62
Instruction Fuzzy Hash: A6B18B71608781AFD708DF65C888B6ABFE4FF88310F008919F9D99B261D731E849CB95

Function 005E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E02E5
_wcslen.LIBCMT ref: 005E031F
_wcslen.LIBCMT ref: 005E0389
_wcslen.LIBCMT ref: 005E03F1
_wcslen.LIBCMT ref: 005E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005E0504

Part of subcall function 0056F9F2: _wcslen.LIBCMT ref: 0056F9FD

Part of subcall function 005B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005B2258
Part of subcall function 005B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005B228A

Strings

GETSELECTEDCOUNT, xrefs: 005E0470, 005E048B
GETSUBITEMCOUNT, xrefs: 005E0384, 005E039F
SELECTINVERT, xrefs: 005E057E
FINDITEM, xrefs: 005E0627
VIEWCHANGE, xrefs: 005E0675
SELECT, xrefs: 005E0548
DESELECT, xrefs: 005E059C
GETITEMCOUNT, xrefs: 005E0316, 005E0337
SELECTALL, xrefs: 005E0515
GETSELECTED, xrefs: 005E05E1
ISSELECTED, xrefs: 005E04DD
GETTEXT, xrefs: 005E03EC, 005E0407
SELECTCLEAR, xrefs: 005E052D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 72e98ed5d683c4f28c5665a4f3a3762f9265711d4191da492bf0bb84e4a370aa
Instruction ID: d7ec308228172c766795115f8c8636271727cf0dfe98bfad9e447227187bb63c
Opcode Fuzzy Hash: 72e98ed5d683c4f28c5665a4f3a3762f9265711d4191da492bf0bb84e4a370aa
Instruction Fuzzy Hash: B3E1AD312082828FCB18DF25C59496ABBE6BFC8314F14595DF8D69B2E1DB70ED85CB81

Function 00568891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00568968
GetSystemMetrics.USER32(00000007), ref: 00568970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0056899B
GetSystemMetrics.USER32(00000008), ref: 005689A3
GetSystemMetrics.USER32(00000004), ref: 005689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00568A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00568A3C
GetClientRect.USER32(00000000,000000FF), ref: 00568A5A
GetStockObject.GDI32(00000011), ref: 00568A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00568A81

Part of subcall function 0056912D: GetCursorPos.USER32(?), ref: 00569141
Part of subcall function 0056912D: ScreenToClient.USER32(00000000,?), ref: 0056915E
Part of subcall function 0056912D: GetAsyncKeyState.USER32(00000001), ref: 00569183
Part of subcall function 0056912D: GetAsyncKeyState.USER32(00000002), ref: 0056919D

SetTimer.USER32(00000000,00000000,00000028,005690FC), ref: 00568AA8

Strings

AutoIt v3 GUI, xrefs: 00568A20

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 11f10f75165328ff95964fc9053c30517bc1c73c2ff07c94ea3af48b3cb1b335
Instruction ID: b2d27031748137b9c922e5cd9a01a9db61d4b0f5cfe464ce918eca2ee4d6475c
Opcode Fuzzy Hash: 11f10f75165328ff95964fc9053c30517bc1c73c2ff07c94ea3af48b3cb1b335
Instruction Fuzzy Hash: 82B16D71A0020A9FDB14DFA8DC89BAE3FB5FB59314F144229FA15AB290DB34E841CF51

Function 005B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005B1114
Part of subcall function 005B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1120
Part of subcall function 005B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B112F
Part of subcall function 005B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1136
Part of subcall function 005B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005B0E29
GetLengthSid.ADVAPI32(?), ref: 005B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 005B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005B0E96
GetLengthSid.ADVAPI32(?), ref: 005B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005B0EB5
HeapAlloc.KERNEL32(00000000), ref: 005B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005B0EDD
CopySid.ADVAPI32(00000000), ref: 005B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0F6E
HeapFree.KERNEL32(00000000), ref: 005B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0F7E
HeapFree.KERNEL32(00000000), ref: 005B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B0F8E
HeapFree.KERNEL32(00000000), ref: 005B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 005B0FA1
HeapFree.KERNEL32(00000000), ref: 005B0FA8

Part of subcall function 005B1193: GetProcessHeap.KERNEL32(00000008,005B0BB1,?,00000000,?,005B0BB1,?), ref: 005B11A1
Part of subcall function 005B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005B0BB1,?), ref: 005B11A8
Part of subcall function 005B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005B0BB1,?), ref: 005B11B7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad9f0e78419d7534cdb59b2f6c2572eec28e2e7bf70e357258ef71b7a247ca9c
Instruction ID: cf2ff7b3f9e4be0c594a33f54ab4333abf8d1fade2bcac5ed5e5acbc34ed7b4e
Opcode Fuzzy Hash: ad9f0e78419d7534cdb59b2f6c2572eec28e2e7bf70e357258ef71b7a247ca9c
Instruction Fuzzy Hash: C5715E72A0020AABDF249FA4DC88BEFBFB8BF15300F144155F959A6191D731EA05CB60

Function 005DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005ECC08,00000000,?,00000000,?,?), ref: 005DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005DC5A4
_wcslen.LIBCMT ref: 005DC5F4
_wcslen.LIBCMT ref: 005DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005DC84D
RegCloseKey.ADVAPI32(?), ref: 005DC881
RegCloseKey.ADVAPI32(00000000), ref: 005DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005DC960

Strings

REG_BINARY, xrefs: 005DC913
REG_DWORD, xrefs: 005DC804
REG_QWORD, xrefs: 005DC8C3
REG_EXPAND_SZ, xrefs: 005DC5CD
REG_SZ, xrefs: 005DC644
REG_MULTI_SZ, xrefs: 005DC6F5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 43f1804e77e94f38c654e77afbad860805e6dbf2d873ae9c4e8d7046f374a053
Instruction ID: 784c73370e605d2d7f79226baf767688a288b3ba99833a8ae9d5a080d5ebab79
Opcode Fuzzy Hash: 43f1804e77e94f38c654e77afbad860805e6dbf2d873ae9c4e8d7046f374a053
Instruction Fuzzy Hash: A8124C356042029FD714DF18D895A2ABFE5FF88715F04885EF88A9B3A2DB31ED45CB81

Function 005E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E09C6
_wcslen.LIBCMT ref: 005E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005E0A54
_wcslen.LIBCMT ref: 005E0A8A
_wcslen.LIBCMT ref: 005E0B06
_wcslen.LIBCMT ref: 005E0B81

Part of subcall function 0056F9F2: _wcslen.LIBCMT ref: 0056F9FD

Part of subcall function 005B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005B2BFA

Strings

COLLAPSE, xrefs: 005E0B01, 005E0B1C
EXPAND, xrefs: 005E0BF8
CHECK, xrefs: 005E0A85, 005E0AA0
GETSELECTED, xrefs: 005E0C4E
GETITEMCOUNT, xrefs: 005E0C1E
EXISTS, xrefs: 005E0B7C, 005E0B97
ISCHECKED, xrefs: 005E0CE1
GETTEXT, xrefs: 005E0C97
UNCHECK, xrefs: 005E0D3E
GETTOTALCOUNT, xrefs: 005E09F2, 005E0A17
SELECT, xrefs: 005E0D11

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d17b5627ac75438c1101fd877abadf82143729b388d221bc3d21672ae9b7f0d4
Instruction ID: 9b0e0891c4a952f113840c7b6f12a02be92a20f46771d1d883980fdc0016f2d0
Opcode Fuzzy Hash: d17b5627ac75438c1101fd877abadf82143729b388d221bc3d21672ae9b7f0d4
Instruction Fuzzy Hash: B0E16B356083829FC718DF25C45096ABBE2BF98314F14895DF8D69B3A2D770ED89CB81

Function 005DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DB6AE,?,?), ref: 005DC9B5
_wcslen.LIBCMT ref: 005DC9F1
_wcslen.LIBCMT ref: 005DCA68
_wcslen.LIBCMT ref: 005DCA9E
_wcslen.LIBCMT ref: 005DCAF9
_wcslen.LIBCMT ref: 005DCB2F
_wcslen.LIBCMT ref: 005DCB7F

Strings

HKEY_CURRENT_USER, xrefs: 005DCBBD
HKEY_LOCAL_MACHINE, xrefs: 005DCA62, 005DCA67
HKCU, xrefs: 005DCBCE
HKLM, xrefs: 005DCA98, 005DCA9D
HKEY_USERS, xrefs: 005DCBDF
HKEY_CURRENT_CONFIG, xrefs: 005DCB79, 005DCB7E
HKCC, xrefs: 005DCBAC
HKU, xrefs: 005DCBF0
HKEY_CLASSES_ROOT, xrefs: 005DCAF3, 005DCAF8
HKCR, xrefs: 005DCB29, 005DCB2E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 203c15521c850ca52f89320b2b149893ae15b63801c7af25c75dde86cdd449e1
Instruction ID: 572ec8f72d5b7e1bfb9fda7afbb03d009f84ff1df9daa3c6695b696828ba6de0
Opcode Fuzzy Hash: 203c15521c850ca52f89320b2b149893ae15b63801c7af25c75dde86cdd449e1
Instruction Fuzzy Hash: 1471F33261016B8BCB30DE6CC9515BA3FA2BBA0750F654527FC669B394E630CD85D7A0

Function 005E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005E835A
_wcslen.LIBCMT ref: 005E836E
_wcslen.LIBCMT ref: 005E8391
_wcslen.LIBCMT ref: 005E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005E5BF2), ref: 005E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005E8501
FreeLibrary.KERNEL32(?), ref: 005E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005E851D
DestroyIcon.USER32(?,?,?,?,?,005E5BF2), ref: 005E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005E8555

Strings

.icl, xrefs: 005E8368
.dll, xrefs: 005E83AB
.exe, xrefs: 005E8388

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: bfa6468597fa8be0b502f2a16d003d7ffbad8e98776c80e7e6663b959bdadecf
Instruction ID: fef67bea1235d4c1b66c6fba74d2830d1cb439f0938e8491d17264ba5668b64e
Opcode Fuzzy Hash: bfa6468597fa8be0b502f2a16d003d7ffbad8e98776c80e7e6663b959bdadecf
Instruction Fuzzy Hash: EC61F171500256BBEB18CF65DC85BBE7FA8FB48711F10450AF859DA1D0EF70A980DBA0

Function 00557778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0055785F, 005578B1
#requireadmin, xrefs: 005577FF
', xrefs: 00595169
Unterminated group of comments, xrefs: 0059528C
#comments-end, xrefs: 005578D9
#include-once, xrefs: 0055782F
#cs, xrefs: 00557873, 005578C5
#include, xrefs: 00557847
Bad directive syntax error, xrefs: 0059519A
#notrayicon, xrefs: 005577E7
#ce, xrefs: 005578ED
#OnAutoItStartRegister, xrefs: 00557817
#pragma compile, xrefs: 005577D3
Cannot parse #include, xrefs: 00595279
", xrefs: 00595153

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 97a203b8664866e5792044109b88b118bba26b19179bdc885f499dfb4bdd7cef
Instruction ID: 805b5d1149db8ac560ca3ee72f44d15d1b7409d7489706d4507b37a52a957fb7
Opcode Fuzzy Hash: 97a203b8664866e5792044109b88b118bba26b19179bdc885f499dfb4bdd7cef
Instruction Fuzzy Hash: 9581187164060AABDF15AF60EC56FAE3F68FF48300F144426FD486B192EB70DA15D791

Function 005C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005C3EF8
_wcslen.LIBCMT ref: 005C3F03
_wcslen.LIBCMT ref: 005C3F5A
_wcslen.LIBCMT ref: 005C3F98
GetDriveTypeW.KERNEL32(?), ref: 005C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005C4087

Strings

set cd door , xrefs: 005C4028
open , xrefs: 005C3FE5
close, xrefs: 005C3EFE, 005C3F18
wait, xrefs: 005C4044
closed, xrefs: 005C3F08, 005C3F2D, 005C3F46, 005C3F7E, 005C3F97
type cdaudio alias cd wait, xrefs: 005C4001
open, xrefs: 005C3F54, 005C3F59
close cd wait, xrefs: 005C4072

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 854446d46b16f9d3273d9f0bf2e6face62975ee78dcc80573b3462c80e69b580
Instruction ID: eb4de7c45e689f8a4c3adab0f4f4077c0ed0b7073044eea9a57aa01790d4c3b3
Opcode Fuzzy Hash: 854446d46b16f9d3273d9f0bf2e6face62975ee78dcc80573b3462c80e69b580
Instruction Fuzzy Hash: BC71DF326042069FC310EF24C8949AABFF5FF94754F00892EF89597261EB34DD49CB91

Function 005B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005B5A40
SetWindowTextW.USER32(?,?), ref: 005B5A57
GetDlgItem.USER32(?,000003EA), ref: 005B5A6C
SetWindowTextW.USER32(00000000,?), ref: 005B5A72
GetDlgItem.USER32(?,000003E9), ref: 005B5A82
SetWindowTextW.USER32(00000000,?), ref: 005B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005B5AC3
GetWindowRect.USER32(?,?), ref: 005B5ACC
_wcslen.LIBCMT ref: 005B5B33
SetWindowTextW.USER32(?,?), ref: 005B5B6F
GetDesktopWindow.USER32 ref: 005B5B75
GetWindowRect.USER32(00000000), ref: 005B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005B5BD3
GetClientRect.USER32(?,?), ref: 005B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 005B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005B5C2F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 774db88385bdd38191294596c9cc8b7630f9f96dcbd0d577098b955d101b108f
Instruction ID: 6618f69223fc935a88624e941c1d64c1e5dc2bc04994f219ef92b40ab0145db3
Opcode Fuzzy Hash: 774db88385bdd38191294596c9cc8b7630f9f96dcbd0d577098b955d101b108f
Instruction Fuzzy Hash: 1F715B31900B05AFDB28DFA8CE85BAEBFF5FB48704F104918E582A65A0E775F944CB10

Function 005CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 005CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 005CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 005CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 005CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 005CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 005CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 005CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 005CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 005CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 005CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 005CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 005CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 005CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 005CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 005CFECC
GetCursorInfo.USER32(?), ref: 005CFEDC
GetLastError.KERNEL32 ref: 005CFF1E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 256fc471ec0029da5fa7b10c6af22f536a7a87c46805d65e49b4ea0dc06c528b
Instruction ID: 51adeed5ebe8094228bccf306dcd0f716e80ccdbab9ea5c064eeca6cd8f6676d
Opcode Fuzzy Hash: 256fc471ec0029da5fa7b10c6af22f536a7a87c46805d65e49b4ea0dc06c528b
Instruction Fuzzy Hash: 3E4151B0D043196EDB109FBA8C89D5EBFE9FF04354B50452AE119EB281DB78E901CF91

Function 005B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B318D
_wcslen.LIBCMT ref: 005B31F8

Strings

CLASS, xrefs: 005B3188, 005B31A5
INSTANCE, xrefs: 005B3453
TEXT, xrefs: 005B347C
NAME, xrefs: 005B3335, 005B3346
CLASSNN, xrefs: 005B31F3, 005B3204
REGEXPCLASS, xrefs: 005B3255, 005B3266
[a, xrefs: 005B339A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[a
API String ID: 176396367-3666544304
Opcode ID: 631844284f75b2e2db039c42d9c6e1a0bd618b3e01c12e52568e0eb1d9bf6b23
Instruction ID: 1030dd56bb1f42bfa9cb2200e83d3db38b22c41c9e04fb891aeea08dcb9a9fc7
Opcode Fuzzy Hash: 631844284f75b2e2db039c42d9c6e1a0bd618b3e01c12e52568e0eb1d9bf6b23
Instruction Fuzzy Hash: AEE1D332A00516EBCF289F68C8556EEFFB5BF84710F54851AE456B7240DB30BE89D790

Function 005700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005700C6

Part of subcall function 005700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0062070C,00000FA0,D0D103D3,?,?,?,?,005923B3,000000FF), ref: 0057011C
Part of subcall function 005700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005923B3,000000FF), ref: 00570127
Part of subcall function 005700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005923B3,000000FF), ref: 00570138
Part of subcall function 005700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0057014E
Part of subcall function 005700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0057015C
Part of subcall function 005700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0057016A
Part of subcall function 005700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00570195
Part of subcall function 005700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005701A0

___scrt_fastfail.LIBCMT ref: 005700E7

Part of subcall function 005700A3: __onexit.LIBCMT ref: 005700A9

Strings

kernel32.dll, xrefs: 00570133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00570122
InitializeConditionVariable, xrefs: 00570148
WakeAllConditionVariable, xrefs: 00570162
SleepConditionVariableCS, xrefs: 00570154

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4d134c9458254aaf48ca64eccec3ac5c0124d2ee1659052666ae57ceee0afd4d
Instruction ID: 2fa98b1b7425186a4947b46591da8bf5bc048c93e723876e7132694eb7551ba6
Opcode Fuzzy Hash: 4d134c9458254aaf48ca64eccec3ac5c0124d2ee1659052666ae57ceee0afd4d
Instruction Fuzzy Hash: 22212932A44B51EBE7285B64BC49B6A3FD9FB44B61F009139F845976D1DF609C00DB90

Function 005C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005ECC08), ref: 005C4527
_wcslen.LIBCMT ref: 005C453B
_wcslen.LIBCMT ref: 005C4599
_wcslen.LIBCMT ref: 005C45F4
_wcslen.LIBCMT ref: 005C463F
_wcslen.LIBCMT ref: 005C46A7

Part of subcall function 0056F9F2: _wcslen.LIBCMT ref: 0056F9FD

GetDriveTypeW.KERNEL32(?,00616BF0,00000061), ref: 005C4743

Strings

removable, xrefs: 005C45EA, 005C45EF
cdrom, xrefs: 005C458F, 005C4594
ramdisk, xrefs: 005C46F1
fixed, xrefs: 005C4635, 005C463A
all, xrefs: 005C4531, 005C4536
unknown, xrefs: 005C4708
network, xrefs: 005C469D, 005C46A2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ada116977d76ea3cb4814c377e6667fe7015db54683d78c3a4e1606798899add
Instruction ID: 72c7a189e2c99dcd0799a681eb8da2c17e2fd35fbe2bce5e9460cac8aa73be43
Opcode Fuzzy Hash: ada116977d76ea3cb4814c377e6667fe7015db54683d78c3a4e1606798899add
Instruction Fuzzy Hash: F3B1CC316083029FC710DF68D8A4E6ABFE5BFE5760F50891DF49A87295D730D889CB92

Function 005E911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

DragQueryPoint.SHELL32(?,?), ref: 005E9147

Part of subcall function 005E7674: ClientToScreen.USER32(?,?), ref: 005E769A
Part of subcall function 005E7674: GetWindowRect.USER32(?,?), ref: 005E7710
Part of subcall function 005E7674: PtInRect.USER32(?,?,005E8B89), ref: 005E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005E9277
DragFinish.SHELL32(?), ref: 005E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005E9371

Strings

@GUI_DRAGFILE, xrefs: 005E9320
@GUI_DRAGID, xrefs: 005E92E9
p#b, xrefs: 005E92BB
@GUI_DROPID, xrefs: 005E929E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#b
API String ID: 221274066-3556060201
Opcode ID: fa25f410c8cd340b5c27a3626dd2b14c79b4d34866e0338e6fe7f3edf574fa4b
Instruction ID: b995b4686388d6b7107cbd294c33b8ed77a4edeab8dfeb6e867dab661e55da8e
Opcode Fuzzy Hash: fa25f410c8cd340b5c27a3626dd2b14c79b4d34866e0338e6fe7f3edf574fa4b
Instruction Fuzzy Hash: 95617571108342AFC704DF64D889DABBFE9FFD9350F00092EF991962A1DB309A49CB52

Function 0055326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00621990), ref: 00592F8D
GetMenuItemCount.USER32(00621990), ref: 0059303D
GetCursorPos.USER32(?), ref: 00593081
SetForegroundWindow.USER32(00000000), ref: 0059308A
TrackPopupMenuEx.USER32(00621990,00000000,?,00000000,00000000,00000000), ref: 0059309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005930A9

Strings

0, xrefs: 0055327D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4a4bbfb424723ccaf8c727c21e66f535d73387bc15436d591411f2325d0cff74
Instruction ID: 04721231578cab4a329e5296b09cb1472d0f18b78574896eeb7a41bbf77726fb
Opcode Fuzzy Hash: 4a4bbfb424723ccaf8c727c21e66f535d73387bc15436d591411f2325d0cff74
Instruction Fuzzy Hash: 4C711970640206BEEF258F64CC9EFAABF64FF05364F204216F9186A1E0C7B1AD14DB50

Function 005E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 005E6DEB

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005E6E94
DestroyWindow.USER32(?), ref: 005E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00550000,00000000), ref: 005E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005E6EFD
GetDesktopWindow.USER32 ref: 005E6F16
GetWindowRect.USER32(00000000), ref: 005E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005E6F4D

Part of subcall function 00569944: GetWindowLongW.USER32(?,000000EB), ref: 00569952

Strings

tooltips_class32, xrefs: 005E6E58, 005E6EDD
0, xrefs: 005E6D98

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1c067928561fbd46a85672a1d5676338f676ade5301ddb40351045179a04a197
Instruction ID: 7cbbe0cc0507693a4faa22e7e2485e8e43e78cce0395aa8d7504d73946a97a9b
Opcode Fuzzy Hash: 1c067928561fbd46a85672a1d5676338f676ade5301ddb40351045179a04a197
Instruction Fuzzy Hash: 2A716B74504284AFDB29CF19D884A6BBFE9FBA9384F04041DF9D98B261C770E94ADB11

Function 005CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005CC5F0
InternetCloseHandle.WININET(00000000), ref: 005CC5FB

Strings

, xrefs: 005CC575

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 01bd5b57eb83ee6938f562c420e6c9ed3bff9effa31bc9d617d76e3cb68186d0
Instruction ID: 3e79ab9cc762fc636387528b4e6b23f99337082b30ae86cc8e42e93f7487af89
Opcode Fuzzy Hash: 01bd5b57eb83ee6938f562c420e6c9ed3bff9effa31bc9d617d76e3cb68186d0
Instruction Fuzzy Hash: BB513CB1500645BFDB258FA4C988FAB7FBCFB18754F00841DF9899A250DB34E949EB60

Function 005E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85BA
GlobalLock.KERNEL32(00000000), ref: 005E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85D7
GlobalUnlock.KERNEL32(00000000), ref: 005E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005EFC38,?), ref: 005E8611
GlobalFree.KERNEL32(00000000), ref: 005E8621
GetObjectW.GDI32(?,00000018,?), ref: 005E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005E8671
DeleteObject.GDI32(?), ref: 005E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005E86AF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e582a7089ae73baa483b57c75ac96b085cdd77801a6f23f8067ff3c042b62287
Instruction ID: 2098fa89e80663605413af2ce3e9886c9ea897c8fcd59be11fdc81de30d6344d
Opcode Fuzzy Hash: e582a7089ae73baa483b57c75ac96b085cdd77801a6f23f8067ff3c042b62287
Instruction Fuzzy Hash: 84411975600244AFDB19DFA5CC88EAA7FB8FB99711F104059F999EB260DB30D906DB20

Function 005C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005C1502
VariantCopy.OLEAUT32(?,?), ref: 005C150B
VariantClear.OLEAUT32(?), ref: 005C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 005C1657
VariantInit.OLEAUT32(?), ref: 005C1708
SysFreeString.OLEAUT32(?), ref: 005C178C
VariantClear.OLEAUT32(?), ref: 005C17D8
VariantClear.OLEAUT32(?), ref: 005C17E7
VariantInit.OLEAUT32(00000000), ref: 005C1823

Strings

Default, xrefs: 005C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 005C1625

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e1bf6427fba0f9406fc5a83c309705aa4d03cc7013bc2ce6573acc66aced9b24
Instruction ID: b9c0464e5bfdf5b950b5f9f23a30b88fb78ac60327a2603ceb306c94b1fec1c7
Opcode Fuzzy Hash: e1bf6427fba0f9406fc5a83c309705aa4d03cc7013bc2ce6573acc66aced9b24
Instruction Fuzzy Hash: 19D10271A00912DFCB049FA5E889F79BFB5BF86700F50849AE846AB182DB30EC45DF55

Function 005DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DB6AE,?,?), ref: 005DC9B5
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DC9F1
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA68
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 005DB80A
RegCloseKey.ADVAPI32(?), ref: 005DB87E
RegCloseKey.ADVAPI32(?), ref: 005DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 005DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 005DB922
FreeLibrary.KERNEL32(00000000), ref: 005DB983
RegCloseKey.ADVAPI32(00000000), ref: 005DB994

Strings

RegDeleteKeyExW, xrefs: 005DB8FE
advapi32.dll, xrefs: 005DB8ED

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4658a89bcf1fcd5727c09d4b88257d7599c05df29ad2d9a53185e562174d8257
Instruction ID: 12a47ffdae8867b189307ac4bed56da9c806115c0ec5ffa0b67096967be06778
Opcode Fuzzy Hash: 4658a89bcf1fcd5727c09d4b88257d7599c05df29ad2d9a53185e562174d8257
Instruction Fuzzy Hash: D6C16E34204242EFD724DF18C4A9F2ABFE6BF84314F15855EE4954B3A2CB35E949CB91

Function 005D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005D25E8
CreateCompatibleDC.GDI32(?), ref: 005D25F4
SelectObject.GDI32(00000000,?), ref: 005D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005D26D0
SelectObject.GDI32(?,?), ref: 005D26D8
DeleteObject.GDI32(?), ref: 005D26E1
DeleteDC.GDI32(?), ref: 005D26E8
ReleaseDC.USER32(00000000,?), ref: 005D26F3

Strings

(, xrefs: 005D268D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4d5bb6d06b4e604b37b74497a0d742090908e6c52fc346657deeb48d70fdc698
Instruction ID: 043bd65f77a188417ce7402ad51bec5c675ccdd423417ee8347ae55c8d6587a2
Opcode Fuzzy Hash: 4d5bb6d06b4e604b37b74497a0d742090908e6c52fc346657deeb48d70fdc698
Instruction Fuzzy Hash: 0E61D275D00219EFCF18CFA8D888AAEBBB5FF58310F20852AE956A7250D770A951DF50

Function 0058DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0058DAA1

Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D659
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D66B
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D67D
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D68F
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6A1
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6B3
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6C5
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6D7
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6E9
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D6FB
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D70D
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D71F
Part of subcall function 0058D63C: _free.LIBCMT ref: 0058D731

_free.LIBCMT ref: 0058DA96

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 0058DAB8
_free.LIBCMT ref: 0058DACD
_free.LIBCMT ref: 0058DAD8
_free.LIBCMT ref: 0058DAFA
_free.LIBCMT ref: 0058DB0D
_free.LIBCMT ref: 0058DB1B
_free.LIBCMT ref: 0058DB26
_free.LIBCMT ref: 0058DB5E
_free.LIBCMT ref: 0058DB65
_free.LIBCMT ref: 0058DB82
_free.LIBCMT ref: 0058DB9A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7e74f029ad7c314d8dbeea3b0b87d98ef3f93b9553dfb0261f37d680926bfab2
Instruction ID: 08ad61c78c289e748741d3108ca3f3971c7901aa35378397723165606fa75c74
Opcode Fuzzy Hash: 7e74f029ad7c314d8dbeea3b0b87d98ef3f93b9553dfb0261f37d680926bfab2
Instruction Fuzzy Hash: A03119316446069FEB25BA39E849B6A7FF9FF40321F264419E849E7191DE35AC808B30

Function 005B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005B369C
_wcslen.LIBCMT ref: 005B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005B3797
GetClassNameW.USER32(?,?,00000400), ref: 005B380C
GetDlgCtrlID.USER32(?), ref: 005B385D
GetWindowRect.USER32(?,?), ref: 005B3882
GetParent.USER32(?), ref: 005B38A0
ScreenToClient.USER32(00000000), ref: 005B38A7
GetClassNameW.USER32(?,?,00000100), ref: 005B3921
GetWindowTextW.USER32(?,?,00000400), ref: 005B395D

Strings

%s%u, xrefs: 005B3734

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2984ebd8baf5bda3e004813a1d273d43f2d70b5446573e800a724fd93cceebe5
Instruction ID: d768d06c44d895762ad570d4f10872cc29bc6208eea70e2c3fa1db5ec3759b9d
Opcode Fuzzy Hash: 2984ebd8baf5bda3e004813a1d273d43f2d70b5446573e800a724fd93cceebe5
Instruction Fuzzy Hash: 30919271204706AFD719DF24C885BEAFBA9FF44350F008529F999E6190EB70FA49CB91

Function 005B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 005B4994
GetWindowTextW.USER32(?,?,00000400), ref: 005B49DA
_wcslen.LIBCMT ref: 005B49EB
CharUpperBuffW.USER32(?,00000000), ref: 005B49F7
_wcsstr.LIBVCRUNTIME ref: 005B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 005B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 005B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 005B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 005B4B20
GetWindowRect.USER32(?,?), ref: 005B4B8B

Strings

ThumbnailClass, xrefs: 005B4A6F, 005B4AF1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a88a66c55ec507bbf6cf5fe047fc8cc6f4be85981ca7cd50522d697224abae81
Instruction ID: 096da71d41412ed824d5a91149a7366e3a422c524b2f6a24d7734669fcabc675
Opcode Fuzzy Hash: a88a66c55ec507bbf6cf5fe047fc8cc6f4be85981ca7cd50522d697224abae81
Instruction Fuzzy Hash: 4A91AD720042069BDB24CF14C985BEA7FA9FF84714F04846AFE859A196DB34ED45CFA1

Function 005E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005E8D5A
GetFocus.USER32 ref: 005E8D6A
GetDlgCtrlID.USER32(00000000), ref: 005E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005E8ECF
GetMenuItemCount.USER32(?), ref: 005E8EEC
GetMenuItemID.USER32(?,00000000), ref: 005E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005E8FA1

Strings

0, xrefs: 005E8E9F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 10f673a5dcc652e5cfe63c003f1f2070ebe13971968514e4875f6211611aa6d0
Instruction ID: 36d7a7586505c4961af84c75bd899e0e2fa2e7bae370799a0a418679b103512e
Opcode Fuzzy Hash: 10f673a5dcc652e5cfe63c003f1f2070ebe13971968514e4875f6211611aa6d0
Instruction Fuzzy Hash: 1281B0715083819FDB18CF25D888ABB7FE9FB98314F040959F9D89B291DB30D905DBA1

Function 005BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005BDC46
_wcslen.LIBCMT ref: 005BDC50
_wcsstr.LIBVCRUNTIME ref: 005BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005BDCBC

Strings

\VarFileInfo\Translation, xrefs: 005BDCB4
StringFileInfo\, xrefs: 005BDC8F
%u.%u.%u.%u, xrefs: 005BDD9A
DefaultLangCodepage, xrefs: 005BDD1F
04090000, xrefs: 005BDCF2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 65e71e717223aa5b141fa479f27a3ceaac2ac0ba95caf64249d923e13ee85c45
Instruction ID: fee87004dc051e318d099586757f63d06e4792bb6b0e57ef30504024e3db9a41
Opcode Fuzzy Hash: 65e71e717223aa5b141fa479f27a3ceaac2ac0ba95caf64249d923e13ee85c45
Instruction Fuzzy Hash: 0041E0329402067ADB14A764AC4BEFF7F7CFF91710F14406AF944A6182FA65A902A7B4

Function 005DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005DCD48

Part of subcall function 005DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005DCCAA
Part of subcall function 005DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005DCCBD
Part of subcall function 005DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005DCCCF
Part of subcall function 005DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005DCD05
Part of subcall function 005DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 005DCCF3

Strings

RegDeleteKeyExW, xrefs: 005DCCC9
advapi32.dll, xrefs: 005DCCB8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: bdb1d50604b66caaa0940070234b10517835b19425c0b277aeba7b583488f31b
Instruction ID: 13f710aad1a46f161af7df73e4798360a91d2c12ece163c9c3f82157efa28c24
Opcode Fuzzy Hash: bdb1d50604b66caaa0940070234b10517835b19425c0b277aeba7b583488f31b
Instruction Fuzzy Hash: 2431807190122ABBDB349B54DC88EFFBF7DEF55740F000166F915EA250D6309E4AEAA0

Function 005C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005C3D40
_wcslen.LIBCMT ref: 005C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 005C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 005C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005C3E55
CloseHandle.KERNEL32(00000000), ref: 005C3E60
CloseHandle.KERNEL32(00000000), ref: 005C3E6B

Strings

:, xrefs: 005C3D82
\, xrefs: 005C3D77
\??\%s, xrefs: 005C3D5B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 59d2812dfc16c819ef17fbf80f9f5b125cf3b83984f765ad21c2687fd8d30c89
Instruction ID: 51a197eecc14dcba3db63573c9707e9ec6b25f2c5185916014add90397bbf423
Opcode Fuzzy Hash: 59d2812dfc16c819ef17fbf80f9f5b125cf3b83984f765ad21c2687fd8d30c89
Instruction Fuzzy Hash: 9231957590024A6BDB209BA0DC89FEF3BBCFF88740F1081A9F545D6060E774D7459B64

Function 005BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005BE6B4

Part of subcall function 0056E551: timeGetTime.WINMM(?,?,005BE6D4), ref: 0056E555

Sleep.KERNEL32(0000000A), ref: 005BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005BE727
SetActiveWindow.USER32 ref: 005BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 005BE773
Sleep.KERNEL32(000000FA), ref: 005BE77E
IsWindow.USER32 ref: 005BE78A
EndDialog.USER32(00000000), ref: 005BE79B

Strings

BUTTON, xrefs: 005BE719

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1acbeebb7e9e367dc25e853e903f05b9218e67354afb17a1a1e518d9e3ac27dd
Instruction ID: f4ae4c4bf2eac890f0be268f9ab5c297f2268c3500360e36965cff60f44b40fe
Opcode Fuzzy Hash: 1acbeebb7e9e367dc25e853e903f05b9218e67354afb17a1a1e518d9e3ac27dd
Instruction Fuzzy Hash: 2421F671200686BFEB245F20ECDBAA63F6BFB65348F142425F841992A1CF71FC469A10

Function 005BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005BEAA7

Strings

status PlayMe mode, xrefs: 005BEA58
open , xrefs: 005BEA0C
play PlayMe wait, xrefs: 005BEA91
alias PlayMe, xrefs: 005BEA36
close PlayMe, xrefs: 005BEA6E, 005BEA9B
play PlayMe, xrefs: 005BEAA2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a251a549357db26c7c96e1ff5dd3275e81511b09821d95c745ab76a5a98c00e5
Instruction ID: 34be87165b9d44bdc1157f5ab17fc996e3cf7bd590e36fce371b51d72a3201f1
Opcode Fuzzy Hash: a251a549357db26c7c96e1ff5dd3275e81511b09821d95c745ab76a5a98c00e5
Instruction Fuzzy Hash: 6F119135A5025A7AD720A7A1DC5FDFF6E7DFBD1B40F09082A7811A20D1EEB01989C5B0

Function 005B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005B5CE2
GetWindowRect.USER32(00000000,?), ref: 005B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005B5D59
GetDlgItem.USER32(?,00000002), ref: 005B5D69
GetWindowRect.USER32(00000000,?), ref: 005B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005B5DCF
GetDlgItem.USER32(?,000003E9), ref: 005B5DDD
GetWindowRect.USER32(00000000,?), ref: 005B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005B5E31
GetDlgItem.USER32(?,000003EA), ref: 005B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 005B5E67

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3f497df714a02affbebbbad92b6b5acafd50e4f6e8e6a927a3594cc93bad14cc
Instruction ID: b488225f3d65f293e526177746f5638804241877c9f42bfc9d11dcb7c53f2cc7
Opcode Fuzzy Hash: 3f497df714a02affbebbbad92b6b5acafd50e4f6e8e6a927a3594cc93bad14cc
Instruction Fuzzy Hash: FA51F071A00605AFDF18CF68DD89AAE7FB9FB58300F548229F915E6290D770EE05CB50

Function 00568BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00568F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00568BE8,?,00000000,?,?,?,?,00568BBA,00000000,?), ref: 00568FC5

DestroyWindow.USER32(?), ref: 00568C81
KillTimer.USER32(00000000,?,?,?,?,00568BBA,00000000,?), ref: 00568D1B
DestroyAcceleratorTable.USER32(00000000), ref: 005A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00568BBA,00000000,?), ref: 005A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00568BBA,00000000,?), ref: 005A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00568BBA,00000000), ref: 005A69D4
DeleteObject.GDI32(00000000), ref: 005A69E6

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2ffc3043c77095cee8a89553fa76139c2392b7dca918e49ed2893c83b21e966c
Instruction ID: 403aa60c9c5e5dcd39a36b992830dd75b9cefd81d298cc8ca6096388ac16add8
Opcode Fuzzy Hash: 2ffc3043c77095cee8a89553fa76139c2392b7dca918e49ed2893c83b21e966c
Instruction Fuzzy Hash: BC617A31505A00DFDB359F24D998B3A7FB2FB66312F145A19E0829F560CB31ACD6DB50

Function 00569838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00569944: GetWindowLongW.USER32(?,000000EB), ref: 00569952

GetSysColor.USER32(0000000F), ref: 00569862

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 41bb5f83e57f020a2719abae66e96c96d47cc0ad8da0449f34d05c2a828a4d77
Instruction ID: 140aa3db4c60982924568721ecdda22b0fa4a086752e5af23759bd780d11ca39
Opcode Fuzzy Hash: 41bb5f83e57f020a2719abae66e96c96d47cc0ad8da0449f34d05c2a828a4d77
Instruction Fuzzy Hash: B4419F31504644AFDB245F389C88BBA3FA9BB5B320F144659F9A28B1E1D731DC42EB50

Function 00588D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.W, xrefs: 0058903A, 00588FD0, 00588FF2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: .W
API String ID: 0-1554619033
Opcode ID: 3e0dd6a505da7e2de416612ed49b77aa2642719004ed363b92c5f329c1fb1ca5
Instruction ID: 7dca361d2d114eb81e2d74cd3b648e64462df17eef4a3faac16018058f44671a
Opcode Fuzzy Hash: 3e0dd6a505da7e2de416612ed49b77aa2642719004ed363b92c5f329c1fb1ca5
Instruction Fuzzy Hash: F2C1C174A04249EFDB21EFA8D849BBDBFB4BF49310F184199ED54B7292C7309941CB61

Function 005B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0059F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005B9717
LoadStringW.USER32(00000000,?,0059F7F8,00000001), ref: 005B9720

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0059F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005B9742
LoadStringW.USER32(00000000,?,0059F7F8,00000001), ref: 005B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005B9866

Strings

Error: , xrefs: 005B981D
Line %d:, xrefs: 005B97A0
%s (%d) : ==> %s: %s %s, xrefs: 005B984A
^ ERROR, xrefs: 005B97FB
Line %d (File "%s"):, xrefs: 005B978F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 7007285e8233d083061af2d03d2bcd3a853b6fcfb4157cae30739ba8c0e9057f
Instruction ID: dbe0b80b96d52afe286fdd96a2e864f5dede432ae977da063249a785cbfa58e6
Opcode Fuzzy Hash: 7007285e8233d083061af2d03d2bcd3a853b6fcfb4157cae30739ba8c0e9057f
Instruction Fuzzy Hash: 9541527280011AAACF04EBD0CD9ADEE7B79BF95341F510466F60572092EA356F49CB61

Function 005B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005B083C

Strings

\IPC$, xrefs: 005B0784
SOFTWARE\Classes\, xrefs: 005B070E
\CLSID, xrefs: 005B0724

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 400d97c00a7dbeab39a662bfabc8248c5260ae0d9a133c96ee6fe68b01a3919a
Instruction ID: b04b4b34863c600fc28f54eb1b92de377b7e752d0f394f4f3f958fe4a500a028
Opcode Fuzzy Hash: 400d97c00a7dbeab39a662bfabc8248c5260ae0d9a133c96ee6fe68b01a3919a
Instruction Fuzzy Hash: BE412A71C10229EBDF15EB94DC998EEBB78FF54350F15452AF805A71A1EB30AE08CB90

Function 005D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D3C5C
CoInitialize.OLE32(00000000), ref: 005D3C8A
CoUninitialize.OLE32 ref: 005D3C94
_wcslen.LIBCMT ref: 005D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 005D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 005D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005D3F0E
CoGetObject.OLE32(?,00000000,005EFB98,?), ref: 005D3F2D
SetErrorMode.KERNEL32(00000000), ref: 005D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005D3FC4
VariantClear.OLEAUT32(?), ref: 005D3FD8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 55b57d5297b63cf0d032cf8508be568f5ddf85cdbbf165a76039fd2d85b22f4b
Instruction ID: 3e307f0c871993b152a5c793b1868219e455422d3f5078eb43fa7331d9f2ae0e
Opcode Fuzzy Hash: 55b57d5297b63cf0d032cf8508be568f5ddf85cdbbf165a76039fd2d85b22f4b
Instruction Fuzzy Hash: 3AC123716082069FD710DF68C88492BBBE9FF89744F14491EF98A9B351D730EE0ACB52

Function 005C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 005C7BA3
CoCreateInstance.OLE32(005EFD08,00000000,00000001,00616E6C,?), ref: 005C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005C7C74
CoTaskMemFree.OLE32(?,?), ref: 005C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 005C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005C7D7A
CoTaskMemFree.OLE32(00000000), ref: 005C7D81
CoTaskMemFree.OLE32(00000000), ref: 005C7DD6
CoUninitialize.OLE32 ref: 005C7DDC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 91d8b3fb2b7f825f3c83ade7ffadd346e14af1066cc724a634dc161b06985f7e
Instruction ID: dccd4aee1224433eaf27450dc6d207cf2f39a8def114454e4441a4d9f927ce3d
Opcode Fuzzy Hash: 91d8b3fb2b7f825f3c83ade7ffadd346e14af1066cc724a634dc161b06985f7e
Instruction Fuzzy Hash: E1C11975A04109AFCB14DFA4C898DAEBFB9FF48305F148499E81A9B661D730EE45CF90

Function 005E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E5515
CharNextW.USER32(00000158), ref: 005E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E55AC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 982633a744ff160a065f4bf8cf56b5f32d489260eb210aa73f4b727fd8ea5c5d
Instruction ID: ecfbb691559b5104c621be822815bfcd0eca3f8ba69b1a45a955f0c39bbaa6bf
Opcode Fuzzy Hash: 982633a744ff160a065f4bf8cf56b5f32d489260eb210aa73f4b727fd8ea5c5d
Instruction Fuzzy Hash: 3F61B130904689EFDF188F56CC849FE3F79FB09328F104545F9A5AB291E7748A81DB60

Function 005AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 005AFB08
VariantInit.OLEAUT32(?), ref: 005AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 005AFB3A
VariantCopy.OLEAUT32(?,?), ref: 005AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 005AFBA1
VariantClear.OLEAUT32(?), ref: 005AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 005AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005AFBCC
VariantClear.OLEAUT32(?), ref: 005AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005AFBE9

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 25ce374465ef8837cdb8258749b7e2b5e74dba9e7be3cc2860aff470014f7a41
Instruction ID: f1e5d407505dc1871809bacf53d781d786650cc0a55972fb253f37776ecd8d8f
Opcode Fuzzy Hash: 25ce374465ef8837cdb8258749b7e2b5e74dba9e7be3cc2860aff470014f7a41
Instruction Fuzzy Hash: 03415135A002199FCF04DFA4C898DADBFB9FF59345F008069F955AB261DB30E946DBA0

Function 005B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 005B9D22
GetKeyState.USER32(000000A0), ref: 005B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 005B9D57
GetKeyState.USER32(000000A1), ref: 005B9D6C
GetAsyncKeyState.USER32(00000011), ref: 005B9D84
GetKeyState.USER32(00000011), ref: 005B9D96
GetAsyncKeyState.USER32(00000012), ref: 005B9DAE
GetKeyState.USER32(00000012), ref: 005B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 005B9DD8
GetKeyState.USER32(0000005B), ref: 005B9DEA

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2921f6c7d92cf1a92755ea33aac176a70bebfda3307d1bc59ced015ab550bf44
Instruction ID: d334a2bcbc0bd1882df4a94ad69e4847ec818692a07d723c01860b5a9df85148
Opcode Fuzzy Hash: 2921f6c7d92cf1a92755ea33aac176a70bebfda3307d1bc59ced015ab550bf44
Instruction Fuzzy Hash: 9B41D634504BC96EFF35876588453F5BEA07F21344F48805ADBC65A5C2DBA4BDC8CBA2

Function 005D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005D05BC
inet_addr.WSOCK32(?), ref: 005D061C
gethostbyname.WSOCK32(?), ref: 005D0628
IcmpCreateFile.IPHLPAPI ref: 005D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005D07B9
WSACleanup.WSOCK32 ref: 005D07BF

Strings

Ping, xrefs: 005D0676

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7f3938be2c1f51ccd329375bf0acd449a591f84633a835ac4eeb6c3a05c6810b
Instruction ID: ae1e3f0076ab2aa685bfbc8bb7a80f7a6c564c34729f91f127d906beff1088e8
Opcode Fuzzy Hash: 7f3938be2c1f51ccd329375bf0acd449a591f84633a835ac4eeb6c3a05c6810b
Instruction Fuzzy Hash: E1915A356042429FD724DF19D488B1ABFE0FB84318F1495AAE8A98F7A2C730ED45CF91

Function 005D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 005D8CF3

Part of subcall function 005B8E54: _wcslen.LIBCMT ref: 005B8E77

_wcslen.LIBCMT ref: 005D8D4E
_wcslen.LIBCMT ref: 005D8D9C
_wcslen.LIBCMT ref: 005D8DDC
_wcslen.LIBCMT ref: 005D8E6E

Strings

cdecl, xrefs: 005D8D48, 005D8D4D
stdcall, xrefs: 005D8DD6, 005D8DDB
winapi, xrefs: 005D8D96, 005D8D9B
none, xrefs: 005D8E65, 005D8E6A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6af0876536cae53c3aefbe52ff25bc8e250f2bb905d152d6124e5aee636a5af0
Instruction ID: 6b8563819da45fdac3d84a7e23e7fa105defe889580e20cfff5349509733af5c
Opcode Fuzzy Hash: 6af0876536cae53c3aefbe52ff25bc8e250f2bb905d152d6124e5aee636a5af0
Instruction Fuzzy Hash: 37518331A001169BCB24EF6CC9519BEBBA6FF64710B25462BE826E73C5DB31DD44CB90

Function 005D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005D3774
CoUninitialize.OLE32 ref: 005D377F
CoCreateInstance.OLE32(?,00000000,00000017,005EFB78,?), ref: 005D37D9
IIDFromString.OLE32(?,?), ref: 005D384C
VariantInit.OLEAUT32(?), ref: 005D38E4
VariantClear.OLEAUT32(?), ref: 005D3936

Strings

Failed to create object, xrefs: 005D37E4, 005D389A
NULL Pointer assignment, xrefs: 005D381E
Invalid parameter, xrefs: 005D3865

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0916bb1aea66c10c32323255b3f882029a64856e2d894ab96ee2d60480ff7ae4
Instruction ID: 19b1ea9fb3c3a88722dc8f3c339894cb6eaa6e000af527963ad7ec657d2f4a4b
Opcode Fuzzy Hash: 0916bb1aea66c10c32323255b3f882029a64856e2d894ab96ee2d60480ff7ae4
Instruction Fuzzy Hash: AE616B71608702AFD320DF58D889A5ABFE4FF89711F14080BF9859B391D770EA49DB92

Function 005E8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

Part of subcall function 0056912D: GetCursorPos.USER32(?), ref: 00569141
Part of subcall function 0056912D: ScreenToClient.USER32(00000000,?), ref: 0056915E
Part of subcall function 0056912D: GetAsyncKeyState.USER32(00000001), ref: 00569183
Part of subcall function 0056912D: GetAsyncKeyState.USER32(00000002), ref: 0056919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005E8B6B
ImageList_EndDrag.COMCTL32 ref: 005E8B71
ReleaseCapture.USER32 ref: 005E8B77
SetWindowTextW.USER32(?,00000000), ref: 005E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005E8CFF

Strings

@GUI_DRAGFILE, xrefs: 005E8C9A
p#b, xrefs: 005E8C71
@GUI_DROPID, xrefs: 005E8C51

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#b
API String ID: 1924731296-3745197145
Opcode ID: e7476164ce5e6386a32ec774a70f935438c557ffef1523c2b70eb3a99e187232
Instruction ID: 5a3c9fb1be427d757fa53042bd851a3b8306f17cca9615d5ddbd9f434481608b
Opcode Fuzzy Hash: e7476164ce5e6386a32ec774a70f935438c557ffef1523c2b70eb3a99e187232
Instruction Fuzzy Hash: 0A51CE31508341AFD704DF14DC99BAA7BE5FB89710F00062DF996AB2E1CB309D49CB62

Function 005C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005C33CF

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005C33F0

Strings

Error: , xrefs: 005C34D1
^ ERROR , xrefs: 005C349E
"%s" (%d) : ==> %s:%s%s, xrefs: 005C3504
Incorrect parameters to object property !, xrefs: 005C34AB
"%s" (%d) : ==> %s:, xrefs: 005C3522
Line %d (File "%s"):, xrefs: 005C3443, 005C345C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ffdffc187892dfbf788cc5e0bd3c7d9faeb59b326034a523e6e7c7ffa50d3aaf
Instruction ID: 54aa2e699e9c305c00b28d71987bbce22fecb56bfd09c847424a4c440d31be4c
Opcode Fuzzy Hash: ffdffc187892dfbf788cc5e0bd3c7d9faeb59b326034a523e6e7c7ffa50d3aaf
Instruction Fuzzy Hash: 5851933190020AAADF14EBE0CD5AEEEBB79FF54341F144466F90572062EB356F58DB60

Function 005BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005BB5FC
_wcslen.LIBCMT ref: 005BB608
_wcslen.LIBCMT ref: 005BB64D
_wcslen.LIBCMT ref: 005BB68C
_wcslen.LIBCMT ref: 005BB6C7

Strings

KEYS, xrefs: 005BB647, 005BB64C
REMOVE, xrefs: 005BB602, 005BB607
APPEND, xrefs: 005BB6C1, 005BB6C6
EXISTS, xrefs: 005BB686, 005BB68B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: aa8e129d347694039bb776694aeed3e14c31dabc7d5fb1f8f7e079d4fdd295c2
Instruction ID: f9854aec0b33af619f1a4f9bfa3637b7b144c00e77c794779a2a792748f4aadb
Opcode Fuzzy Hash: aa8e129d347694039bb776694aeed3e14c31dabc7d5fb1f8f7e079d4fdd295c2
Instruction Fuzzy Hash: F641C532A000279BDB205F7DC8915FE7FA5BBA0794B24462AE425DB284E7F1ED81C790

Function 005C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005C5416
GetLastError.KERNEL32 ref: 005C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 005C54A7

Strings

INVALID, xrefs: 005C5459
READY, xrefs: 005C5460, 005C5468
NOTREADY, xrefs: 005C544B
UNKNOWN, xrefs: 005C5444
READONLY, xrefs: 005C5452

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0b4fce997c142804c9041a69a8bc256400670ba751564a9a511f2accc3e9ecf5
Instruction ID: 4325cc612b63c3fbc017dc2000f05bea3100a1d49e04b35a6eed2a7e8db86fa4
Opcode Fuzzy Hash: 0b4fce997c142804c9041a69a8bc256400670ba751564a9a511f2accc3e9ecf5
Instruction Fuzzy Hash: 99315E35A005059FCB18DFA8C8C4FA97FA4FB45305F548059E8058B252EB71EDC6CB90

Function 005E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005E3C79
SetMenu.USER32(?,00000000), ref: 005E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E3D10
IsMenu.USER32(?), ref: 005E3D24
CreatePopupMenu.USER32 ref: 005E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005E3D5B
DrawMenuBar.USER32 ref: 005E3D63

Strings

F, xrefs: 005E3D4E
0, xrefs: 005E3C54

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 13fc1979c52f88d2941fea6e1cba3f515ff0bf1b5508bf512e47df1b58cfadfc
Instruction ID: e87b84ccee3acf7c283f281caa163688fc9df925a3e863b716db143060c21d62
Opcode Fuzzy Hash: 13fc1979c52f88d2941fea6e1cba3f515ff0bf1b5508bf512e47df1b58cfadfc
Instruction Fuzzy Hash: 0B419C75A01349AFDB18CF61D888AAA7FB5FF49340F140029E9869B360D730EA15DF90

Function 005B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005B1F64
GetDlgCtrlID.USER32 ref: 005B1F6F
GetParent.USER32 ref: 005B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 005B1F8E
GetDlgCtrlID.USER32(?), ref: 005B1F97
GetParent.USER32(?), ref: 005B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 005B1FAE

Strings

ListBox, xrefs: 005B1F21
ComboBox, xrefs: 005B1EEC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e368007a03b072c04903828de184580364a16b188b347281e667377dc309c62e
Instruction ID: 6cada780d6e535d10b2548e3ad48502bf865a1d54e9a1f2bf7182fe07338293f
Opcode Fuzzy Hash: e368007a03b072c04903828de184580364a16b188b347281e667377dc309c62e
Instruction Fuzzy Hash: 8521B074900214BBCF04AFA4CC999FEBFB9FF55310F500556B961AB291CB38A909DB64

Function 005E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005E3C13

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 0041b58e95e4f9e109cdb87a8bfc2fad3f99773b58a0b97147c70a54175b3684
Instruction ID: 79359e5826dd344651b10fa75d013dfb8beb09114377506b4b865fe9ee9d2dcc
Opcode Fuzzy Hash: 0041b58e95e4f9e109cdb87a8bfc2fad3f99773b58a0b97147c70a54175b3684
Instruction Fuzzy Hash: A9618C71900248AFDB24DF68CC85EEE7BB8FF49300F100199FA45AB291C774AE85DB50

Function 005BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB165
GetWindowThreadProcessId.USER32(00000000), ref: 005BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 005BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005BA1E1,?,00000001), ref: 005BB21D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 39b5eb1a099882e722c11b75c67807c3770d638b2e92ca3612de752b0c3dfe73
Instruction ID: fd598838fa7dbac8b37dc5fadf1f98c477b3cac4c9ba182f1a8559fdc74b1243
Opcode Fuzzy Hash: 39b5eb1a099882e722c11b75c67807c3770d638b2e92ca3612de752b0c3dfe73
Instruction Fuzzy Hash: 14318075600614AFEB249F28DC84FAEBFAABB61311F204005F911DA290D7F8AD46CF70

Function 00582C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00582C94

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 00582CA0
_free.LIBCMT ref: 00582CAB
_free.LIBCMT ref: 00582CB6
_free.LIBCMT ref: 00582CC1
_free.LIBCMT ref: 00582CCC
_free.LIBCMT ref: 00582CD7
_free.LIBCMT ref: 00582CE2
_free.LIBCMT ref: 00582CED
_free.LIBCMT ref: 00582CFB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 525977eb4790fa534416bf479f3a7fed40c771eb497009a33d73214b4b90ec65
Instruction ID: c2a71c37ddcf03e9ff32ce5ef9ccc04f94fa50aac4043f921d90bd414392d641
Opcode Fuzzy Hash: 525977eb4790fa534416bf479f3a7fed40c771eb497009a33d73214b4b90ec65
Instruction Fuzzy Hash: 48119376100109AFCB02FF54D886CDD3FA5FF45350F4244A5FE48AB222DA35EE909B90

Function 005C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005C7FC1
GetFileAttributesW.KERNEL32(?), ref: 005C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 005C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 005C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 005C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005C80B0

Strings

*.*, xrefs: 005C8066

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a1dc96b2041ee190edd6e010c01387fab274c95ec714b161534de832cefdf75a
Instruction ID: a1ca649ae6a7127333120e5cb73a9f51704931d2d6abb69d5ba314fe4df89620
Opcode Fuzzy Hash: a1dc96b2041ee190edd6e010c01387fab274c95ec714b161534de832cefdf75a
Instruction Fuzzy Hash: 638170725082459FCB24DFA4C458EAABBE8BF89310F144C5EF885D7650EB34ED498F52

Function 00555BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00555C7A

Part of subcall function 00555D0A: GetClientRect.USER32(?,?), ref: 00555D30
Part of subcall function 00555D0A: GetWindowRect.USER32(?,?), ref: 00555D71
Part of subcall function 00555D0A: ScreenToClient.USER32(?,?), ref: 00555D99

GetDC.USER32 ref: 005946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00594708
SelectObject.GDI32(00000000,00000000), ref: 00594716
SelectObject.GDI32(00000000,00000000), ref: 0059472B
ReleaseDC.USER32(?,00000000), ref: 00594733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005947C4

Strings

U, xrefs: 00594693

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 64e542e85f9bbe86bd5284c9ffbbcd3eb937fc35136f4c18a3d2ffcb2c2af8b1
Instruction ID: 858bf20ce45e7ca668311f6b6cc379f58de9a050589a5755934ba74429f37243
Opcode Fuzzy Hash: 64e542e85f9bbe86bd5284c9ffbbcd3eb937fc35136f4c18a3d2ffcb2c2af8b1
Instruction Fuzzy Hash: 4C71CE30400209DFCF258FA4C994EAA3FB5FF8A361F14426AED515A266D3309C47DF50

Function 005C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005C35E4

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

LoadStringW.USER32(00622390,?,00000FFF,?), ref: 005C360A

Strings

Error: , xrefs: 005C36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 005C3724
^ ERROR, xrefs: 005C36C9
"%s" (%d) : ==> %s:, xrefs: 005C3742
Line %d (File "%s"):, xrefs: 005C366B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: cd0473dd3f44f308583306b133688aa851159c75beacd69a39dff3c49418ef52
Instruction ID: 4564c79d5ded2cd5fc77cada49c0f5f43a062862ee6d46ab472235df176e2a57
Opcode Fuzzy Hash: cd0473dd3f44f308583306b133688aa851159c75beacd69a39dff3c49418ef52
Instruction Fuzzy Hash: 16515D7280020AAACF14EBE0CC5AEEDBF75FF54341F14452AF505720A1EB316B99DB60

Function 005CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005CC2CA
GetLastError.KERNEL32 ref: 005CC322
SetEvent.KERNEL32(?), ref: 005CC336
InternetCloseHandle.WININET(00000000), ref: 005CC341

Strings

, xrefs: 005CC2BB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 512df68eb5c128d82de9290232c4c6ae8fd47c4e6dbce091ccbcd7cac017ea79
Instruction ID: 9cf3b41390cec15630c1d1e5205d12c005d9e1d7d035c3eb96b571b822ba3fb4
Opcode Fuzzy Hash: 512df68eb5c128d82de9290232c4c6ae8fd47c4e6dbce091ccbcd7cac017ea79
Instruction Fuzzy Hash: 07319FB5500244AFD7219FA49C88FAB7FFCFB59B40B14891EF48AD6201DB30DD499B61

Function 005B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00593AAF,?,?,Bad directive syntax error,005ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005B98BC
LoadStringW.USER32(00000000,?,00593AAF,?), ref: 005B98C3

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005B9987

Strings

Line %d:, xrefs: 005B9912
%s (%d) : ==> %s.: %s %s, xrefs: 005B98F1
Error: , xrefs: 005B9955
., xrefs: 005B996D
Line %d (File "%s"):, xrefs: 005B992D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 0e89b43f8f636faf175c63e84da4fb695055bb5684a0eac83959c80a9fc2a0a2
Instruction ID: cf7c46b6de995e38d7f0d747022e55c8337f5f3c9ed632183586a90c0c10219b
Opcode Fuzzy Hash: 0e89b43f8f636faf175c63e84da4fb695055bb5684a0eac83959c80a9fc2a0a2
Instruction Fuzzy Hash: 9F218231D0021EEBCF15AF90CC5AEEE7B75FF54301F044866F519660A2DB75AA58DB10

Function 005B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005B214D

Strings

list, xrefs: 005B212F
details, xrefs: 005B20FB
smallicons, xrefs: 005B2115
SHELLDLL_DefView, xrefs: 005B20CC
largeicons, xrefs: 005B20E1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f71a01f1e91343bba6f701c1cfcab6261e49c27593a365244f77a21ebdc73f1b
Instruction ID: fd224cdb03bbd8e4a8ae721380050a5c9a10a45ebad5dd066a2cd835539afb48
Opcode Fuzzy Hash: f71a01f1e91343bba6f701c1cfcab6261e49c27593a365244f77a21ebdc73f1b
Instruction Fuzzy Hash: 25113D76688707B6F6056228EC0ACE77F9DEB54314F204016F705E40D1FA65B882AA24

Function 0058CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0058CEB7
_free.LIBCMT ref: 0058CF22
_free.LIBCMT ref: 0058CF48
_free.LIBCMT ref: 0058CF71
_free.LIBCMT ref: 0058CFA9
_free.LIBCMT ref: 0058CFDA
_free.LIBCMT ref: 0058D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0058D09C
_free.LIBCMT ref: 0058D0B5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: dbfbe5ad4ed8f60d18f4cd96b5cf76e3289236477d3ffa38dc827c268c09fac0
Instruction ID: 701fd61943c1c57312463c2c3fb584da98bd92f4d19e05b7d08a3723e19bc030
Opcode Fuzzy Hash: dbfbe5ad4ed8f60d18f4cd96b5cf76e3289236477d3ffa38dc827c268c09fac0
Instruction Fuzzy Hash: A1614971904302AFEF21BFB49889A697FA6FF45350F14456EFE45B7282E6319D028B70

Function 00568B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00568874,00000000,00000000,00000000,000000FF,00000000), ref: 005A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00568874,00000000,00000000,00000000,000000FF,00000000), ref: 005A692D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a42b4bdf203f5247c4433a80af7b489e5d75234f13cab26b58abef164bf781a8
Instruction ID: bf70b92616619521d40e62e38cb9102fda3d01d5b5d9a0f0a11b262a39203955
Opcode Fuzzy Hash: a42b4bdf203f5247c4433a80af7b489e5d75234f13cab26b58abef164bf781a8
Instruction Fuzzy Hash: D851BC70A00209EFDB24CF24CC95FAA3FBAFB59750F144618F9529B2A0DB70E981DB40

Function 005CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005CC182
GetLastError.KERNEL32 ref: 005CC195
SetEvent.KERNEL32(?), ref: 005CC1A9

Part of subcall function 005CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005CC272
Part of subcall function 005CC253: GetLastError.KERNEL32 ref: 005CC322
Part of subcall function 005CC253: SetEvent.KERNEL32(?), ref: 005CC336
Part of subcall function 005CC253: InternetCloseHandle.WININET(00000000), ref: 005CC341

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 2fe4c8f449b8e654073a70f8f8d5f81b45f2c06ebb69d5a3145e92210adab505
Instruction ID: 61effad04d4626183d7316ab4563a4cfb81534e9ddeec6b17feb81485cc40438
Opcode Fuzzy Hash: 2fe4c8f449b8e654073a70f8f8d5f81b45f2c06ebb69d5a3145e92210adab505
Instruction Fuzzy Hash: 0E318C79600645AFDB259FE5DC48F66BFF9FF68300B04481DF99A86610D730E815EBA0

Function 005B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005B3A57
Part of subcall function 005B3A3D: GetCurrentThreadId.KERNEL32 ref: 005B3A5E
Part of subcall function 005B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005B25B3), ref: 005B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 005B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005B2627

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5c7dcd2e9a7143fbe09da8e1327abcfe52ea032a0fd43dd6012372e3d493e499
Instruction ID: 3f521b16f43fdcf1ca361a085fd8bb504dc1977b74b20200bb7ac059cc54d0a9
Opcode Fuzzy Hash: 5c7dcd2e9a7143fbe09da8e1327abcfe52ea032a0fd43dd6012372e3d493e499
Instruction Fuzzy Hash: 6C01D831390650BBFB1467699CCEF993F59EB9EB12F100011F354AE0D1C9E16449DA69

Function 005B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005B1449,?,?,00000000), ref: 005B180C
HeapAlloc.KERNEL32(00000000,?,005B1449,?,?,00000000), ref: 005B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005B1449,?,?,00000000), ref: 005B1828
GetCurrentProcess.KERNEL32(?,00000000,?,005B1449,?,?,00000000), ref: 005B1830
DuplicateHandle.KERNEL32(00000000,?,005B1449,?,?,00000000), ref: 005B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005B1449,?,?,00000000), ref: 005B1843
GetCurrentProcess.KERNEL32(005B1449,00000000,?,005B1449,?,?,00000000), ref: 005B184B
DuplicateHandle.KERNEL32(00000000,?,005B1449,?,?,00000000), ref: 005B184E
CreateThread.KERNEL32(00000000,00000000,005B1874,00000000,00000000,00000000), ref: 005B1868

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0a7c44a5c0904f0b3c60765ffbc6b13aa493a117c683cf132a8443423159f0b9
Instruction ID: ce05878f51a8dea1bc6e7857157ba980bf5fca1057d27e1588d3c73c1c005763
Opcode Fuzzy Hash: 0a7c44a5c0904f0b3c60765ffbc6b13aa493a117c683cf132a8443423159f0b9
Instruction Fuzzy Hash: 1D01A8B5240348BFE614ABA5DC89F6B3FACEB99B11F404411FA45DB1A1CA70D805DB20

Function 005DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 005BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005BD501
Part of subcall function 005BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005BD50F
Part of subcall function 005BD4DC: CloseHandle.KERNELBASE(00000000), ref: 005BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005DA16D
GetLastError.KERNEL32 ref: 005DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 005DA268
GetLastError.KERNEL32(00000000), ref: 005DA273
CloseHandle.KERNEL32(00000000), ref: 005DA2C4

Strings

SeDebugPrivilege, xrefs: 005DA18F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2ef69f1ef093507cdaec2dca2405312f17620e445c09fc2bd10dd2c468e3cf2c
Instruction ID: a0178ad54dd6b6b22a01f94569833779e20749710640f8a73b6a582ac4234340
Opcode Fuzzy Hash: 2ef69f1ef093507cdaec2dca2405312f17620e445c09fc2bd10dd2c468e3cf2c
Instruction Fuzzy Hash: A2617D342042429FD724DF19C498F16BFE1BF94318F54849EE4668BBA2C772ED49CB92

Function 005E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005E3954
_wcslen.LIBCMT ref: 005E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005E39F4

Strings

SysListView32, xrefs: 005E38F7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e1fc71d1f8e13d6bd57872b07546b41ef01d3b0277e6e463da2affe217d745f1
Instruction ID: 1560f0f0299c973d050d55e9baaab6f05441081cffa481b8edf91c095ca672d4
Opcode Fuzzy Hash: e1fc71d1f8e13d6bd57872b07546b41ef01d3b0277e6e463da2affe217d745f1
Instruction Fuzzy Hash: D941C271A00259ABDB259F65CC49BEA7FA9FF48350F100526F988EB281D371DA84CB90

Function 005BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005BBCFD
IsMenu.USER32(00000000), ref: 005BBD1D
CreatePopupMenu.USER32 ref: 005BBD53
GetMenuItemCount.USER32(00F468D8), ref: 005BBDA4
InsertMenuItemW.USER32(00F468D8,?,00000001,00000030), ref: 005BBDCC

Strings

2, xrefs: 005BBD37
0, xrefs: 005BBCA8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5f3d28bd86d876e48fc13580ae995cffd74085a4664312b5cf5f511dc427e148
Instruction ID: e9453fda40b2e09f9993b955088e760e0b50e7c503163d3fd4de13082a92d6d6
Opcode Fuzzy Hash: 5f3d28bd86d876e48fc13580ae995cffd74085a4664312b5cf5f511dc427e148
Instruction Fuzzy Hash: 83519D70A006059FEF20CFA8D888BEEBFF4BF95314F144619E4519B290D7F8A945CB61

Function 00572D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00572D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00572D53
_ValidateLocalCookies.LIBCMT ref: 00572DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00572E0C
_ValidateLocalCookies.LIBCMT ref: 00572E61

Strings

csm, xrefs: 00572DF6
&HW, xrefs: 00572DFE, 00572E07, 00572E18

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HW$csm
API String ID: 1170836740-771718976
Opcode ID: e185293507267c8a2821a9f2bee39bc66051583357859fab6dcdf67759161ecb
Instruction ID: 0c0a0d751dc36aa43ec104d4a3acbbbf24759b7d29819938ccbb4ddfec693e7b
Opcode Fuzzy Hash: e185293507267c8a2821a9f2bee39bc66051583357859fab6dcdf67759161ecb
Instruction Fuzzy Hash: F1419534E01219ABCF10DF68D855AAEBFB5FF44324F14C155E818AB392D731EA06EB91

Function 005BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005BC913

Strings

warning, xrefs: 005BC8FC
info, xrefs: 005BC8B4
question, xrefs: 005BC8CC
blank, xrefs: 005BC895
stop, xrefs: 005BC8E4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e4a53601f769898946eabbac4859cb31c0ae0fdf5aff926030cd18c542834aa3
Instruction ID: 7f7a2f11001c1c6704d3235b1194a9b3713ad139a72af11f2d78ff3c29225554
Opcode Fuzzy Hash: e4a53601f769898946eabbac4859cb31c0ae0fdf5aff926030cd18c542834aa3
Instruction Fuzzy Hash: EB112B35689307BBB7045B14EC82CEA2F9CFF55715B20442AF504E61C2D760BD80666C

Function 005BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005BDE42
gethostname.WSOCK32(?,00000100), ref: 005BDE5C
gethostbyname.WSOCK32(?), ref: 005BDE69
inet_ntoa.WSOCK32(?), ref: 005BDEAB
_strcat.LIBCMT ref: 005BDEB9
WSACleanup.WSOCK32 ref: 005BDEDE

Strings

0.0.0.0, xrefs: 005BDE87

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 89b191709e0a94e9fba6831086bbb9a994718ec7abb8d3b62b979497ef815cd2
Instruction ID: e01eac6d71cb554e9e9956f1a2f661e47a8638d41fa852232fe34448092575e9
Opcode Fuzzy Hash: 89b191709e0a94e9fba6831086bbb9a994718ec7abb8d3b62b979497ef815cd2
Instruction Fuzzy Hash: 94110671904215ABCB24AB20EC4AEEE7FBCFF51710F000169F549AB091FF71DA829A60

Function 005BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005BED2A
_wcslen.LIBCMT ref: 005BED3B
_wcslen.LIBCMT ref: 005BED79
_wcslen.LIBCMT ref: 005BEDAF
_wcslen.LIBCMT ref: 005BEDDF
_wcslen.LIBCMT ref: 005BEDEF
_wcslen.LIBCMT ref: 005BEE2B
_wcslen.LIBCMT ref: 005BEE5A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 119297d614e4dc5d8d1417ff87f50a9d86ae9c2a359b4a388696896a6f3c41fe
Instruction ID: 6313901b51ee0ee476bf932ebac30d760b993ede2be3f2521063b2b9c258dbc1
Opcode Fuzzy Hash: 119297d614e4dc5d8d1417ff87f50a9d86ae9c2a359b4a388696896a6f3c41fe
Instruction Fuzzy Hash: F041B169C1021976CB11EBB4988E9CFBBBCBF85300F008566E518E3122FB34E245D7A6

Function 0056F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005A682C,00000004,00000000,00000000), ref: 0056F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,005A682C,00000004,00000000,00000000), ref: 005AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005A682C,00000004,00000000,00000000), ref: 005AF454

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5b604c19a7575b00942a4bd6eb3d169dd94567a2c1a80a5809272c2d0bc3f9e9
Instruction ID: e997953962bef8889ddddcf90a1e96e5771d2719701aa6210fe4e367e0c87547
Opcode Fuzzy Hash: 5b604c19a7575b00942a4bd6eb3d169dd94567a2c1a80a5809272c2d0bc3f9e9
Instruction Fuzzy Hash: EF411831A08780BADB398B69E8C872E7FA2BB97314F14493DE09757560D631A8C1DB11

Function 005E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005E2D1B
GetDC.USER32(00000000), ref: 005E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005E2DE1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a3464fd6a857cd24ab816f1ce37fa9a58422ff7fd83ded20ff7d096aabd4b698
Instruction ID: b74730f27dfe21f476046102e74f5ab2135435bba118ef59162b7b91ed7b293e
Opcode Fuzzy Hash: a3464fd6a857cd24ab816f1ce37fa9a58422ff7fd83ded20ff7d096aabd4b698
Instruction Fuzzy Hash: F2318B72201294BBEB198F558C8AFEB3FADFB59711F044055FE889E291C6759C42CBA0

Function 005B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005B5637
_memcmp.LIBVCRUNTIME ref: 005B5659
_memcmp.LIBVCRUNTIME ref: 005B5671
_memcmp.LIBVCRUNTIME ref: 005B5684
_memcmp.LIBVCRUNTIME ref: 005B569E
_memcmp.LIBVCRUNTIME ref: 005B56B1
_memcmp.LIBVCRUNTIME ref: 005B56C9
_memcmp.LIBVCRUNTIME ref: 005B56E4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4716a490ef488dc2868e40f528e0facf0f280b5c0d02804ed207565975141e62
Instruction ID: 5ee2c176d8b8defeae21acc9674d3b293ec5d96810788eedeee21e24f890f082
Opcode Fuzzy Hash: 4716a490ef488dc2868e40f528e0facf0f280b5c0d02804ed207565975141e62
Instruction Fuzzy Hash: 7D21F971744E0A77E21C59259D86FFA3F5CBF60388F644420FD0A9A581FF20FE1192A9

Function 005D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005D502E, 005D5383
Not an Object type, xrefs: 005D5007

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: dd7cb40b6588d03403ff62203ca7f8137210bfe905fb3d3ffd16209633a81d3b
Instruction ID: 561803a21371fc82ab0dc106db50b8bdf1fe2fc51675d83112dba111c221f6bd
Opcode Fuzzy Hash: dd7cb40b6588d03403ff62203ca7f8137210bfe905fb3d3ffd16209633a81d3b
Instruction Fuzzy Hash: 67D19175A0060A9FDF24CFA8C885BAEBBB5BF48344F14846BE915AB381E770DD45CB50

Function 00591522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00591651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005917FB,?,005917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005916FB

Part of subcall function 00583820: RtlAllocateHeap.NTDLL(00000000,?,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6,?,00551129), ref: 00583852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00591777
__freea.LIBCMT ref: 005917A2
__freea.LIBCMT ref: 005917AE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5f9c4e66b41b156aac9e8f7ec5c491c6690d2ee6066d9ec173dacfe2f4e15d51
Instruction ID: b2da4c4eb54d2cb135587cc207ee5115e5d1f2f659397bfd7ccfc1fff74a58af
Opcode Fuzzy Hash: 5f9c4e66b41b156aac9e8f7ec5c491c6690d2ee6066d9ec173dacfe2f4e15d51
Instruction Fuzzy Hash: A991B272E00A279ADF248FA4C985AEE7FB9FF89710F194659E802E7181D735CC40CB64

Function 005D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D4648
VariantInit.OLEAUT32(?), ref: 005D4749
VariantClear.OLEAUT32(?), ref: 005D4753
VariantClear.OLEAUT32(?), ref: 005D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 005D472C
Null Object assignment in FOR..IN loop, xrefs: 005D45D8, 005D4706, 005D47BE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a0564e6d1efffa5d351e74e33d54f6772b6f647d879272515c230c4de67c5ee7
Instruction ID: d228a4b64c464a143b21e102d238f5841b011476bd82d31095663208f9af9826
Opcode Fuzzy Hash: a0564e6d1efffa5d351e74e33d54f6772b6f647d879272515c230c4de67c5ee7
Instruction Fuzzy Hash: 51917D71A00215ABDF24CFA8D888FAEBFB8FF46711F14855BE505AB280D7709945CFA0

Function 005C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005C1430

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8ecd3d2d8aacb259adeffac44e7e128789e21c950ad6a223d865115b8f6ecfdf
Instruction ID: 6b2922f4058ffbfe5e7cff66314e10f03675bcf085f2e62526379b1547c76c2d
Opcode Fuzzy Hash: 8ecd3d2d8aacb259adeffac44e7e128789e21c950ad6a223d865115b8f6ecfdf
Instruction Fuzzy Hash: C791E075A006099FDB04DFD4C888FBEBBB5FF86315F104429E940EB292D778A945CB94

Function 0056948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f20821534d5149de52836810e92212c470b01f7e4819ebda209d104ba78c5abd
Instruction ID: 4c1f11464418825ffec402ea1f4d1e1758986ecf041fa9655840f60234bcaa9e
Opcode Fuzzy Hash: f20821534d5149de52836810e92212c470b01f7e4819ebda209d104ba78c5abd
Instruction Fuzzy Hash: 9F910671900219EFCB14CFA9CC88AEEBFB8FF49320F144559E516B7251D774AA42DBA0

Function 005D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D396B
CharUpperBuffW.USER32(?,?), ref: 005D3A7A
_wcslen.LIBCMT ref: 005D3A8A
VariantClear.OLEAUT32(?), ref: 005D3C1F

Part of subcall function 005C0CDF: VariantInit.OLEAUT32(00000000), ref: 005C0D1F
Part of subcall function 005C0CDF: VariantCopy.OLEAUT32(?,?), ref: 005C0D28
Part of subcall function 005C0CDF: VariantClear.OLEAUT32(?), ref: 005C0D34

Strings

AUTOIT.ERROR, xrefs: 005D3A80, 005D3A85
Incorrect Parameter format, xrefs: 005D39A6, 005D3BA1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a5bffa52d1fd1ef338a7000f924f7f98406f82bc75a706b99a1e7b7cf9d3af1b
Instruction ID: 717750b969171c4e33b74bd2f1c0c33efa7acf68c26da6238c6d7b04b57e8b34
Opcode Fuzzy Hash: a5bffa52d1fd1ef338a7000f924f7f98406f82bc75a706b99a1e7b7cf9d3af1b
Instruction Fuzzy Hash: 4C9157756083069FC714DF28C49596ABBE4FF89314F14886EF8899B351DB30EE49CB92

Function 005D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 005B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?,?,005B035E), ref: 005B002B
Part of subcall function 005B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?), ref: 005B0046
Part of subcall function 005B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?), ref: 005B0054
Part of subcall function 005B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?), ref: 005B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005D4C51
_wcslen.LIBCMT ref: 005D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005D4DCF
CoTaskMemFree.OLE32(?), ref: 005D4DDA

Strings

NULL Pointer assignment, xrefs: 005D4E23, 005D4E52

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 850c6b13309b2ff7c53316c9844c35b4c591941df31f52fbf26920c0ebe0d475
Instruction ID: c6bd8c2778daeb9614a5c708eb5fae436a793398beb3f8c21d71bec56941ccab
Opcode Fuzzy Hash: 850c6b13309b2ff7c53316c9844c35b4c591941df31f52fbf26920c0ebe0d475
Instruction Fuzzy Hash: C1911771D00219EFDF24DFA4C895AEEBBB9FF48300F10456AE915AB251DB309A49CF60

Function 005E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005E2183
GetMenuItemCount.USER32(00000000), ref: 005E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005E21DD
_wcslen.LIBCMT ref: 005E2213
GetMenuItemID.USER32(?,?), ref: 005E224D
GetSubMenu.USER32(?,?), ref: 005E225B

Part of subcall function 005B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005B3A57
Part of subcall function 005B3A3D: GetCurrentThreadId.KERNEL32 ref: 005B3A5E
Part of subcall function 005B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005B25B3), ref: 005B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005E22E3

Part of subcall function 005BE97B: Sleep.KERNEL32 ref: 005BE9F3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2c7ea7939b3b1b1d5ed1fbc107d06b0af7ba04d7ca366f330c16d35702850a24
Instruction ID: a8960f301e064e17eee228b5d07ac4e76f8b99a35e4291eadff3244801867c1c
Opcode Fuzzy Hash: 2c7ea7939b3b1b1d5ed1fbc107d06b0af7ba04d7ca366f330c16d35702850a24
Instruction Fuzzy Hash: CF719C75A00245AFCB18DF65C885AAEBFB9BF88310F148459E996EB345D734EE01CB90

Function 005BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005BAEF9
GetKeyboardState.USER32(?), ref: 005BAF0E
SetKeyboardState.USER32(?), ref: 005BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 005BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 005BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 005BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005BB020

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7ccfd596f4fc390a559657d55f0780d85683e1c68ea9c7910d2d183bb35281b5
Instruction ID: 9b5dfc598937dd7076979c0316e8c71b48d922825cf57e1e870e8645637f7840
Opcode Fuzzy Hash: 7ccfd596f4fc390a559657d55f0780d85683e1c68ea9c7910d2d183bb35281b5
Instruction Fuzzy Hash: 185190A0A046D53DFB3692388849BFABEA96B06304F088589E1D9598C3D3D9FCC8D751

Function 005BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005BAD19
GetKeyboardState.USER32(?), ref: 005BAD2E
SetKeyboardState.USER32(?), ref: 005BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005BAE38

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd41d15564e0a2284eae17572dd9b64cea9f37aac63eb2a1f4b03ccd26a69db9
Instruction ID: dc80aabf3908ce09de2650f4bba807604b1798e63bf1f17ebeed451d47f50eb7
Opcode Fuzzy Hash: cd41d15564e0a2284eae17572dd9b64cea9f37aac63eb2a1f4b03ccd26a69db9
Instruction Fuzzy Hash: AD51B3A15047D53DFB378334CC95BFABEA97B46300F088589E1D55A8D2D294FC88E762

Function 0058542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00593CD6,?,?,?,?,?,?,?,?,00585BA3,?,?,00593CD6,?,?), ref: 00585470
__fassign.LIBCMT ref: 005854EB
__fassign.LIBCMT ref: 00585506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00593CD6,00000005,00000000,00000000), ref: 0058552C
WriteFile.KERNEL32(?,00593CD6,00000000,00585BA3,00000000,?,?,?,?,?,?,?,?,?,00585BA3,?), ref: 0058554B
WriteFile.KERNEL32(?,?,00000001,00585BA3,00000000,?,?,?,?,?,?,?,?,?,00585BA3,?), ref: 00585584

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1d5de7ed7e411f592a5f6cf6981d876ba9faab7ffeb685b074b575ddc74957f4
Instruction ID: cb56ea762547cce69b20d407e9159148e4f79a3c232fac3c28acbf80c16148b7
Opcode Fuzzy Hash: 1d5de7ed7e411f592a5f6cf6981d876ba9faab7ffeb685b074b575ddc74957f4
Instruction Fuzzy Hash: 40519E71A00649AFDB10DFA8D885AEEBFF9FF09300F14455AE955F7292E630DA41CB60

Function 005D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005D307A
Part of subcall function 005D304E: _wcslen.LIBCMT ref: 005D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005D1112
WSAGetLastError.WSOCK32 ref: 005D1121
WSAGetLastError.WSOCK32 ref: 005D11C9
closesocket.WSOCK32(00000000), ref: 005D11F9

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: aa127b0fa1ae3050c36ad1539c91d693be89659844f53294d2c5ffe2ad063998
Instruction ID: ed1cc55e055f057b0b9c1ecc9e2c97915bfd9774ee94af0a8807468f7cb7f532
Opcode Fuzzy Hash: aa127b0fa1ae3050c36ad1539c91d693be89659844f53294d2c5ffe2ad063998
Instruction Fuzzy Hash: 95411331200605AFDB249F98C888BA9BFA9FF85324F14801BFD469B381C770ED45CBA5

Function 005BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005BCF22,?), ref: 005BDDFD

Part of subcall function 005BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005BCF22,?), ref: 005BDE16

lstrcmpiW.KERNEL32(?,?), ref: 005BCF45
MoveFileW.KERNEL32(?,?), ref: 005BCF7F
_wcslen.LIBCMT ref: 005BD005
_wcslen.LIBCMT ref: 005BD01B
SHFileOperationW.SHELL32(?), ref: 005BD061

Strings

\*.*, xrefs: 005BCFF3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2bb744d815be0a772e14e09f4eece5678919b25dbd086d65ddefe841181c0035
Instruction ID: 507efae60a9a83c64c68e3f27f8ba26cb240e05227f329a5d6f72872b6a19df3
Opcode Fuzzy Hash: 2bb744d815be0a772e14e09f4eece5678919b25dbd086d65ddefe841181c0035
Instruction Fuzzy Hash: D44196718052199FDF12EFA4D985AEDBFB9BF48340F1000E6E549EB141EB34B689CB10

Function 005E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 005E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 005E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 005E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005E2F0B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e3d8b5874df8a2cc477be89353e9085ff485ca88bf953477cb1c0d24bf7d2fe9
Instruction ID: adacebb8b1375489f76bd8d9e22d84f79636c2dfbafbb23478da54487580a3a0
Opcode Fuzzy Hash: e3d8b5874df8a2cc477be89353e9085ff485ca88bf953477cb1c0d24bf7d2fe9
Instruction Fuzzy Hash: 5C3114306042A09FDB288F19DC85F653BE9FBAA710F1411A4F9848F2B6CB71EC859B41

Function 005B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B778F
SysAllocString.OLEAUT32(00000000), ref: 005B7792
SysAllocString.OLEAUT32(?), ref: 005B77B0
SysFreeString.OLEAUT32(?), ref: 005B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005B77DE
SysAllocString.OLEAUT32(?), ref: 005B77EC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0755a812d6e540158afdf2c10b1772393a2ced3221f2c60cfea11e2da01f73cb
Instruction ID: 131bafb9fcc15f9e6455a3815fb9384188a8a99715084e8f148ea3e66df47544
Opcode Fuzzy Hash: 0755a812d6e540158afdf2c10b1772393a2ced3221f2c60cfea11e2da01f73cb
Instruction Fuzzy Hash: CC219C76608219AFDF10DFA8DC88CFA7BACFB49364B108425BA14DB190DA70EC468760

Function 005B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005B7868
SysAllocString.OLEAUT32(00000000), ref: 005B786B
SysAllocString.OLEAUT32 ref: 005B788C
SysFreeString.OLEAUT32 ref: 005B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 005B78AF
SysAllocString.OLEAUT32(?), ref: 005B78BD

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a600ae5e925bcf9ed0b218d1d55e8cc7d3f86bcd8fbd5e61e39aee58aa37ccc5
Instruction ID: 1965fb4d08d8adb32fab8c31294071a53ee4b246e835d506a30ad82b7474cb76
Opcode Fuzzy Hash: a600ae5e925bcf9ed0b218d1d55e8cc7d3f86bcd8fbd5e61e39aee58aa37ccc5
Instruction Fuzzy Hash: 03216031608208AFDF149FB8DC8CDAA7BACFB4D7607108125F915CB2A1D670EC45DB64

Function 005C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C052E

Strings

nul, xrefs: 005C0567

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 320207263b430367c9854b71fa367ea98599069fba6e4ec5685f616f769ef710
Instruction ID: c3147a4d64395afe89fd190867d1e594c2a2cd02bda75c6adc1e9a7a05565e54
Opcode Fuzzy Hash: 320207263b430367c9854b71fa367ea98599069fba6e4ec5685f616f769ef710
Instruction Fuzzy Hash: 0F212675600205EFDF209FA9D844FAA7FA8BF54B24F204A1DE8A1962E0E7709945DF60

Function 005C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C0601

Strings

nul, xrefs: 005C0639

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e0a00d4de7a2ab667ed4ff0f2181083b6bb6bb874fa328445e424ac0cf0974eb
Instruction ID: de720c67627557adfbf04c6368708c66fd6b292df6c9541c79a7eca498ef6a42
Opcode Fuzzy Hash: e0a00d4de7a2ab667ed4ff0f2181083b6bb6bb874fa328445e424ac0cf0974eb
Instruction Fuzzy Hash: 39216D75500315DFDB209FA98844FAA7BB8BF95B20F200A1DE9E1E72E0D770D8A1CB10

Function 005E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0055604C
Part of subcall function 0055600E: GetStockObject.GDI32(00000011), ref: 00556060
Part of subcall function 0055600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0055606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005E4145

Strings

Msctls_Progress32, xrefs: 005E40E3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 048005ec8c2ca59f91c795b68bcbfdbd7a586c889306841e58d43b6444706cfd
Instruction ID: c1b851457655d3b065be6898520f98977dc68b0aac5dbbb60f11f0b85dff63af
Opcode Fuzzy Hash: 048005ec8c2ca59f91c795b68bcbfdbd7a586c889306841e58d43b6444706cfd
Instruction Fuzzy Hash: 9F11E2B214025ABEEF108F65CC85EE77FADFF08398F014110FA58A60A0C676DC21DBA0

Function 0058D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0058D7A3: _free.LIBCMT ref: 0058D7CC

_free.LIBCMT ref: 0058D82D

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 0058D838
_free.LIBCMT ref: 0058D843
_free.LIBCMT ref: 0058D897
_free.LIBCMT ref: 0058D8A2
_free.LIBCMT ref: 0058D8AD
_free.LIBCMT ref: 0058D8B8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 606f5d414c0005cecd3dc97c414c6be5eb3aec7b8292b0e553587c391991c1a5
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 9811F971640B05AAD621BFB0CC4AFCB7FECBF84700F404825FA9DF64D2DA69A5458760

Function 005BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005BDA74
LoadStringW.USER32(00000000), ref: 005BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005BDA91
LoadStringW.USER32(00000000), ref: 005BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005BDAB9

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4adf5f45b5e9a5820be927c8d544180d1716c70cab51f4f9688628451be013f4
Instruction ID: 1a483b5ccdb244004b7d80c6b4dfcd8c4cd024094b3185b3e943143021884e79
Opcode Fuzzy Hash: 4adf5f45b5e9a5820be927c8d544180d1716c70cab51f4f9688628451be013f4
Instruction Fuzzy Hash: E701A2F2500348BFEB049BA49DC9EEB3B6CEB08301F000491B756E6041E674EE898F70

Function 005C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F4FCE8,00F4FCE8), ref: 005C097B
EnterCriticalSection.KERNEL32(00F4FCC8,00000000), ref: 005C098D
TerminateThread.KERNEL32(?,000001F6), ref: 005C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005C09A9
CloseHandle.KERNEL32(?), ref: 005C09B8
InterlockedExchange.KERNEL32(00F4FCE8,000001F6), ref: 005C09C8
LeaveCriticalSection.KERNEL32(00F4FCC8), ref: 005C09CF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 420a84a4b870f69a00819ca4427ea6e30e014f31eae55b1b6055104194b81853
Instruction ID: a34db8914fe1a384e1d4cc3ddc574615429d7c16a0cbb9a6d106778c83942109
Opcode Fuzzy Hash: 420a84a4b870f69a00819ca4427ea6e30e014f31eae55b1b6055104194b81853
Instruction Fuzzy Hash: A7F01D32442642EBD7455B94EEC8BD67E29BF15702F402015F281598A0C774D46ADF90

Function 005D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005D1DE1
WSAGetLastError.WSOCK32 ref: 005D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 005D1EDB
inet_ntoa.WSOCK32(?), ref: 005D1E8C

Part of subcall function 005B39E8: _strlen.LIBCMT ref: 005B39F2

Part of subcall function 005D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005CEC0C), ref: 005D3240

_strlen.LIBCMT ref: 005D1F35

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9f2f19c1ef1abe78a69672f563ed8144533910cb6bf3473bd146d6ddf9ba1a1f
Instruction ID: 45fc8d99a69cbea70f3382c85ea589ecf2e8002a62d8a1d3a0ec162c12abcc15
Opcode Fuzzy Hash: 9f2f19c1ef1abe78a69672f563ed8144533910cb6bf3473bd146d6ddf9ba1a1f
Instruction Fuzzy Hash: 59B1AE30204742AFD724DF28C899E2A7FA5BF84318F54894EF4565B3A2DB31ED46CB91

Function 00555D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00555D30
GetWindowRect.USER32(?,?), ref: 00555D71
ScreenToClient.USER32(?,?), ref: 00555D99
GetClientRect.USER32(?,?), ref: 00555ED7
GetWindowRect.USER32(?,?), ref: 00555EF8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d295752d671a07400fc6cb60b920f4c031fc204b2ec92dc71bdc429b19ab9154
Instruction ID: 07404dfc49658789cd4aa83a8376ba482dec898689da08e33dc9ab8c4d8a8a60
Opcode Fuzzy Hash: d295752d671a07400fc6cb60b920f4c031fc204b2ec92dc71bdc429b19ab9154
Instruction Fuzzy Hash: 92B18C35A0064ADBDF14CFA8C491BEEBBF5FF58311F14881AE8A9D7250E730AA45DB50

Function 005801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005800D6
__allrem.LIBCMT ref: 005800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0058010B
__allrem.LIBCMT ref: 00580122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00580140

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 62bcdbed749a96d9e07c144a76a24313940099273ce01945b936c0e95310e033
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FD81F772600B079BE720FE69DC49B6A7BE8BF81334F248539F855E62C1EB70D9049750

Function 005861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005782D9,005782D9,?,?,?,0058644F,00000001,00000001,8BE85006), ref: 00586258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0058644F,00000001,00000001,8BE85006,?,?,?), ref: 005862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005863D8
__freea.LIBCMT ref: 005863E5

Part of subcall function 00583820: RtlAllocateHeap.NTDLL(00000000,?,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6,?,00551129), ref: 00583852

__freea.LIBCMT ref: 005863EE
__freea.LIBCMT ref: 00586413

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 147aa5b2674915a9f0073a4d5283dc880409c6917dfd5aa2e21ae152c356003b
Instruction ID: 42756aba6a1c913a2d1555b21fa7aaa511c5d34fc2a5df451cd2214a51f21cfa
Opcode Fuzzy Hash: 147aa5b2674915a9f0073a4d5283dc880409c6917dfd5aa2e21ae152c356003b
Instruction Fuzzy Hash: EC51BE72A00216ABEB25AF64DC85EAF7EAAFB84710F144A69FC05E7150EF34DC40C760

Function 005DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DB6AE,?,?), ref: 005DC9B5
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DC9F1
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA68
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005DBD25
RegCloseKey.ADVAPI32(00000000), ref: 005DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005DBDF3
RegCloseKey.ADVAPI32(?), ref: 005DBDFF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 980e0fd05f24439898a029b6d313a305d73ef67d414b4f2db2785ef3f459b416
Instruction ID: df15cbd551eabd408d84f034773472af849b0ee619d6f5e86c9944f7f85355cf
Opcode Fuzzy Hash: 980e0fd05f24439898a029b6d313a305d73ef67d414b4f2db2785ef3f459b416
Instruction Fuzzy Hash: 6C814C30118242EFD714DF24C895E2ABBE6FF84308F15495EF4558B2A2DB31ED49CB92

Function 005AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 005AF7B9
SysAllocString.OLEAUT32(00000001), ref: 005AF860
VariantCopy.OLEAUT32(005AFA64,00000000), ref: 005AF889
VariantClear.OLEAUT32(005AFA64), ref: 005AF8AD
VariantCopy.OLEAUT32(005AFA64,00000000), ref: 005AF8B1
VariantClear.OLEAUT32(?), ref: 005AF8BB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: cc1754389cfe8d2fc8b7ff77d433e07a207a087f1d0979c05cdf06473ae3eae8
Instruction ID: 001cca427775a71585e7bba2561a96356c2a0ed3268fd6cfca5c0f7bda58b3ed
Opcode Fuzzy Hash: cc1754389cfe8d2fc8b7ff77d433e07a207a087f1d0979c05cdf06473ae3eae8
Instruction Fuzzy Hash: 0C51D731500311BEDF14ABA5E899B2EBBA4FF86311F244867E805DF291DB748C41C7A6

Function 005C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00557620: _wcslen.LIBCMT ref: 00557625

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005C94E5
_wcslen.LIBCMT ref: 005C9506
_wcslen.LIBCMT ref: 005C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 005C9585

Strings

X, xrefs: 005C9412

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2547dd816b4f83f3fb5684fc7d760249f74684cf3485cc44b6e2f4e836215644
Instruction ID: b2af24ea6c46c53c438aaf7b7b9ba0eecc1789e6238db37d7b1f2e0b911f5bea
Opcode Fuzzy Hash: 2547dd816b4f83f3fb5684fc7d760249f74684cf3485cc44b6e2f4e836215644
Instruction Fuzzy Hash: D2E17E315083418FD724DF64C899F6ABBE4BFC5314F14896DE8899B2A2EB31DD05CB92

Function 0056920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

BeginPaint.USER32(?,?,?), ref: 00569241
GetWindowRect.USER32(?,?), ref: 005692A5
ScreenToClient.USER32(?,?), ref: 005692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005692D3
EndPaint.USER32(?,?,?,?,?), ref: 00569321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005A71EA

Part of subcall function 00569339: BeginPath.GDI32(00000000), ref: 00569357

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 4b2a0c691fe1f3274b45d77016187370b66e7eb97123dc2947d34456c6402c55
Instruction ID: 3b163a24a02e58f1de94f315bf1a3e33b3290becc501028de5d470444946e130
Opcode Fuzzy Hash: 4b2a0c691fe1f3274b45d77016187370b66e7eb97123dc2947d34456c6402c55
Instruction Fuzzy Hash: A841AE70508341AFD721DF24DC94FBA7FA9FB9A320F140629F9948B2A1C7309846DB61

Function 005C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005C0847
EnterCriticalSection.KERNEL32(?), ref: 005C0863
LeaveCriticalSection.KERNEL32(?), ref: 005C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005C0921

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 5510be3f8d95ef45e608d661c7f03f638b934140a015beb0ba5dc5610cdf0558
Instruction ID: 002d5d3169ccf1cdd3d3d8793f10ef2510e0e80b4f9f6de55cc51aa3f07f00d8
Opcode Fuzzy Hash: 5510be3f8d95ef45e608d661c7f03f638b934140a015beb0ba5dc5610cdf0558
Instruction Fuzzy Hash: 8C414771900205EFDF149F94D885AAA7BB9FF44310F1480A9ED049F296D731DE65DBA0

Function 005E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005AF3AB,00000000,?,?,00000000,?,005A682C,00000004,00000000,00000000), ref: 005E824C
EnableWindow.USER32(?,00000000), ref: 005E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005E82D1
ShowWindow.USER32(?,00000004), ref: 005E82E5
EnableWindow.USER32(?,00000001), ref: 005E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005E832F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 45184e573143e68ff762e032487f4c73b67d4aedd5e4198360b9df0da58d7a6d
Instruction ID: 277544891b813625304e3da6decb1dc52ba76c8bf2912ce284ab0f11362b1f0e
Opcode Fuzzy Hash: 45184e573143e68ff762e032487f4c73b67d4aedd5e4198360b9df0da58d7a6d
Instruction Fuzzy Hash: A541D734601A80AFDB29CF16CC99BF47FE1FB1A714F181168E68C4F262C732A846CB40

Function 005B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005B4CEA
_wcslen.LIBCMT ref: 005B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005B4D10
_wcsstr.LIBVCRUNTIME ref: 005B4D1A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b90ba7fa0f8042460b3103c7c19caa6fca7029878e9c742b74fa43e1b5b22cf9
Instruction ID: df3b4ad5077f8f3dc375744461ea5c4e94303bf85824696e0529e6d7cb85bd49
Opcode Fuzzy Hash: b90ba7fa0f8042460b3103c7c19caa6fca7029878e9c742b74fa43e1b5b22cf9
Instruction Fuzzy Hash: 8621F9326042417FEB259B39EC49EBB7FACFF45750F108029F805CE192DA61EC019BA0

Function 005C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00553AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00553A97,?,?,00552E7F,?,?,?,00000000), ref: 00553AC2

_wcslen.LIBCMT ref: 005C587B
CoInitialize.OLE32(00000000), ref: 005C5995
CoCreateInstance.OLE32(005EFCF8,00000000,00000001,005EFB68,?), ref: 005C59AE
CoUninitialize.OLE32 ref: 005C59CC

Strings

.lnk, xrefs: 005C5876, 005C58C1, 005C5985

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b2c9a43269bcf122e96d6f6b8fd42bdef19b972ea5c21f1b2948484b70dabe97
Instruction ID: ceff71388850745864c6eb798869a90fdfbb41aae67211885f79293a1d3321b8
Opcode Fuzzy Hash: b2c9a43269bcf122e96d6f6b8fd42bdef19b972ea5c21f1b2948484b70dabe97
Instruction Fuzzy Hash: A6D165756086019FC704DFA4C494E2ABBE1FF89714F14495DF88A9B361EB31EC89CB92

Function 005B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005B0FCA
Part of subcall function 005B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005B0FD6
Part of subcall function 005B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005B0FE5
Part of subcall function 005B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005B0FEC
Part of subcall function 005B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005B1002

GetLengthSid.ADVAPI32(?,00000000,005B1335), ref: 005B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005B17BA
HeapAlloc.KERNEL32(00000000), ref: 005B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005B17DA
GetProcessHeap.KERNEL32(00000000,00000000,005B1335), ref: 005B17EE
HeapFree.KERNEL32(00000000), ref: 005B17F5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0d7c61fc4f7fbdf640eebadc78eadac195631c511e6d49648fa6f67efad834c6
Instruction ID: 38a0cf20913f5284fd6dbe448d9fe7a2339182a1fd4395e680c904f6362d482c
Opcode Fuzzy Hash: 0d7c61fc4f7fbdf640eebadc78eadac195631c511e6d49648fa6f67efad834c6
Instruction Fuzzy Hash: 3F11AC32600A05FFDB589FA4CC99BEE7FA9FB42355F504018F8819B210CB35E945DB64

Function 005B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 005B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005B1515
CloseHandle.KERNEL32(00000004), ref: 005B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 005B1563

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1b097643c5e263dd141fec7b769135f25bca4977a31cec9fe871d521cf762953
Instruction ID: 8f34fa465756792c06b35fd1703a326b5a0e9c166ca67396ae42cd0e283cb7b8
Opcode Fuzzy Hash: 1b097643c5e263dd141fec7b769135f25bca4977a31cec9fe871d521cf762953
Instruction Fuzzy Hash: 89114472500249ABDF11CFA8DD89FDE7FA9FB48704F044029FA05A60A0C371DE65AB64

Function 00573382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00573379,00572FE5), ref: 00573390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0057339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005733B7
SetLastError.KERNEL32(00000000,?,00573379,00572FE5), ref: 00573409

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3ce19e08a65a5c3cd1e48715f6c17908b5ead8fe457625cf215cecfcdb42123f
Instruction ID: 5f1a66cac57791893a0a0b8285a368a49dafd64a4e420017e9a9e8d21ec2a106
Opcode Fuzzy Hash: 3ce19e08a65a5c3cd1e48715f6c17908b5ead8fe457625cf215cecfcdb42123f
Instruction Fuzzy Hash: 4C012833248312BEEB2927747C8959B2E56FB59376730C62AF418841F0EF124D05B544

Function 00582D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00585686,00593CD6,?,00000000,?,00585B6A,?,?,?,?,?,0057E6D1,?,00618A48), ref: 00582D78
_free.LIBCMT ref: 00582DAB
_free.LIBCMT ref: 00582DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0057E6D1,?,00618A48,00000010,00554F4A,?,?,00000000,00593CD6), ref: 00582DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0057E6D1,?,00618A48,00000010,00554F4A,?,?,00000000,00593CD6), ref: 00582DEC
_abort.LIBCMT ref: 00582DF2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 709e41beed3be26b56d413d80f014eec191b66aef862e6fe3546a5d8c3aa4200
Instruction ID: 651a6e16728f70f6382a0d565a4b9e55dd8abee6485c458b5b1ae5ccee4579c4
Opcode Fuzzy Hash: 709e41beed3be26b56d413d80f014eec191b66aef862e6fe3546a5d8c3aa4200
Instruction Fuzzy Hash: C8F0A436646A0267C7123738BC0EA5F2D6ABFD17A1F254819FC69B61D2EE2498035360

Function 005E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00569639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00569693
Part of subcall function 00569639: SelectObject.GDI32(?,00000000), ref: 005696A2
Part of subcall function 00569639: BeginPath.GDI32(?), ref: 005696B9
Part of subcall function 00569639: SelectObject.GDI32(?,00000000), ref: 005696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005E8A70
LineTo.GDI32(?,00000000,00000003), ref: 005E8A80
EndPath.GDI32(?), ref: 005E8A90
StrokePath.GDI32(?), ref: 005E8AA0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a635acbd74a5702d5c5aaad6a3a7c544e91c76825fb9f9917298fa0127d4b5e2
Instruction ID: dfec08b70b8bd08540e1261161bfc37a81e47c9ff1e3ae97cd9313209e22ce67
Opcode Fuzzy Hash: a635acbd74a5702d5c5aaad6a3a7c544e91c76825fb9f9917298fa0127d4b5e2
Instruction Fuzzy Hash: 68115E7200014DFFDF129F90DC88EAA7F6DEB05360F008061FA599A160C7719D56DFA0

Function 005B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 005B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B5230
ReleaseDC.USER32(00000000,00000000), ref: 005B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 005B5261

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bea6e28ed645ea83b375b94f68764f9696d7ec159f494961a3bd5dfdacae2a22
Instruction ID: 95d043c81d2cae1e331ce2cb8b57c446682025c766967a94c45054a805f0bc09
Opcode Fuzzy Hash: bea6e28ed645ea83b375b94f68764f9696d7ec159f494961a3bd5dfdacae2a22
Instruction Fuzzy Hash: 5E018475A01704BBEB149BE99C49B4EBF78FB54751F044065FA04AB280D670D805DB60

Function 00551BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00551BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00551BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00551C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00551C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00551C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00551C22

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a4f8d1ac2f8d9aebc127fd3c24dde02fecf08911df1bf6bbda78dc58420065b7
Instruction ID: 851dfe11e54235390e8afc796798a9ccb82c4f10122a5911a1ec83b4c4635744
Opcode Fuzzy Hash: a4f8d1ac2f8d9aebc127fd3c24dde02fecf08911df1bf6bbda78dc58420065b7
Instruction Fuzzy Hash: 320148B09027597DE3008F5A8C85A52FFA8FF19354F00411B915C4B941C7B5A864CBE5

Function 005BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 005BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005BEB75

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 57093c8a3123f5ae23fed682b0479d84f60b297d1256fe6fbcb077df8a8391db
Instruction ID: 546f4de6f8b2d499de718d75385af98345defbc1ad39e91f86dfc4af18e9dba5
Opcode Fuzzy Hash: 57093c8a3123f5ae23fed682b0479d84f60b297d1256fe6fbcb077df8a8391db
Instruction Fuzzy Hash: A3F0B472100198BFE72857529C4EEEF3E7CEFDBB11F000158FA41D9090D7A09A06D6B4

Function 005A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 005A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 005A7469
GetWindowDC.USER32(?), ref: 005A7475
GetPixel.GDI32(00000000,?,?), ref: 005A7484
ReleaseDC.USER32(?,00000000), ref: 005A7496
GetSysColor.USER32(00000005), ref: 005A74B0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: a3fa53a35e0c353f30d9e808164adec488c2efb19bf25e4a7b90501281c90267
Instruction ID: 41d80a2b683bdbcc21a7da5a3753ef07b7bcee9c03474ee9a867ae9479dd2fd3
Opcode Fuzzy Hash: a3fa53a35e0c353f30d9e808164adec488c2efb19bf25e4a7b90501281c90267
Instruction Fuzzy Hash: AA018B31400659EFDB145F68DC48BAE7FB6FB18311F1040A4F966AB0A0CB315E46EB10

Function 005B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005B187F
UnloadUserProfile.USERENV(?,?), ref: 005B188B
CloseHandle.KERNEL32(?), ref: 005B1894
CloseHandle.KERNEL32(?), ref: 005B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005B18A5
HeapFree.KERNEL32(00000000), ref: 005B18AC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8d2691d6f789b7ceb90c88a42b100cd810a7f429e616325392a119eea3937976
Instruction ID: 5f22ce5ad69ed131b2da42f6e7a6d5d6a30034649c414ec116f63cbe116ae0f6
Opcode Fuzzy Hash: 8d2691d6f789b7ceb90c88a42b100cd810a7f429e616325392a119eea3937976
Instruction Fuzzy Hash: 7CE0E536004241BBDB095FA1ED4C90ABF39FF6AB22B108624F66589070CB32D426EF50

Function 0055BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0055BEB3

Strings

D%b, xrefs: 0055BDED, 0055BD91, 0055BD1B
D%bD%b, xrefs: 0055BCA5
D%b, xrefs: 0055BCA2
D%b, xrefs: 0055BE9A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%b$D%b$D%b$D%bD%b
API String ID: 1385522511-1913861116
Opcode ID: 74e53bde6a6a8ba792242ffc240b12e6b8b13d6bc9e27a25aa00c60c165857d0
Instruction ID: 9ac4e8363ed64c4f09ccee2d07ef06b0c6117c1cd148fcebf5956ec91cf3728c
Opcode Fuzzy Hash: 74e53bde6a6a8ba792242ffc240b12e6b8b13d6bc9e27a25aa00c60c165857d0
Instruction Fuzzy Hash: 45918B75A0020ADFDB18CF58C0A56A9BBF2FF58311F24856AD945AB350E731ED85CF90

Function 005D7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00570242: EnterCriticalSection.KERNEL32(0062070C,00621884,?,?,0056198B,00622518,?,?,?,005512F9,00000000), ref: 0057024D
Part of subcall function 00570242: LeaveCriticalSection.KERNEL32(0062070C,?,0056198B,00622518,?,?,?,005512F9,00000000), ref: 0057028A

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005700A3: __onexit.LIBCMT ref: 005700A9

__Init_thread_footer.LIBCMT ref: 005D7BFB

Part of subcall function 005701F8: EnterCriticalSection.KERNEL32(0062070C,?,?,00568747,00622514), ref: 00570202
Part of subcall function 005701F8: LeaveCriticalSection.KERNEL32(0062070C,?,00568747,00622514), ref: 00570235

Strings

5, xrefs: 005D7C78
Variable must be of type 'Object'., xrefs: 005D7C3A
G, xrefs: 005D7C7F
+TZ, xrefs: 005D7E2E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TZ$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2701865965
Opcode ID: 094baab377c2c62b1b32690e9ce6ab33a0b79b0f91c64769926c16c0af802e5d
Instruction ID: 941b9e57e265c5f600269894cfa62a21a20468f619c14f60392d7ae7f81156e0
Opcode Fuzzy Hash: 094baab377c2c62b1b32690e9ce6ab33a0b79b0f91c64769926c16c0af802e5d
Instruction Fuzzy Hash: 8A916D70604209EFCB24EF58D8959ADBFB2BF89300F10805BF8466B391EB719E45CB51

Function 005BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00557620: _wcslen.LIBCMT ref: 00557625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005BC6EE
_wcslen.LIBCMT ref: 005BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005BC7CA

Strings

0, xrefs: 005BC6AF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 23c68ea92d36eb3469adb043dece4cf3db63eb08d7ad688c7b059cfa59a27c5f
Instruction ID: 771e4d48ad8a4c1982df2d81ceb69dfb939359a85fc737c640997eb11635c369
Opcode Fuzzy Hash: 23c68ea92d36eb3469adb043dece4cf3db63eb08d7ad688c7b059cfa59a27c5f
Instruction Fuzzy Hash: 9651DE716043019BD714DF28D889AAB7FE8FF99310F040A2EF9A5D71A0DB60E8048B5A

Function 005DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005DAEA3

Part of subcall function 00557620: _wcslen.LIBCMT ref: 00557625

GetProcessId.KERNEL32(00000000), ref: 005DAF38
CloseHandle.KERNEL32(00000000), ref: 005DAF67

Strings

<, xrefs: 005DAE6B
@, xrefs: 005DAE72

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 22c855d882e42b77078fc4652d2104014d5a0ab06ea3df83c20d2c5b70b63873
Instruction ID: ed230e03e1c7358babea1be2bb8fa20275a2d088477cc328806d7f4e7db3f8ff
Opcode Fuzzy Hash: 22c855d882e42b77078fc4652d2104014d5a0ab06ea3df83c20d2c5b70b63873
Instruction Fuzzy Hash: 39716775A0021ADFCB24DF58D498A9EBFB4FF48310F04849AE856AB392D734ED45CB91

Function 005B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005B72CF

Strings

DllGetClassObject, xrefs: 005B7242

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 16b70f272b55070cd077b9576f1d10a87844878ae5758ea9f0a29874982a3326
Instruction ID: b19bc5061ab13496701d40d414c65252da1dfa8c1ecd650e1f2bc2dadd408047
Opcode Fuzzy Hash: 16b70f272b55070cd077b9576f1d10a87844878ae5758ea9f0a29874982a3326
Instruction Fuzzy Hash: EA417175A04208DFDB15CF54C885ADABFA9FF88310F1484ADBD059F20AD7B0EA45DBA0

Function 005E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E3E35
IsMenu.USER32(?), ref: 005E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005E3E92
DrawMenuBar.USER32 ref: 005E3EA5

Strings

0, xrefs: 005E3D89

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ea2b0d72507d81476e575be5f1fb0cb5340b05febc13437c7968395ae30784f9
Instruction ID: 7138398670765bda8d910301646857e6165848e483c3d17b0288640784a20420
Opcode Fuzzy Hash: ea2b0d72507d81476e575be5f1fb0cb5340b05febc13437c7968395ae30784f9
Instruction Fuzzy Hash: 35416975A00289EFDB28DF51D888EAABBB9FF49350F044129F985AB250D730EE45DF50

Function 005B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 005B1EA9

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

Strings

ListBox, xrefs: 005B1E25
ComboBox, xrefs: 005B1DF0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4577790ee2cefc26ad6c9988a938bc332cd21392df48cccbd346b9d49b084f0b
Instruction ID: 5a73efc48b7c6fc91538afbbd0ecfe3560f4d689f834c27de02acdc65e357d7a
Opcode Fuzzy Hash: 4577790ee2cefc26ad6c9988a938bc332cd21392df48cccbd346b9d49b084f0b
Instruction Fuzzy Hash: 9D215A71900104BADB049B64DC6ACFFBFBDFF81350B50441AFC11AB1D1DB349D0A8620

Function 005E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005E2F8D
LoadLibraryW.KERNEL32(?), ref: 005E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005E2FA9
DestroyWindow.USER32(?), ref: 005E2FB1

Strings

SysAnimate32, xrefs: 005E2F68

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: eaff7ba9e8505835fed5864ac26daa372f83ae7e843402d0d0fa5410ff498233
Instruction ID: 12a017fbb133340e20c9d8a12bee7ec1dec6082bb25d58a71aeb1d62501a50c3
Opcode Fuzzy Hash: eaff7ba9e8505835fed5864ac26daa372f83ae7e843402d0d0fa5410ff498233
Instruction Fuzzy Hash: 2621F072200285ABEB184F66DC86FBB3BBEFB59324F100218F9A0D6098D771DC519760

Function 00574D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00574D1E,005828E9,?,00574CBE,005828E9,006188B8,0000000C,00574E15,005828E9,00000002), ref: 00574D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00574DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00574D1E,005828E9,?,00574CBE,005828E9,006188B8,0000000C,00574E15,005828E9,00000002,00000000), ref: 00574DC3

Strings

mscoree.dll, xrefs: 00574D86
CorExitProcess, xrefs: 00574D98

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a73f350e85b85e180ddbd3fd5ef22824b2b69b2c96a2b4302ee1c08cd898ead7
Instruction ID: 534cd00b506a0e07a70b404b90c04453dbb256b36e9ebc065f043a3619f51caa
Opcode Fuzzy Hash: a73f350e85b85e180ddbd3fd5ef22824b2b69b2c96a2b4302ee1c08cd898ead7
Instruction Fuzzy Hash: E8F0AF30A40308BBDB159F90EC49BADBFB5FF44712F0440A8F949AA2A0CB309945EF90

Function 00554E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00554EDD,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00554EAE
FreeLibrary.KERNEL32(00000000,?,?,00554EDD,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554EC0

Strings

kernel32.dll, xrefs: 00554E94
Wow64DisableWow64FsRedirection, xrefs: 00554EA8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 139e9adab593b246e052c1dce627f4afc76d360bf7c64829aceccb5627e41731
Instruction ID: f407da3308947c20c078c52983cd4f81e95718bac358b936185b7b21e693a82e
Opcode Fuzzy Hash: 139e9adab593b246e052c1dce627f4afc76d360bf7c64829aceccb5627e41731
Instruction Fuzzy Hash: 57E08635E016225BD22917256C29A5B6D5DBF92F677050116FC41DB200DB60CD4A94A1

Function 00554E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00593CDE,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00554E74
FreeLibrary.KERNEL32(00000000,?,?,00593CDE,?,00621418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00554E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00554E6E
kernel32.dll, xrefs: 00554E5B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 63586dcf56e4ac69b443a2fc38bb030d1c77642940a3d935d90bfb639d88ce0c
Instruction ID: 1b7c8bb8ad590c266a712368fc2dcb664f3e47fb6b44f2ba8169714353dcebc0
Opcode Fuzzy Hash: 63586dcf56e4ac69b443a2fc38bb030d1c77642940a3d935d90bfb639d88ce0c
Instruction Fuzzy Hash: E9D0C23190267157862A1B256C29D8B2E1CBF81F163050116BC41AA210CF20CD4AD9D1

Function 005C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005C2C05
DeleteFileW.KERNEL32(?), ref: 005C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005C2CC0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5e417b8192b178e6e0f03b05fd36279d35eb592310ebb843a85cc85eee0e378e
Instruction ID: 5a3f09b24b7391dd0439929abb2ac8eb915a3f6d1670bc1edfd7c0573e29b527
Opcode Fuzzy Hash: 5e417b8192b178e6e0f03b05fd36279d35eb592310ebb843a85cc85eee0e378e
Instruction Fuzzy Hash: 2DB13D72D0011AAFDF15DBA4CC99EDEBB7DFF48350F1040AAFA09E6151EA709E448B61

Function 005DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 005DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005DA468
CloseHandle.KERNEL32(?), ref: 005DA63D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 3dc9e537b6f440589ae45c50d88eb55dae7e53850c902dc3f801f16222aba463
Instruction ID: 4220b47ae982b9aa0b1f9a256ba8dbb15ccc7451c2e02bb9ed9093343214ce22
Opcode Fuzzy Hash: 3dc9e537b6f440589ae45c50d88eb55dae7e53850c902dc3f801f16222aba463
Instruction Fuzzy Hash: 39A190716043019FDB20DF28D896B2ABBE1BF84714F14885EF99A9B392DB70EC45CB41

Function 0058BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005F3700), ref: 0058BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0062121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0058BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00621270,000000FF,?,0000003F,00000000,?), ref: 0058BC36
_free.LIBCMT ref: 0058BB7F

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 0058BD4B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 52f4accfad53b8239c705aa16b0635251527fe93b50441d203a15cbc890eee9d
Instruction ID: 1a60db0ef26d5e46cebc922a0f8b7d929d42908ac47d4f7d4949e870ee80c073
Opcode Fuzzy Hash: 52f4accfad53b8239c705aa16b0635251527fe93b50441d203a15cbc890eee9d
Instruction Fuzzy Hash: 5D51D87190420AEFEB24FF659C859AEBFBDFB91310B10466AF854F7191DB309E418B50

Function 005BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005BCF22,?), ref: 005BDDFD

Part of subcall function 005BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005BCF22,?), ref: 005BDE16

Part of subcall function 005BE199: GetFileAttributesW.KERNEL32(?,005BCF95), ref: 005BE19A

lstrcmpiW.KERNEL32(?,?), ref: 005BE473
MoveFileW.KERNEL32(?,?), ref: 005BE4AC
_wcslen.LIBCMT ref: 005BE5EB
_wcslen.LIBCMT ref: 005BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005BE650

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 655745f303081f74c84c9f653943b58124448c9b1043d7daa39cbe94ae00b1e7
Instruction ID: b8d4da329b0e3158a56e260b6886ad51c078946911a82ad354c7415de8bd34fc
Opcode Fuzzy Hash: 655745f303081f74c84c9f653943b58124448c9b1043d7daa39cbe94ae00b1e7
Instruction Fuzzy Hash: DD5180B24083859BC724DBA0D8959DB7BECBFC4340F04492EF68993191EF75B68C8766

Function 005DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DB6AE,?,?), ref: 005DC9B5
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DC9F1
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA68
Part of subcall function 005DC998: _wcslen.LIBCMT ref: 005DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005DBB63
RegCloseKey.ADVAPI32(?,?), ref: 005DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 005DBBB3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 662cc9b01dcd931ce9ccb484705f1d67d163e14102fcb2fbd34150092ad45970
Instruction ID: da4be78d78b47a1fe03bc855caaddc72c2db0a310f03deb172c0baefcaa23220
Opcode Fuzzy Hash: 662cc9b01dcd931ce9ccb484705f1d67d163e14102fcb2fbd34150092ad45970
Instruction Fuzzy Hash: 0C615E31208241EFE724DF18C495E2ABBE5FF84308F55895EF4994B292DB31ED49CB92

Function 005B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B8BCD
VariantClear.OLEAUT32 ref: 005B8C3E
VariantClear.OLEAUT32 ref: 005B8C9D
VariantClear.OLEAUT32(?), ref: 005B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005B8D3B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f44ba48c9118b7e8de1ec13852e9c0c26df56f4fc67fe0c87afeb15ae4efaaad
Instruction ID: 88c81d0e374b78baffc00a5f5940ef4435ea63b0fd79d3ae6c140847d83f36a9
Opcode Fuzzy Hash: f44ba48c9118b7e8de1ec13852e9c0c26df56f4fc67fe0c87afeb15ae4efaaad
Instruction Fuzzy Hash: FB515BB5A00619EFCB14CF58C894AAABBF9FF89310B15855AE915DB350E730E911CB90

Function 005C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005C8C5F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9beec5d56414419a6c015d780e73f40e5617a3ffd11a6d28c051a8851b6128b2
Instruction ID: acf7af04685fda94a048b9606443c6347a9408d4eefdedcb45e5cf9aa8a4d4e1
Opcode Fuzzy Hash: 9beec5d56414419a6c015d780e73f40e5617a3ffd11a6d28c051a8851b6128b2
Instruction Fuzzy Hash: 0F514835A00219AFCB04DF64C894E6ABFF5FF88314F088459E849AB362DB31ED55CB90

Function 005D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 005D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 005D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 005D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 005D9032
FreeLibrary.KERNEL32(00000000), ref: 005D9052

Part of subcall function 0056F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005C1043,?,7529E610), ref: 0056F6E6
Part of subcall function 0056F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,005AFA64,00000000,00000000,?,?,005C1043,?,7529E610,?,005AFA64), ref: 0056F70D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 143c110d93b96b2c05be8e14b7c1a8745b21d01c858886dbc4ec1f4d59cd4367
Instruction ID: e8309fc42b3949bd0dc85ebd5c9086602afa7347b9c5a4ae0999d4543bd8ad95
Opcode Fuzzy Hash: 143c110d93b96b2c05be8e14b7c1a8745b21d01c858886dbc4ec1f4d59cd4367
Instruction Fuzzy Hash: EB511935604246DFC715DF68C4988ADBFB1FF89314F04809AE8569B362DB31ED8ACB91

Function 005E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005CAB79,00000000,00000000), ref: 005E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005E6CC7

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b67fcdf212ab61e317b416c61736075fee16fa296db3f7e519e3edf9c2b1cfc7
Instruction ID: 59b64a8e2edafd93add76ca1f05845bc80ce0a36bded0576e78c351700c15c07
Opcode Fuzzy Hash: b67fcdf212ab61e317b416c61736075fee16fa296db3f7e519e3edf9c2b1cfc7
Instruction Fuzzy Hash: BA41A535A04184AFD728CF29CC55FA57FA5FB193D0F240664E8D9AB2A0C371ED41DA40

Function 00582051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005820C3
_free.LIBCMT ref: 005820E3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 94ae454165ce53635fa8e2ef02fe34a9c16ff96a525760288c906651c5695cdc
Instruction ID: 61589712b75e7690a7ef5ff7201e469d482b8a306523d00586bb91ab050a0fc2
Opcode Fuzzy Hash: 94ae454165ce53635fa8e2ef02fe34a9c16ff96a525760288c906651c5695cdc
Instruction Fuzzy Hash: 9F41A372A002049FCB24EF78C889A5DBFB6FF89714F258569E915EB395D631AD01CB80

Function 0056912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00569141
ScreenToClient.USER32(00000000,?), ref: 0056915E
GetAsyncKeyState.USER32(00000001), ref: 00569183
GetAsyncKeyState.USER32(00000002), ref: 0056919D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2c2217a7a0d779ae8fa2360518ec2ae72655f6232d341d6fad0cd524bdf480b8
Instruction ID: ed12555700a578cdc937f0d8a3d6c7016cde7bc24977e4ce23f7ec3719d1eaa0
Opcode Fuzzy Hash: 2c2217a7a0d779ae8fa2360518ec2ae72655f6232d341d6fad0cd524bdf480b8
Instruction Fuzzy Hash: BD41733150860BFBDF099F64C848BEEBBB8FB4A320F204215E469A7290C7345D54DF91

Function 005C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 005C3922
TranslateMessage.USER32(?), ref: 005C394B
DispatchMessageW.USER32(?), ref: 005C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005C3966

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c301133e4e207b84ff08972a3725720bf0b72b91f9786dc73e2df2d2543bdf23
Instruction ID: d0fda3725e751c5574641b66725e3a8043693d5f12d53990d2eb6c008fd44a72
Opcode Fuzzy Hash: c301133e4e207b84ff08972a3725720bf0b72b91f9786dc73e2df2d2543bdf23
Instruction Fuzzy Hash: 4031DC7090878A9EEB35CFB4D848FB63FA9FB16304F04856DE452C61A0E3F59686CB11

Function 005CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005CC21E,00000000), ref: 005CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 005CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,005CC21E,00000000), ref: 005CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,005CC21E,00000000), ref: 005CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,005CC21E,00000000), ref: 005CCFF2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e990c0893cec01039427295c1f89b4f745a6d14727fb4c7d12f7736a6caedad2
Instruction ID: 523e2406a46d28493fa1cde6d18712ca148455a31181e057a09b6ed75b6c3878
Opcode Fuzzy Hash: e990c0893cec01039427295c1f89b4f745a6d14727fb4c7d12f7736a6caedad2
Instruction Fuzzy Hash: AF314971A00206AFDB24DFE5D884EAABFFAFB14354B10442EF55AD6141DB30EE459B60

Function 005B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005B19E2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2bfd2ac1cdf18bae95cd2def8260ccc86d86c0a6902363086ceba61062e44d80
Instruction ID: bc13a47427c7f4b4cea0059ec96650a006f74efac5cfda3cfc93dba8eeecf51a
Opcode Fuzzy Hash: 2bfd2ac1cdf18bae95cd2def8260ccc86d86c0a6902363086ceba61062e44d80
Instruction Fuzzy Hash: 3231CF72900259EFCB04CFA8C9A8ADE3FB5FB04314F104225F961AB2D0C770A944DB90

Function 005E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005E579D
_wcslen.LIBCMT ref: 005E57AF
_wcslen.LIBCMT ref: 005E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005E5816

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: eee09ab68a2adb85fca9a351a2cce180f2c2767d1ab6d158a8814623029c594d
Instruction ID: 7d7001cbb89d07557ecb5d6beba795eec22bd8835b0cb497ce4a53d1e7951e40
Opcode Fuzzy Hash: eee09ab68a2adb85fca9a351a2cce180f2c2767d1ab6d158a8814623029c594d
Instruction Fuzzy Hash: A521D5309046999ADF248F65CC84AEE7FB8FF54328F108216E999EF1C1E7708985CF50

Function 005D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005D0951
GetForegroundWindow.USER32 ref: 005D0968
GetDC.USER32(00000000), ref: 005D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 005D09B0
ReleaseDC.USER32(00000000,00000003), ref: 005D09E8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b18fdd6ade8f77e733c0088e2a35ab7b1e0dfb2abd5f5c8c097fdd7c606bca34
Instruction ID: 3629adad41acc0c65b6d08733b3c07465bb7de5752f4fbbddb9be7bcf0ea59c5
Opcode Fuzzy Hash: b18fdd6ade8f77e733c0088e2a35ab7b1e0dfb2abd5f5c8c097fdd7c606bca34
Instruction Fuzzy Hash: 44218035600204AFD718EF68C898A5EBFE9FF84700F00846DE84697352DA70EC08DB50

Function 0058CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0058CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0058CDE9

Part of subcall function 00583820: RtlAllocateHeap.NTDLL(00000000,?,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6,?,00551129), ref: 00583852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0058CE0F
_free.LIBCMT ref: 0058CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0058CE31

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e27c18332429d736d8be536c4ef2d6c8ae23b67f2a95be3022e0a30e158c9341
Instruction ID: 97967d846bf3757b0e4c76d9ba50342838b724b7e111cf6d5b06f57c7791c2cd
Opcode Fuzzy Hash: e27c18332429d736d8be536c4ef2d6c8ae23b67f2a95be3022e0a30e158c9341
Instruction Fuzzy Hash: 2A018472A022557F232636B66C8CD7B6D6DFFC6BA13154129FD05EB201EA718D0293B0

Function 00569639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00569693
SelectObject.GDI32(?,00000000), ref: 005696A2
BeginPath.GDI32(?), ref: 005696B9
SelectObject.GDI32(?,00000000), ref: 005696E2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0711440cbe957f11df4a65a60cf3d231df2feb15cb55400b5d87c75d7350ba05
Instruction ID: 53e643dea3a6f0743a2a5e99746e2954d0bee775ff0324921a272f2895acdaba
Opcode Fuzzy Hash: 0711440cbe957f11df4a65a60cf3d231df2feb15cb55400b5d87c75d7350ba05
Instruction Fuzzy Hash: F5217F70C0A74AEBDB219F64DC487AD3FAABB62315F10021AF411AF1B0D3709897DB94

Function 005B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005B5726
_memcmp.LIBVCRUNTIME ref: 005B5744
_memcmp.LIBVCRUNTIME ref: 005B5757
_memcmp.LIBVCRUNTIME ref: 005B576F
_memcmp.LIBVCRUNTIME ref: 005B5787

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8ee5b8d867580882b768084425006eac30d7394dfad7ad92361baf01feae4181
Instruction ID: e2584613ba38c9642a4eb9369d08565838635ed9fce547819c34215734578735
Opcode Fuzzy Hash: 8ee5b8d867580882b768084425006eac30d7394dfad7ad92361baf01feae4181
Instruction Fuzzy Hash: 36019272745A0ABBE20C5515AD86FFA7B5CFB613D8B204420FE099A241FE60FE1192A4

Function 00582DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0057F2DE,00583863,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6), ref: 00582DFD
_free.LIBCMT ref: 00582E32
_free.LIBCMT ref: 00582E59
SetLastError.KERNEL32(00000000,00551129), ref: 00582E66
SetLastError.KERNEL32(00000000,00551129), ref: 00582E6F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9a3338d8a577eaf8f173efdf9b08a254e45f9a737d374020721840e9f4076832
Instruction ID: 451355a5293725eb269682d969093522e6ec3eb53f65c70e91e7f2156c7f3b1e
Opcode Fuzzy Hash: 9a3338d8a577eaf8f173efdf9b08a254e45f9a737d374020721840e9f4076832
Instruction Fuzzy Hash: A401D136245A016BC71236386C8AD3B2E6EBBE57B1F258829FC65B2192EA24CC055324

Function 005B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?,?,005B035E), ref: 005B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?), ref: 005B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?), ref: 005B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?), ref: 005B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005AFF41,80070057,?,?), ref: 005B0070

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dff0a54fe471c0d202cbab249253f64b2508f6f51c0a82efcb2d1ebb8396f721
Instruction ID: 65bff6c4363972ba5571b3cf85d34bb3239d5d5c5451e517f67ab4be1697361d
Opcode Fuzzy Hash: dff0a54fe471c0d202cbab249253f64b2508f6f51c0a82efcb2d1ebb8396f721
Instruction Fuzzy Hash: 3101DF72600208BFDB115F69DC48BEB7EADFB44391F105024F801D6250D770ED04ABA0

Function 005BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 005BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 005BE9A5
Sleep.KERNEL32(00000000), ref: 005BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 005BE9B7
Sleep.KERNEL32 ref: 005BE9F3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c1aaa079c14c6eb1be61cc1998a912e4bd4c44cb013551f3d1a54e0d839425fa
Instruction ID: 8b7041f93447c5d7f06e6af973e95609126e4c45d04b508bacf0a1e245a68f53
Opcode Fuzzy Hash: c1aaa079c14c6eb1be61cc1998a912e4bd4c44cb013551f3d1a54e0d839425fa
Instruction Fuzzy Hash: 46016931C01A29DBCF08AFE5DC9AAEDBF78FF09301F040546E542B6241CB30A659DBA1

Function 005B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005B0B9B,?,?,?), ref: 005B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005B114D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f8a726ec04e64fca0efd514956efd129dd6e959e47966528a1badeecb5266533
Instruction ID: cdc64b9447ed69eb65c2d5a18f26d16fe586acd15e59712f2eb3a86724ff331a
Opcode Fuzzy Hash: f8a726ec04e64fca0efd514956efd129dd6e959e47966528a1badeecb5266533
Instruction Fuzzy Hash: 49018175100605BFDB154F68DC89EAA3F6EFF8A360B100418FA81C7350DB31DC01DA60

Function 005B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005B1002

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 844a8a9ea33b59b3c9ff2b06348b2c6adb05123c5b5f0c2710f0b128dfe3b1fd
Instruction ID: 97492d8d9d815554008a58c8563cfb522ed0547251d1114d8d5cd247836e6f7d
Opcode Fuzzy Hash: 844a8a9ea33b59b3c9ff2b06348b2c6adb05123c5b5f0c2710f0b128dfe3b1fd
Instruction Fuzzy Hash: 13F0AF36100349ABD7251FA59C8DF9A3F6DFF9A761F500414FD85CA250DA30EC419A60

Function 005B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B1062

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ecae93806854dd09bba6ae4f520944fab8607922066e7513c0a95419404d183b
Instruction ID: bb51a3c2e437f6683242969bcb978c870ba3eff53f65318203ab700530eb5ae2
Opcode Fuzzy Hash: ecae93806854dd09bba6ae4f520944fab8607922066e7513c0a95419404d183b
Instruction Fuzzy Hash: D6F0AF36100345ABD7251FA5EC9CF9A3F6DFF9A761F100414FD85CA250CA30E8419A60

Function 005C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C0324
CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C0331
CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C033E
CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C034B
CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C0358
CloseHandle.KERNEL32(?,?,?,?,005C017D,?,005C32FC,?,00000001,00592592,?), ref: 005C0365

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3dc7f1f80681aa6b6f319c5fdd9b6bcfe0fd9df3e2c14c13b037d151c9d5f819
Instruction ID: e7eb777ff0dd67683b0e5db6c39e3b6d0019c03602fd5072aa65a9c1a7d15b09
Opcode Fuzzy Hash: 3dc7f1f80681aa6b6f319c5fdd9b6bcfe0fd9df3e2c14c13b037d151c9d5f819
Instruction Fuzzy Hash: E801DC72800B81CFCB30AFA6D880802FBF9BE606153049E3ED19252971C3B0A949CE80

Function 0058D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0058D752

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 0058D764
_free.LIBCMT ref: 0058D776
_free.LIBCMT ref: 0058D788
_free.LIBCMT ref: 0058D79A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 64e9ecb80721b0501f0894c2910966f024b627761ac8bcb9c10e507655916ccb
Instruction ID: 7c0a916609c9185b940bd94bdbf96068590871327a47d442058f4d0dee641bbc
Opcode Fuzzy Hash: 64e9ecb80721b0501f0894c2910966f024b627761ac8bcb9c10e507655916ccb
Instruction Fuzzy Hash: 78F0EC32544205ABC661FB68F9C6D5A7FEEFB44720B995806F848F7541C724FC808774

Function 005B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 005B5C6F
MessageBeep.USER32(00000000), ref: 005B5C87
KillTimer.USER32(?,0000040A), ref: 005B5CA3
EndDialog.USER32(?,00000001), ref: 005B5CBD

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 87c95504babe99e969e997fd22d4caa5cf89755a09edaf021a414170289b1517
Instruction ID: 8f77f534c101125ad9a4a423ee167f1b52ae919cb5bdc23b92b5036ff35e191e
Opcode Fuzzy Hash: 87c95504babe99e969e997fd22d4caa5cf89755a09edaf021a414170289b1517
Instruction Fuzzy Hash: 64018130500B44ABEB285B14DD8EFE67FB9BB10B05F001559A583A50E1EBF0AD899A90

Function 005822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005822BE

Part of subcall function 005829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000), ref: 005829DE
Part of subcall function 005829C8: GetLastError.KERNEL32(00000000,?,0058D7D1,00000000,00000000,00000000,00000000,?,0058D7F8,00000000,00000007,00000000,?,0058DBF5,00000000,00000000), ref: 005829F0

_free.LIBCMT ref: 005822D0
_free.LIBCMT ref: 005822E3
_free.LIBCMT ref: 005822F4
_free.LIBCMT ref: 00582305

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4253437a4fa188c22bca5724f0fe7c4c02e93d24a05bb0dab1bd3e2aee8bf73c
Instruction ID: 3161a83f8876772d4e78bf784daab48e32d64d0c0c30c13da5e4dd64cb55d207
Opcode Fuzzy Hash: 4253437a4fa188c22bca5724f0fe7c4c02e93d24a05bb0dab1bd3e2aee8bf73c
Instruction Fuzzy Hash: A8F030744859118BC722BF64BC4584C3F67B729760B052507FC18E7272C73416939BE4

Function 005695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005695D4
StrokeAndFillPath.GDI32(?,?,005A71F7,00000000,?,?,?), ref: 005695F0
SelectObject.GDI32(?,00000000), ref: 00569603
DeleteObject.GDI32 ref: 00569616
StrokePath.GDI32(?), ref: 00569631

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 03db8e0fd7aa38f5572941ce645a6ffa5281fbcca353bffef98388b9ffc0263c
Instruction ID: 921ea10303d96be802d05c37fc6e156050e8a9ff8ccd6140499d295efb47a3fe
Opcode Fuzzy Hash: 03db8e0fd7aa38f5572941ce645a6ffa5281fbcca353bffef98388b9ffc0263c
Instruction Fuzzy Hash: 94F0F630409B89EBDB2A5F65ED5CB683F66BB22322F049214E4655E0F0C7308996EF60

Function 00580F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005810F9
__freea.LIBCMT ref: 00581117

Part of subcall function 00581537: _free.LIBCMT ref: 0058154F

Strings

am/pm, xrefs: 0058117A
a/p, xrefs: 005811DE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4ba70676a41a303479f94b069d6cae66fd963183bcae0f9a2ae104bd06f8ff66
Instruction ID: 9429d5b48ef30b8e44eb7fbc50277b0e9327c026fbcdad4d9045765dd4dee9d3
Opcode Fuzzy Hash: 4ba70676a41a303479f94b069d6cae66fd963183bcae0f9a2ae104bd06f8ff66
Instruction Fuzzy Hash: C8D1F435900A06CBDB24BF68C849AFABFB9FF05700F144919ED02BB650D7359D82CB59

Function 005D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00570242: EnterCriticalSection.KERNEL32(0062070C,00621884,?,?,0056198B,00622518,?,?,?,005512F9,00000000), ref: 0057024D
Part of subcall function 00570242: LeaveCriticalSection.KERNEL32(0062070C,?,0056198B,00622518,?,?,?,005512F9,00000000), ref: 0057028A

Part of subcall function 005700A3: __onexit.LIBCMT ref: 005700A9

__Init_thread_footer.LIBCMT ref: 005D6238

Part of subcall function 005701F8: EnterCriticalSection.KERNEL32(0062070C,?,?,00568747,00622514), ref: 00570202
Part of subcall function 005701F8: LeaveCriticalSection.KERNEL32(0062070C,?,00568747,00622514), ref: 00570235

Part of subcall function 005C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005C35E4
Part of subcall function 005C359C: LoadStringW.USER32(00622390,?,00000FFF,?), ref: 005C360A

Strings

x#b, xrefs: 005D636F
x#b, xrefs: 005D6353
x#b, xrefs: 005D633A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#b$x#b$x#b
API String ID: 1072379062-1364182122
Opcode ID: e0f436ffaab538a54b186eda0f4373dcf57e81028846417e0ac96624228c43a5
Instruction ID: 4201344557470f65b71daaa2ef4a014d99a4a96aa4cd62fc72345cf55dc8517e
Opcode Fuzzy Hash: e0f436ffaab538a54b186eda0f4373dcf57e81028846417e0ac96624228c43a5
Instruction Fuzzy Hash: 06C15C71A00106AFCB24DF58D895EBABBB9FF48310F14846BE9059B391DB70ED46CB90

Function 00585AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOU, xrefs: 00585BA8, 00585C6C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: JOU
API String ID: 0-4004259765
Opcode ID: 9eab3fe575eefe30897976dc1c7f86c8893ccb92ac0dd4147a5f7ea7417f7993
Instruction ID: 84908feab648fd351bab0d1cfddc954e482f7af3005050da2d977ae554526b6c
Opcode Fuzzy Hash: 9eab3fe575eefe30897976dc1c7f86c8893ccb92ac0dd4147a5f7ea7417f7993
Instruction Fuzzy Hash: D251BE75A0060A9BCB21BFA8D849AAEBFB8BF55311F140459FC05B7292E6319D01DB61

Function 00588A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00588B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00588B7A
__dosmaperr.LIBCMT ref: 00588B81

Strings

.W, xrefs: 00588A63

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .W
API String ID: 2434981716-1554619033
Opcode ID: 55286af1bf5f63eec15a02509c93c9313d828fb6da4c26e6ebb05b1120b9c23b
Instruction ID: 9aea3abc862115ec6d893593e55f8f2b045b38ec30bca710cd2789b69617e324
Opcode Fuzzy Hash: 55286af1bf5f63eec15a02509c93c9313d828fb6da4c26e6ebb05b1120b9c23b
Instruction Fuzzy Hash: 5C416AB0604045AFDB24AF28CC85A7D7FA6FFC5314B2885A9FC85A7653DE31CC029790

Function 005B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005B21D0,?,?,00000034,00000800,?,00000034), ref: 005BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005B2760

Part of subcall function 005BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005BB3F8

Part of subcall function 005BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005BB355
Part of subcall function 005BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005B2194,00000034,?,?,00001004,00000000,00000000), ref: 005BB365
Part of subcall function 005BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005B2194,00000034,?,?,00001004,00000000,00000000), ref: 005BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005B281A

Strings

@, xrefs: 005B2832

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cc555aaefcc113a946a4c54600188ee6e3461aee1173fe1f1f7216301798641a
Instruction ID: 8cfec20dc4cf56e038409b98091b3865127be737d5a55ed140719e899dc3bd4f
Opcode Fuzzy Hash: cc555aaefcc113a946a4c54600188ee6e3461aee1173fe1f1f7216301798641a
Instruction Fuzzy Hash: AE411C72900219AFDB10DBA4CD95AEEBBB8FF49700F104059FA55B7181DBB07E45CBA1

Function 0058172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00581769
_free.LIBCMT ref: 00581834
_free.LIBCMT ref: 0058183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00581760, 00581767, 00581796, 005817CE

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 137a5c624dfc864ae2831c75bd309d1aaedc9d44bc0c21a796d86fc175beb2ef
Instruction ID: 3016eca5729b901d1d27d4cdff46b5ddb913f15f5578af8df81959bb1b460b7f
Opcode Fuzzy Hash: 137a5c624dfc864ae2831c75bd309d1aaedc9d44bc0c21a796d86fc175beb2ef
Instruction Fuzzy Hash: 65319175A04618EBDB21EB999885D9EBFBCFB95310F10416AFC04EB211D6708A82CB94

Function 005BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 005BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00621990,00F468D8), ref: 005BC395

Strings

0, xrefs: 005BC2DF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f92bfd2264d6e30e435458aff8b72832b638297ad15a0cfc665abd2f2778d1a1
Instruction ID: a43d3e9e820feba3d0ecbf195efbc0c3abf16e24a4b150e593a87bd47dab0b1d
Opcode Fuzzy Hash: f92bfd2264d6e30e435458aff8b72832b638297ad15a0cfc665abd2f2778d1a1
Instruction Fuzzy Hash: 2A418D312043429FD724DF25D884BAABFE4BB85320F548A1EF9A5972D1D770F904CB66

Function 005E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005ECC08,00000000,?,?,?,?), ref: 005E44AA
GetWindowLongW.USER32 ref: 005E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005E44D7

Strings

SysTreeView32, xrefs: 005E447C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5cdc527529216adafada0dbcf11a1340e6fbf30e48227caa44f92bf1f65c16e2
Instruction ID: 0cae8a078a6a4eccbeee1d39116176cc7bb08450a9f4ecf7dad6e090c748854b
Opcode Fuzzy Hash: 5cdc527529216adafada0dbcf11a1340e6fbf30e48227caa44f92bf1f65c16e2
Instruction Fuzzy Hash: 68319C31200286AFDF288E39DC45BEA7BA9FB48334F204715F9B9921E0D770EC559B50

Function 005B6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 005B6EED
VariantCopyInd.OLEAUT32(?,?), ref: 005B6F08
VariantClear.OLEAUT32(?), ref: 005B6F12

Strings

*j[, xrefs: 005B6E8B, 005B6E90, 005B6EF8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j[
API String ID: 2173805711-2838499701
Opcode ID: 0ede3d854112ba27ed62143e92e188ef92427214478257536cc43df6c355b715
Instruction ID: d12daad2f9c4ada27ff50cb6333784ac78e19780f345d661cafce79f9d936d89
Opcode Fuzzy Hash: 0ede3d854112ba27ed62143e92e188ef92427214478257536cc43df6c355b715
Instruction Fuzzy Hash: 0531C471604246DFCB09AFA4E8A49FE3F75FF85301B100899F9024B2A1D738A956DBE0

Function 005D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005D3077,?,?), ref: 005D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005D307A
_wcslen.LIBCMT ref: 005D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 005D3106

Strings

255.255.255.255, xrefs: 005D3095, 005D309A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 604f8de1ede8087e868187489f91844283658b3c624e180c931b6e0e38b20cc5
Instruction ID: 28ff67e38bd1fcc9c104da216531f5224a27b7d73340dc991c038429295865dc
Opcode Fuzzy Hash: 604f8de1ede8087e868187489f91844283658b3c624e180c931b6e0e38b20cc5
Instruction Fuzzy Hash: 923192396042069FC720CF6CC589AA97FE1FF54314F24845BE9158B3A2D771DE45C762

Function 005E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005E471A

Strings

msctls_updown32, xrefs: 005E4684

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6677ff6630b598e34119530898ec257a31e7c0515f9492e7d5721c8c2a9705e5
Instruction ID: 29045b96208f5181b3bd66bfc85412d10aa8ee101829f0245e7c965298c85aa9
Opcode Fuzzy Hash: 6677ff6630b598e34119530898ec257a31e7c0515f9492e7d5721c8c2a9705e5
Instruction Fuzzy Hash: D12190B5600249AFDB14DF69DCC5DB73BADFB9A3A4B040049FA009B351CB30EC52DAA0

Function 005B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B961D

Strings

#requireadmin, xrefs: 005B95D9
#notrayicon, xrefs: 005B95B7
#OnAutoItStartRegister, xrefs: 005B95F3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6b5dd437350f88c0d3c6343cc1ad5aa2d3936ee4d5e128d48b36fc5722e563be
Instruction ID: e53474c31ea98b51e15e4f46dbce8cc9c9e466e180114230382df85b06cb6ff3
Opcode Fuzzy Hash: 6b5dd437350f88c0d3c6343cc1ad5aa2d3936ee4d5e128d48b36fc5722e563be
Instruction Fuzzy Hash: 2A21353224465666C331AE25AC0AFFB7F9CBFD5300F108426FA899B081EB51BD45C3D5

Function 005E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005E3876

Strings

Listbox, xrefs: 005E380F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 75fa58bc1536462f1ea176d03f9fc209fe312c3031af86cb8171a7b5f74eee8f
Instruction ID: 08e090399d542143ce5cbb0138f4fcbc5beb2fef8139bbaf90f3596290d4cac0
Opcode Fuzzy Hash: 75fa58bc1536462f1ea176d03f9fc209fe312c3031af86cb8171a7b5f74eee8f
Instruction Fuzzy Hash: DA21B072614158BBEB258F56CC89EBB3B6AFF89750F108124F9849B190C671DD52C7A0

Function 005C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005C4A5C
SetErrorMode.KERNEL32(00000000,?,?,005ECC08), ref: 005C4AD0

Strings

%lu, xrefs: 005C4A6F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: de11721d90b0162a86ba77ac283d830ec7464dd5ecb6481eb0b4200bac3f4761
Instruction ID: a6712d5a31a8be4cf2c8053648d390dfb52f77ecce51d20e253971c4e89df135
Opcode Fuzzy Hash: de11721d90b0162a86ba77ac283d830ec7464dd5ecb6481eb0b4200bac3f4761
Instruction Fuzzy Hash: D4317F75A00209AFDB10DF54C895EAA7BF8FF48304F144099F809DB252D771ED46CB61

Function 005E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005E4271

Strings

msctls_trackbar32, xrefs: 005E4226

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2f06017f93cefa274771f738dd55c81f0088c84f0b27f34b7bfb918838f8d4ff
Instruction ID: fbde8b05d3a8707e1341d1127a66cf4612d5f1eb8271b69e03e8ea07871f7d76
Opcode Fuzzy Hash: 2f06017f93cefa274771f738dd55c81f0088c84f0b27f34b7bfb918838f8d4ff
Instruction Fuzzy Hash: 7311A331240288BEEF245E69CC46FAB3FADFF95B64F110524FA95E60A0D671D851DB10

Function 005B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

Part of subcall function 005B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005B2DC5
Part of subcall function 005B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005B2DD6
Part of subcall function 005B2DA7: GetCurrentThreadId.KERNEL32 ref: 005B2DDD
Part of subcall function 005B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005B2DE4

GetFocus.USER32 ref: 005B2F78

Part of subcall function 005B2DEE: GetParent.USER32(00000000), ref: 005B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 005B2FC3
EnumChildWindows.USER32(?,005B303B), ref: 005B2FEB

Strings

%s%d, xrefs: 005B2FFF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 24df3623a4f0f57902e67738b5c58edf73a2fe1e100bed21f0798fd1b0e1d44b
Instruction ID: a4c5b034259672dc4133798ffd3d675e5db086015b919ed03899a347fdd25cef
Opcode Fuzzy Hash: 24df3623a4f0f57902e67738b5c58edf73a2fe1e100bed21f0798fd1b0e1d44b
Instruction Fuzzy Hash: DC11907160024A6BCF14BF648CD9EEE3F6ABFD4314F044075BD09AB152DE70A94A9B70

Function 005E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005E58EE
DrawMenuBar.USER32(?), ref: 005E58FD

Strings

0, xrefs: 005E588F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2770853380ba70257bda374897782f8fc88f80d0c86a0b32ecf4246e79aa4a9c
Instruction ID: 8a3347bd51f19507f17657106caa0d7a4a16a442a539e68cc44013d99c5da9cc
Opcode Fuzzy Hash: 2770853380ba70257bda374897782f8fc88f80d0c86a0b32ecf4246e79aa4a9c
Instruction Fuzzy Hash: 53016131500259EFDB659F12DC44BEEBFB8FB45364F10809AF989DA151EB308A94EF21

Function 005AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 005AD3BF
FreeLibrary.KERNEL32 ref: 005AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 005AD3B9
X64, xrefs: 005AD2A8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f800a1f7c621a4aeab5e8d8a1c15404156452d7a272698d11f03e6167b2c72a4
Instruction ID: 238683860ffbdb47ce7ba82c86eb550a786b7699d2c3b0926ad47e01aa84ae1f
Opcode Fuzzy Hash: f800a1f7c621a4aeab5e8d8a1c15404156452d7a272698d11f03e6167b2c72a4
Instruction Fuzzy Hash: 62F05C25C0562187CB3976104C54A9D3F307F12701B954D16E443EA514D710CC48C6F1

Function 005B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5618b973be1789e980a7c32e417dc55e4fc0bd76bac1953919aecf73a708fa2e
Instruction ID: 1cbf603e38fadea48a1dc006c2a3172bf60575c3bf7d784f8f71afb3e3403e0e
Opcode Fuzzy Hash: 5618b973be1789e980a7c32e417dc55e4fc0bd76bac1953919aecf73a708fa2e
Instruction Fuzzy Hash: 66C15D75A0021AEFDB14CF98C898AAEBBB5FF48314F209598E505EB291D731ED41DB90

Function 005D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005D3459
CoUninitialize.OLE32 ref: 005D3463
VariantInit.OLEAUT32(?), ref: 005D346E
VariantClear.OLEAUT32(?), ref: 005D371B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 537c2e044f69f79b0a252f6fc68f120c025b6e6b7960ad86ac725c92bb7c5e25
Instruction ID: 1df520432a11076416bd0b2ec5c5b52fc2bf1962f0bb18ea56ac071ff7dd42b6
Opcode Fuzzy Hash: 537c2e044f69f79b0a252f6fc68f120c025b6e6b7960ad86ac725c92bb7c5e25
Instruction Fuzzy Hash: E6A14E756043019FC710DF28D499A2ABBE5FF8C715F04885AF98A9B361EB30EE05CB52

Function 005B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005EFC08,?), ref: 005B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005EFC08,?), ref: 005B0608
CLSIDFromProgID.OLE32(?,?,00000000,005ECC40,000000FF,?,00000000,00000800,00000000,?,005EFC08,?), ref: 005B062D
_memcmp.LIBVCRUNTIME ref: 005B064E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2236d651bf2544be632d959bd9204781a118e43c0132cab793cc83892dab3595
Instruction ID: 724c869b027e6b163daf083a8e0fd2510bd320def62a93e43ff1d786f2fc182d
Opcode Fuzzy Hash: 2236d651bf2544be632d959bd9204781a118e43c0132cab793cc83892dab3595
Instruction Fuzzy Hash: 06810E75A00109EFCB04DF94C984EEEBBB9FF89315F204558E516AB290DB71AE06CF60

Function 005DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 005DA6BA

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Process32NextW.KERNEL32(00000000,?), ref: 005DA79C
CloseHandle.KERNEL32(00000000), ref: 005DA7AB

Part of subcall function 0056CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00593303,?), ref: 0056CE8A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 29975429bd2b8d4def04978c9aeda54a3ee124a9ab1f1ec65c125cc3e70b5a6a
Instruction ID: aa4452e8d0a6926a7561297c3a3807e054d9383df37acb9739a7f25b0697ff87
Opcode Fuzzy Hash: 29975429bd2b8d4def04978c9aeda54a3ee124a9ab1f1ec65c125cc3e70b5a6a
Instruction Fuzzy Hash: 52513A715083419FD714EF24C89AA6BBBE8FFC9754F40491EF98597292EB30D908CB92

Function 00591391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005914C0

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a996e9821bfb1a73eb58c8705a2f1e0baa818dc970e7199d58fafbb2592c6018
Instruction ID: aad4873a8c817d72f7ff1144affc76cac772f7c3c0cdac32e3dd23448bd7b173
Opcode Fuzzy Hash: a996e9821bfb1a73eb58c8705a2f1e0baa818dc970e7199d58fafbb2592c6018
Instruction Fuzzy Hash: BE417B35600933ABDF21BBFC9C496BE3EA4FF89370F244625F81DD6192E63488416766

Function 005E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005E62E2
ScreenToClient.USER32(?,?), ref: 005E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005E6382

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d912cb9d27ea13417e0d4dbda3387d05aeb4efdbfbcae4ae610561d2747ca031
Instruction ID: 7aa74d1356c2375f15837d9571a47c297265f929e4e40879ea665416f00dd682
Opcode Fuzzy Hash: d912cb9d27ea13417e0d4dbda3387d05aeb4efdbfbcae4ae610561d2747ca031
Instruction Fuzzy Hash: 85515E74900245AFCF14CF59D8809AE7FB6FB693A0F108559F9559B290D730ED81CB50

Function 005D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005D1AFD
WSAGetLastError.WSOCK32 ref: 005D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005D1B8A
WSAGetLastError.WSOCK32 ref: 005D1B94

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fed818c3d42df78edb353ee35a2393b887caabdf97c1f15ec70e084780a673ca
Instruction ID: a4c1054f03d7132eacb4b2702ef02096a3a085359fb222f8d9833e1030187b28
Opcode Fuzzy Hash: fed818c3d42df78edb353ee35a2393b887caabdf97c1f15ec70e084780a673ca
Instruction Fuzzy Hash: 1641B334600601AFE720AF24C88AF267BE5BB84718F54844EF9569F3D2D772ED41CB90

Function 0058B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d1b6c00486975a34611ce4b20c3c2676852d624ab18606ad836ffdc6203c49
Instruction ID: 81ebd65a70461ce3bbff1bbc560a469c01bf91a133a9030e8b2002ff2881b611
Opcode Fuzzy Hash: d7d1b6c00486975a34611ce4b20c3c2676852d624ab18606ad836ffdc6203c49
Instruction Fuzzy Hash: 42410A75A00715AFEB24AF38CC46B6A7FEDFBC4710F10452AF946EB2A2D77199018790

Function 005C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005C5783
GetLastError.KERNEL32(?,00000000), ref: 005C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005C57FA

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5146963063fcff8272edee4cfb8aba6d87c312d66430655329b79b0cc096dddb
Instruction ID: a60ee7773c3dd08d3b33a3f6ce84a37e1ce9b0fc8cfaaa129d6cefbb8de80818
Opcode Fuzzy Hash: 5146963063fcff8272edee4cfb8aba6d87c312d66430655329b79b0cc096dddb
Instruction Fuzzy Hash: C0412A39600611DFCB10DF55C458A5EBFE1BF89321B198489EC8A5B362EB30FD45CB91

Function 0058D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00576D71,00000000,00000000,005782D9,?,005782D9,?,00000001,00576D71,?,00000001,005782D9,005782D9), ref: 0058D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0058D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0058D9AB
__freea.LIBCMT ref: 0058D9B4

Part of subcall function 00583820: RtlAllocateHeap.NTDLL(00000000,?,00621444,?,0056FDF5,?,?,0055A976,00000010,00621440,005513FC,?,005513C6,?,00551129), ref: 00583852

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9c7603be4a70323dcb63106e3addf5b1a4bc4543223e867fdaa08495878261b9
Instruction ID: b56b0ab6827d5936f10e1c14fe8dcd42325ffc6d6d5731814fe59b5df62dcf3d
Opcode Fuzzy Hash: 9c7603be4a70323dcb63106e3addf5b1a4bc4543223e867fdaa08495878261b9
Instruction Fuzzy Hash: 9A31BD72A0021AABDB24AF65DC85EAE7FB5FB40750F054168FC08EA190EB35CD54CBA0

Function 005E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005E5352
GetWindowLongW.USER32(?,000000F0), ref: 005E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005E53A8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ca6e4b342ec8f7d66291a89aa7476ec08d5c1238d39e8da87aa5a42cf423c9f9
Instruction ID: 6b06882789cf97606c1525f6305dc46e779517f56f3fa8d66254687f1e27ba57
Opcode Fuzzy Hash: ca6e4b342ec8f7d66291a89aa7476ec08d5c1238d39e8da87aa5a42cf423c9f9
Instruction Fuzzy Hash: FA313734A45A88EFEB3C8F16CC45BE83F66BB0D394F545802FAC0861E1E3B09D409741

Function 005BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 005BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 005BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 005BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 005BACC6

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3dd3a4307fa58bbdfe74c99868eade7481ee63aec184d5c2919a39fbd7237eb4
Instruction ID: 71ed9114fa8e9c7b9331da71905059c0b20a582334e7875e5e9fd1a2cdccd7d7
Opcode Fuzzy Hash: 3dd3a4307fa58bbdfe74c99868eade7481ee63aec184d5c2919a39fbd7237eb4
Instruction Fuzzy Hash: C7311230A00258AFFF358B6888497FA7FA5BB89310F04461AF481961D1D374ED8597A2

Function 005E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005E769A
GetWindowRect.USER32(?,?), ref: 005E7710
PtInRect.USER32(?,?,005E8B89), ref: 005E7720
MessageBeep.USER32(00000000), ref: 005E778C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 847cdc121d7e215e1842699e13ea662817b4e0964d96319311dd4776f5fb9e1e
Instruction ID: 8b2eafd3665d5beed33ec692b03563819db92a39f6c1da82b16255fd6a047cad
Opcode Fuzzy Hash: 847cdc121d7e215e1842699e13ea662817b4e0964d96319311dd4776f5fb9e1e
Instruction Fuzzy Hash: FA419E34A092999FDB19CF5AC894EA97BF5FB5D304F1540A8E9949F261C330E982CB90

Function 005E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005E16EB

Part of subcall function 005B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005B3A57
Part of subcall function 005B3A3D: GetCurrentThreadId.KERNEL32 ref: 005B3A5E
Part of subcall function 005B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005B25B3), ref: 005B3A65

GetCaretPos.USER32(?), ref: 005E16FF
ClientToScreen.USER32(00000000,?), ref: 005E174C
GetForegroundWindow.USER32 ref: 005E1752

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bc178f993d9d53239743c0706a4f1733013802eb923015cc567615efcb25cc40
Instruction ID: 5dccfa096290b26a2e276eb51bf1205d67abea9f4151e71e1a26c1a84202f1ff
Opcode Fuzzy Hash: bc178f993d9d53239743c0706a4f1733013802eb923015cc567615efcb25cc40
Instruction Fuzzy Hash: B7313271D00249AFCB04DFA5C895CAEBFF9FF88304B50406AE455E7651D631DE45CBA0

Function 005E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

GetCursorPos.USER32(?), ref: 005E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005A7711,?,?,?,?,?), ref: 005E9016
GetCursorPos.USER32(?), ref: 005E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005A7711,?,?,?), ref: 005E9094

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e608946a7f4c4e5516bf16a903d5cbd6862bb7c31bce2169dbbe3bd514116c71
Instruction ID: 9f9ab21204b53fed7c40240fc6f6b09333df03d85dc8628d2c014f4355c25188
Opcode Fuzzy Hash: e608946a7f4c4e5516bf16a903d5cbd6862bb7c31bce2169dbbe3bd514116c71
Instruction Fuzzy Hash: 4521D372600158EFCB298F95CC98EFA3FB9FF8A350F444095F5454B161C3319A91EB60

Function 005BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005ECB68), ref: 005BD2FB
GetLastError.KERNEL32 ref: 005BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 005BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005ECB68), ref: 005BD376

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d5622ab78c0c61399479c5fec054926ecd62cf433c2e75ba7d95739bce17379f
Instruction ID: 45b73950518d44f22200378e4c2f0a21757bc5c9a6889bbee5e189993d71aa97
Opcode Fuzzy Hash: d5622ab78c0c61399479c5fec054926ecd62cf433c2e75ba7d95739bce17379f
Instruction Fuzzy Hash: BE2162745052019FC714DF28C8854AA7FF4BE95354F504E1DF899C72A2E731E94ACBA3

Function 005B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005B102A
Part of subcall function 005B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005B1036
Part of subcall function 005B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B1045
Part of subcall function 005B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005B104C
Part of subcall function 005B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005B15BE
_memcmp.LIBVCRUNTIME ref: 005B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B1617
HeapFree.KERNEL32(00000000), ref: 005B161E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a061c48fc9461b5de7d8a09b5a7b60786735cb8d85e818c4416d60ccd215ce4b
Instruction ID: 6fac705bebeb4dd8391992a8e61dea9b1fa50a1ec758894acd5a405cb0ed5d10
Opcode Fuzzy Hash: a061c48fc9461b5de7d8a09b5a7b60786735cb8d85e818c4416d60ccd215ce4b
Instruction Fuzzy Hash: 13218C32E00509EFDF54DFA4C959BEEBBB8FF84344F584459E441AB241E730AA05DBA4

Function 005E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005E2840

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d1e03d624cb364f2f1aceff9114567b4aace36cfdb1502247ee80678a41178d6
Instruction ID: 5f6c1b24f28e5534066860364f56b560079b280500218e145645c06e81f51c11
Opcode Fuzzy Hash: d1e03d624cb364f2f1aceff9114567b4aace36cfdb1502247ee80678a41178d6
Instruction Fuzzy Hash: 4021C431208291AFD7189F25C855F6A7F99FF85324F148159F8568B6D2C771FC42CB90

Function 005B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005B790A,?,000000FF,?,005B8754,00000000,?,0000001C,?,?), ref: 005B8D8C
Part of subcall function 005B8D7D: lstrcpyW.KERNEL32(00000000,?,?,005B790A,?,000000FF,?,005B8754,00000000,?,0000001C,?,?,00000000), ref: 005B8DB2
Part of subcall function 005B8D7D: lstrcmpiW.KERNEL32(00000000,?,005B790A,?,000000FF,?,005B8754,00000000,?,0000001C,?,?), ref: 005B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005B8754,00000000,?,0000001C,?,?,00000000), ref: 005B7923
lstrcpyW.KERNEL32(00000000,?,?,005B8754,00000000,?,0000001C,?,?,00000000), ref: 005B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,005B8754,00000000,?,0000001C,?,?,00000000), ref: 005B7984

Strings

cdecl, xrefs: 005B797B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 40f2964d18e69db8c4ea76eb74744bc38e087bc2cd4bd2c057d485c3dc3bffde
Instruction ID: b78e6a300167799540a040885f41737acfa22765cf9372a83edc517d0ba232b4
Opcode Fuzzy Hash: 40f2964d18e69db8c4ea76eb74744bc38e087bc2cd4bd2c057d485c3dc3bffde
Instruction Fuzzy Hash: 2E11293A200346AFCB159F34D844DBA7FA9FFD9350B00402AF842CB264EB31E811D791

Function 005E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005CB7AD,00000000), ref: 005E7D6B

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 72d1e8b7a61916cbcf7be9baf06fcaf901de3ee7f945cace3d1dba817d90b738
Instruction ID: ac35318f1d03e8b2056966f503ad179a644fac487d454b5d7e4e33efee39fac6
Opcode Fuzzy Hash: 72d1e8b7a61916cbcf7be9baf06fcaf901de3ee7f945cace3d1dba817d90b738
Instruction Fuzzy Hash: A9116D32508699AFCB189F29CC44A663FA9BF4A360B154724F879DB2E0D7309D51DB90

Function 005E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005E56BB
_wcslen.LIBCMT ref: 005E56CD
_wcslen.LIBCMT ref: 005E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005E5816

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a2410ba8adcef4058093c9bfa82109b400d3095defb606581b8b62d8eabb72ff
Instruction ID: 45887963e46dc18a2fc4bfa3aaa9c1e01587f5afb4ebe49ad3bee93e2fef6cc8
Opcode Fuzzy Hash: a2410ba8adcef4058093c9bfa82109b400d3095defb606581b8b62d8eabb72ff
Instruction Fuzzy Hash: 0611E13160069996DF249F669C85AEE3FACFF11368F108426F985DA081F770CA84CB60

Function 00581D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2140f7ab4c31fd836b860ed30bed0b10ec719c903a2b7db98a259b50abd1acf2
Instruction ID: 365885b8c314ed4f2b6170542623f8795d9b568723ae85a1847a95cf51374659
Opcode Fuzzy Hash: 2140f7ab4c31fd836b860ed30bed0b10ec719c903a2b7db98a259b50abd1acf2
Instruction Fuzzy Hash: A901BCB2206A067EF62036786CC4F276E1CFF813B8B300B25FD20B11D2DA208C429364

Function 005B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B1A8A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc23113fd0a6ef22f16f7fb7146a0790f7a7ed44dc7605939f02f064241d682d
Instruction ID: e671a12dea852f38aaac8be939d8ac12faba1312f867a6dc70f81597085688c5
Opcode Fuzzy Hash: bc23113fd0a6ef22f16f7fb7146a0790f7a7ed44dc7605939f02f064241d682d
Instruction Fuzzy Hash: 8311273A901219FFEB109BA4C985FEDBB78FB08750F200091EA01B7290D671BE50DB98

Function 005BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 005BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005BE24D

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f6c7942f61407e84e9e55036a09e66696193bba7decf1b72ba35fe6b3f9047e5
Instruction ID: 9429130ea4837b58174e770a7ef184cb1ae5303b08ba178fb75f1c81789e7b8d
Opcode Fuzzy Hash: f6c7942f61407e84e9e55036a09e66696193bba7decf1b72ba35fe6b3f9047e5
Instruction Fuzzy Hash: D3116B76D04244BFC714DFA8EC4AADE7FAEEB56310F048259F824D7280C670DD0587A0

Function 0057D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0057CFF9,00000000,00000004,00000000), ref: 0057D218
GetLastError.KERNEL32 ref: 0057D224
__dosmaperr.LIBCMT ref: 0057D22B
ResumeThread.KERNEL32(00000000), ref: 0057D249

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: db049a6391d34bdf5d3d6be61191d83a2b42b952f8c41f4103241ce84c627bf6
Instruction ID: 0940ca6722dd3191290eba5694ce14d6c2638ba0e5205a366f245b8ec9f89226
Opcode Fuzzy Hash: db049a6391d34bdf5d3d6be61191d83a2b42b952f8c41f4103241ce84c627bf6
Instruction Fuzzy Hash: 4301263A8042057BC7105BA5EC09BAA7E78FFC1330F208218FC28961D1CB70C902E7B0

Function 005E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00569BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00569BB2

GetClientRect.USER32(?,?), ref: 005E9F31
GetCursorPos.USER32(?), ref: 005E9F3B
ScreenToClient.USER32(?,?), ref: 005E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 005E9F7A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bd781e8e85c34c3112b980eed6dc067c663defc2687a2a683619b1bce89039bc
Instruction ID: e02bd1e2a296d25965be3ce0198a5aaf74978fcb0461f3c02a5c88eb2feb6554
Opcode Fuzzy Hash: bd781e8e85c34c3112b980eed6dc067c663defc2687a2a683619b1bce89039bc
Instruction Fuzzy Hash: D4118C7290029AABCB19DF59D8899EE7BB9FB45301F000451F8A1E7041D330FA86CBA1

Function 0055600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0055604C
GetStockObject.GDI32(00000011), ref: 00556060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0055606A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7069b3d66c4d8e46e827b38c1f1ef660aab9d0309e65e39a55528c76006bf0f6
Instruction ID: f76e8d2e86163973231a999d3437b21e61f6d6f0b2d101aea9bcac7a07372156
Opcode Fuzzy Hash: 7069b3d66c4d8e46e827b38c1f1ef660aab9d0309e65e39a55528c76006bf0f6
Instruction Fuzzy Hash: 06117C72501588BFEF164F948C58AEA7F69FF19365F400206FE0556060C732DC65AB91

Function 00573B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00573B56

Part of subcall function 00573AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00573AD2
Part of subcall function 00573AA3: ___AdjustPointer.LIBCMT ref: 00573AED

_UnwindNestedFrames.LIBCMT ref: 00573B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00573B7C
CallCatchBlock.LIBVCRUNTIME ref: 00573BA4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 56e3c2b1318a535f9e8f09e8e194954488b2a7ea858679492f88417ae7653232
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E01D732100149BBDF125E95EC4AEEB7F6AFF98764F048018FE5C56121C732E961BBA1

Function 00583073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005513C6,00000000,00000000,?,0058301A,005513C6,00000000,00000000,00000000,?,0058328B,00000006,FlsSetValue), ref: 005830A5
GetLastError.KERNEL32(?,0058301A,005513C6,00000000,00000000,00000000,?,0058328B,00000006,FlsSetValue,005F2290,FlsSetValue,00000000,00000364,?,00582E46), ref: 005830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0058301A,005513C6,00000000,00000000,00000000,?,0058328B,00000006,FlsSetValue,005F2290,FlsSetValue,00000000), ref: 005830BF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d21ed7f28beacaef5ae668c8e9c9ee6b61eefc036af5df91060725c4b4398226
Instruction ID: d4ca9d2583234f9da44ffeaefccb3b92f728e43b6d43149e41eab2dee1554a8f
Opcode Fuzzy Hash: d21ed7f28beacaef5ae668c8e9c9ee6b61eefc036af5df91060725c4b4398226
Instruction Fuzzy Hash: 8901D436301622EBCB315AB99C889677F98BF15F61B100620FD85FB150D721D90AD7E0

Function 005B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005B74CA

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2a142398826ff8601787e3d1b4deda318dc8a03f0a09e011599bf4cc6087cc33
Instruction ID: 68534a0f9754663ee3c757c1ed536a79870727a45b4443096ecbbce38a9bec0b
Opcode Fuzzy Hash: 2a142398826ff8601787e3d1b4deda318dc8a03f0a09e011599bf4cc6087cc33
Instruction Fuzzy Hash: 2C11A1B12057189BEB248F14DC49FD27FFCFB44B01F108969A666DA191D770F908EB50

Function 005BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005BACD3,?,00008000), ref: 005BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005BACD3,?,00008000), ref: 005BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005BACD3,?,00008000), ref: 005BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005BACD3,?,00008000), ref: 005BB126

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7b0ee38691afd4331135210cdcb1b33802dab9f72333c0fce122f63628146357
Instruction ID: 9542afd4016a76acdbfbb21a2952d95dc1412dfee4e88be1d554b502180f4952
Opcode Fuzzy Hash: 7b0ee38691afd4331135210cdcb1b33802dab9f72333c0fce122f63628146357
Instruction Fuzzy Hash: 7D117C31C0151DE7DF04AFA8D9996EEBF78FF5A310F004485D981B2141CBB0A551DB51

Function 005E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005E7E33
ScreenToClient.USER32(?,?), ref: 005E7E4B
ScreenToClient.USER32(?,?), ref: 005E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005E7E8A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2c75901c8aa3576e1b3bf2b21fa1a554a75bc059fb577eb8a07233e3957c81ca
Instruction ID: d9e3102284cc91554e1190dc287cd0b817a04b4a780e2da0476f493b657e4256
Opcode Fuzzy Hash: 2c75901c8aa3576e1b3bf2b21fa1a554a75bc059fb577eb8a07233e3957c81ca
Instruction Fuzzy Hash: 691163B9D0024AAFDB41CFA8D8849EEBBF9FB18310F104056E951E2210D734AA55DF90

Function 005B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 005B2DD6
GetCurrentThreadId.KERNEL32 ref: 005B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005B2DE4

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f32e5f777bdf530ccc0ef53e6d2d10addbfb4e5571b802fee42fb92b584d078d
Instruction ID: 6dacacd4f2e71d98733f13378e208d18af26c7b2e44600407a9ea560642953bf
Opcode Fuzzy Hash: f32e5f777bdf530ccc0ef53e6d2d10addbfb4e5571b802fee42fb92b584d078d
Instruction Fuzzy Hash: 1FE092B2101224BBDB241B769C4EFEB3E6CFF62BA1F000019F105D50809AA0D846D6B0

Function 005E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00569639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00569693
Part of subcall function 00569639: SelectObject.GDI32(?,00000000), ref: 005696A2
Part of subcall function 00569639: BeginPath.GDI32(?), ref: 005696B9
Part of subcall function 00569639: SelectObject.GDI32(?,00000000), ref: 005696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005E8887
LineTo.GDI32(?,?,?), ref: 005E8894
EndPath.GDI32(?), ref: 005E88A4
StrokePath.GDI32(?), ref: 005E88B2

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 11447af779e55c856682f77492b2c238ab81427db73ecffe7df2824a81315102
Instruction ID: 735f1dd4d56be8dab2e0aaae70c694cf02bad99d4d109f46a4ac9c819c7cef1e
Opcode Fuzzy Hash: 11447af779e55c856682f77492b2c238ab81427db73ecffe7df2824a81315102
Instruction Fuzzy Hash: 9BF0BE36005299FADB161F94AC0DFCE3F5AAF26310F048000FE41690E1C7749556DFE5

Function 005698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005698CC
SetTextColor.GDI32(?,?), ref: 005698D6
SetBkMode.GDI32(?,00000001), ref: 005698E9
GetStockObject.GDI32(00000005), ref: 005698F1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 947100acda7d4dacd046424387f61da436f4bee7246c414e392cdf05ad974a85
Instruction ID: a61102718ed3b037d0975dc3b0e9f2607da536d048f473373fde93e676b7a271
Opcode Fuzzy Hash: 947100acda7d4dacd046424387f61da436f4bee7246c414e392cdf05ad974a85
Instruction Fuzzy Hash: D8E06D31644784AADB255B78EC49BEC3F20FB26336F04821AF6FA580E1C3718645EB10

Function 005B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005B11D9), ref: 005B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005B11D9), ref: 005B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005B11D9), ref: 005B164F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 98dfcaaced95f330231922c64d7cb1892b4d8c711b5d265d60e25ac235a7c6f7
Instruction ID: 0b7aeb56d53208cc7410873b90ce24ad9be26a4559db3f75e87fad85d733f612
Opcode Fuzzy Hash: 98dfcaaced95f330231922c64d7cb1892b4d8c711b5d265d60e25ac235a7c6f7
Instruction Fuzzy Hash: 32E08C32602211EBD7605FA4AE4DB8A3F7CBF647A2F148808F6C5CD080E734D44ADB64

Function 005AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005AD858
GetDC.USER32(00000000), ref: 005AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005AD882
ReleaseDC.USER32(?), ref: 005AD8A3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7fe013e5df1e7629b002c4e82cd3dd6f19d74de5d880013757a6b9f2edc1306a
Instruction ID: b9f2792337aa8a5ffca991815382a2b4d6e516a96e60d4e9ca8fc9aa67ed15a5
Opcode Fuzzy Hash: 7fe013e5df1e7629b002c4e82cd3dd6f19d74de5d880013757a6b9f2edc1306a
Instruction Fuzzy Hash: AAE01AB4800205DFCF45AFA8D84C66EBFB1FB58311F108809E896EB250C738890AAF50

Function 005AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005AD86C
GetDC.USER32(00000000), ref: 005AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005AD882
ReleaseDC.USER32(?), ref: 005AD8A3

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d741f346ffada1dfb15f4275de0548999fa26df9019a34a70d09617bf08731a4
Instruction ID: 564ccf1743b830ebf343248c316721273837ff489554a506e7221119e057aff0
Opcode Fuzzy Hash: d741f346ffada1dfb15f4275de0548999fa26df9019a34a70d09617bf08731a4
Instruction Fuzzy Hash: 3CE01AB4C00200DFCF449FA8D84C66EBFB1BB58311B108409E896EB250C738990AAF50

Function 005C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00557620: _wcslen.LIBCMT ref: 00557625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005C4ED4

Strings

LPT, xrefs: 005C4DFB
*, xrefs: 005C4E10

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9c96c62e01c6c6c7427163d0596e8ff3e210d577fc35857b4a725498d50b4c6c
Instruction ID: 3e9ddfb931716f86d534b5188e305621a623fc783d48c0b032078e585e630e9b
Opcode Fuzzy Hash: 9c96c62e01c6c6c7427163d0596e8ff3e210d577fc35857b4a725498d50b4c6c
Instruction Fuzzy Hash: EB915974A002059FCB14DF98C4A4EAABBF5BF48304F19809DE84A9B362D731ED85CF91

Function 0057E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0057E30D

Strings

pow, xrefs: 0057E2E5, 0057E302

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2538970e6e15b49bbf627b779020470d38e74640585b36bcd427dee3b50e4af1
Instruction ID: 973df0483e05705ea4fa796b8b4c7c7ade9ece01b4d2ac63b89f297cd5f5ca58
Opcode Fuzzy Hash: 2538970e6e15b49bbf627b779020470d38e74640585b36bcd427dee3b50e4af1
Instruction Fuzzy Hash: BF517CA1A0D30696CB117724D9073793FA8BB58740F30CDD8E899932A9EB34CC95FB46

Function 005D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(005A569E,00000000,?,005ECC08,?,00000000,00000000), ref: 005D78DD

Part of subcall function 00556B57: _wcslen.LIBCMT ref: 00556B6A

CharUpperBuffW.USER32(005A569E,00000000,?,005ECC08,00000000,?,00000000,00000000), ref: 005D783B

Strings

<sa, xrefs: 005D77C8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sa
API String ID: 3544283678-3969367581
Opcode ID: b05951e32862ba201d49077e8fa601b8daf5cc647564d808228e6cfc774294cf
Instruction ID: 9f029f2ed1882f7420e8fd617a367f74fec7157e0d5b93d6a735fda71471e81d
Opcode Fuzzy Hash: b05951e32862ba201d49077e8fa601b8daf5cc647564d808228e6cfc774294cf
Instruction Fuzzy Hash: 0E618D3291411EAACF14EBA8CCA5DFDBB78BF58301F440527F942A7191FB205A49DBA0

Function 0056E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0056E1B1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d7ed7090e9b4002adb3e8af950659c17b883d2ca800c5af3ee649db932703d83
Instruction ID: ee513b3d97cf7161c1a0a117c18514843344811923273a8900f5d141158270e7
Opcode Fuzzy Hash: d7ed7090e9b4002adb3e8af950659c17b883d2ca800c5af3ee649db932703d83
Instruction Fuzzy Hash: 0D514179901286DFDB18DF28C4A6AFE7FA5FF66310F244055EC919B2C0DA349D46CBA0

Function 0056F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0056F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0056F2BB

Strings

@, xrefs: 0056F2AF

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4d95df735f33ca2a08fa0f6d7700afd765e4ab30d758147e284ee0bd8a1a92ce
Instruction ID: 7114f6b5b4a3e29ad3d4aeeaa2ac7c605fd2d9a7f136c6b03098cb6c5b7d379f
Opcode Fuzzy Hash: 4d95df735f33ca2a08fa0f6d7700afd765e4ab30d758147e284ee0bd8a1a92ce
Instruction Fuzzy Hash: 4C5116714087499BD320AF10EC9ABAFBBE8FFC5301F81885DF5D9411A5EB708529CB66

Function 005D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005D57E0
_wcslen.LIBCMT ref: 005D57EC

Strings

CALLARGARRAY, xrefs: 005D57E6, 005D57EB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: e8d78da55e32bcb2ee1e4907d7d00fd70bcbeeb5002f452baf28324223dc3ef3
Instruction ID: 8636f678dff8e96c5374872f77ec415eb9d87210c3a72e52f31e9f6cba3893d9
Opcode Fuzzy Hash: e8d78da55e32bcb2ee1e4907d7d00fd70bcbeeb5002f452baf28324223dc3ef3
Instruction Fuzzy Hash: E5419F31A0020A9FCB24DFADC8859AEBFB5FF99314F20406BE505A7391E7349D81DB90

Function 005CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005CD13A

Strings

|, xrefs: 005CD10B

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b7a49701c52aedc8cc0bac2d218ce1fcfc7ce5bad78e2337a08f611f5b658f84
Instruction ID: 1616693930483f091f9af2a9599b40d551c8355a067f236ca4e1e604a81b7a96
Opcode Fuzzy Hash: b7a49701c52aedc8cc0bac2d218ce1fcfc7ce5bad78e2337a08f611f5b658f84
Instruction Fuzzy Hash: 70310A75D0110AABCF15EFA4CC99EEEBFB9FF44300F000029F815A6161D731AA46DB60

Function 005E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005E365C

Strings

static, xrefs: 005E35BC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aea1b5bbf5f087b80bce89033bf3497bfe6f5978a4add98c191fd84a4ee5f920
Instruction ID: 7ccf1ac4e8c46b4763447682454a5faaf9362ebeb1315b9ece25ef50b0fa3bdd
Opcode Fuzzy Hash: aea1b5bbf5f087b80bce89033bf3497bfe6f5978a4add98c191fd84a4ee5f920
Instruction Fuzzy Hash: 70319E71100644AEDB189F39DC85EFB7BA9FF98720F00961AF8A597290DA31ED81D760

Function 005E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005E4634

Strings

', xrefs: 005E458E

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4da27d6f8719a425586cd5f2dd76dfed2eca7953429a1464fb6e0e75c72522ad
Instruction ID: 2c7b861d4d7364eb56c0b111fa63cb8ae2c8367ce85b25ddb957a47befb450f0
Opcode Fuzzy Hash: 4da27d6f8719a425586cd5f2dd76dfed2eca7953429a1464fb6e0e75c72522ad
Instruction Fuzzy Hash: D7313A74A003599FDF18CF6AC990BEA7BB5FF49300F10406AE945AB341D770A941DF90

Function 005E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E3287

Strings

Combobox, xrefs: 005E3249

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 956d659471ee838d9d4e3f8529de6edbb5b2d994d4cbd162d3d56e474e5673c1
Instruction ID: a5a52239f57076ad2af1a8eeef7b91386d1b4d40c01c39fb28bcda1a43259e4f
Opcode Fuzzy Hash: 956d659471ee838d9d4e3f8529de6edbb5b2d994d4cbd162d3d56e474e5673c1
Instruction Fuzzy Hash: 6311D0752002496FEF299E55DC88EBB3BAAFB94364F100124FA989B290D6319D518760

Function 005E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0055600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0055604C
Part of subcall function 0055600E: GetStockObject.GDI32(00000011), ref: 00556060
Part of subcall function 0055600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0055606A

GetWindowRect.USER32(00000000,?), ref: 005E377A
GetSysColor.USER32(00000012), ref: 005E3794

Strings

static, xrefs: 005E3757

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 02b98d8a6ac853c10a40c20737daa4b357ae2421c0e5d185ccfb361c4ffa431c
Instruction ID: ed2f697cbf6ba236466c56ee0fb8b230cb4a9867d577e37db5963aaab88631b1
Opcode Fuzzy Hash: 02b98d8a6ac853c10a40c20737daa4b357ae2421c0e5d185ccfb361c4ffa431c
Instruction Fuzzy Hash: D21159B261024AAFDF14DFA8CC49AEA7BB9FB08314F004915F995E3250E734E911DB50

Function 005CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005CCDA6

Strings

<local>, xrefs: 005CCD66

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4073b20880c8857f4c71d9118ef32a167168a2b552639881983877f40e858fbc
Instruction ID: 27e7cbd21099055c172385d81bcf90455b22446265b424c966e501a8c3e3a147
Opcode Fuzzy Hash: 4073b20880c8857f4c71d9118ef32a167168a2b552639881983877f40e858fbc
Instruction Fuzzy Hash: 7711E371605672BED7284AA68C84FE3BE68FB127A4F00422EF10E87180D2709841D6F0

Function 005E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005E34BA

Strings

edit, xrefs: 005E348F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: cb4d12cd966beb10da40525520ec1a2c6dd63e9a12fd6cb024fb4f8ddb034641
Instruction ID: a600cb194838f42bbf99bdede2d9596998d39d18a21f6d86ed2e7d8d9a1c4e20
Opcode Fuzzy Hash: cb4d12cd966beb10da40525520ec1a2c6dd63e9a12fd6cb024fb4f8ddb034641
Instruction Fuzzy Hash: 4E11BF71100188ABEF1A4E65DC8CABB3F6AFB55374F504724F9A0971E0C731ED519B50

Function 005B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

CharUpperBuffW.USER32(?,?,?), ref: 005B6CB6
_wcslen.LIBCMT ref: 005B6CC2

Strings

STOP, xrefs: 005B6CBC, 005B6CC1

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f50e49a023d72a345913aabe62d742cf60c75a8ad27a9d1bb357f4d65e0152b5
Instruction ID: a4b3552775506fad624fc521b176bc059c15f42ae147fbe857ead560217890c2
Opcode Fuzzy Hash: f50e49a023d72a345913aabe62d742cf60c75a8ad27a9d1bb357f4d65e0152b5
Instruction Fuzzy Hash: F501C4326005278BCB209FBDDC959FF7FA5FBA1710B500925E85296191EB39ED44CA50

Function 005B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005B1D4C

Strings

ListBox, xrefs: 005B1D16
ComboBox, xrefs: 005B1CEB

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fbaef0695f52c23d09cf75fc94692aa91416d6916abdf7d9610c74b624389855
Instruction ID: a9c3584d06e571e13bb17942b75be5def3e9d6d063aef20d3e549743b14f5d0e
Opcode Fuzzy Hash: fbaef0695f52c23d09cf75fc94692aa91416d6916abdf7d9610c74b624389855
Instruction Fuzzy Hash: 6B012835600215EF8B08EBA4CC75CFE7F69FF82350B54091AFC226B2C1EA30690C8660

Function 005B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 005B1C46

Strings

ListBox, xrefs: 005B1C10
ComboBox, xrefs: 005B1BE5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4d941cfa7764ed0a30d7c134892e5606ec1f1c4d63938c3e77d66e89acb47abb
Instruction ID: 660273589a88dd090a710072c4326a14fc691a57f1f255790f2e020d267c950e
Opcode Fuzzy Hash: 4d941cfa7764ed0a30d7c134892e5606ec1f1c4d63938c3e77d66e89acb47abb
Instruction Fuzzy Hash: 7E01AC75641105A6CB04E790C97A9FF7FA9BF51340F540416A80677182EA24AE0C8675

Function 005B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 005B1CC8

Strings

ListBox, xrefs: 005B1C94
ComboBox, xrefs: 005B1C69

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 413c0bfe90b960b159ab9a9b935b086754d31e5e79df258ed067f189f61787a3
Instruction ID: 6275cf80480163798e8ebe19c8e5a4be735a0f5ab6ef72d77c4538c78d938139
Opcode Fuzzy Hash: 413c0bfe90b960b159ab9a9b935b086754d31e5e79df258ed067f189f61787a3
Instruction Fuzzy Hash: 7C01DB75640115A7CB04E7A4CA26AFF7FA9BF51380F540416BC0277281EA24AF0CC675

Function 0056A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0056A529

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Strings

3yZ, xrefs: 0056A545, 0056A54D, 0056A552
,%b, xrefs: 0056A509

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%b$3yZ
API String ID: 2551934079-1574708683
Opcode ID: 8df24a50f3a2e4d2a9ba13283b9b35d8983dfe60de0fa0b677055f74edd4ff4d
Instruction ID: 1af8c5dc6168b73c3a800b96de6fb23acb9a3d21fcb6ba087248588a9019aaf5
Opcode Fuzzy Hash: 8df24a50f3a2e4d2a9ba13283b9b35d8983dfe60de0fa0b677055f74edd4ff4d
Instruction Fuzzy Hash: 8701D43160061297CE14F768EC2FA5D3F55BB85721F505465F506372C2EE509D058E96

Function 005B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00559CB3: _wcslen.LIBCMT ref: 00559CBD

Part of subcall function 005B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005B1DD3

Strings

ListBox, xrefs: 005B1DA0
ComboBox, xrefs: 005B1D75

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fe513e19500acf2f1071f11231772a9033ba1fb5e8a9671c636f95f58ea467e3
Instruction ID: 0267a2026e53a7e64d4a8961109e151e9446847816fb14ef646535871178d70b
Opcode Fuzzy Hash: fe513e19500acf2f1071f11231772a9033ba1fb5e8a9671c636f95f58ea467e3
Instruction Fuzzy Hash: 35F0F471A50615AACB04E7A4CC76AFF7F78BF81340F840D1AB822672C2DA64690C8264

Function 005E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00623018,0062305C), ref: 005E81BF
CloseHandle.KERNEL32 ref: 005E81D1

Strings

\0b, xrefs: 005E818A

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0b
API String ID: 3712363035-3860674625
Opcode ID: 4a13d1a633844402f538879781564e7e55d062d69b47bf54918a264fc34e17a8
Instruction ID: 567141ffb0bfbc4d49385deb2720b62fb93c59a97117c3feb9c4da196a66cf65
Opcode Fuzzy Hash: 4a13d1a633844402f538879781564e7e55d062d69b47bf54918a264fc34e17a8
Instruction Fuzzy Hash: EEF05EB1640720BAE3206B61AC49FB73E5DEB18755F004820BB4CD92A2D7798A0597B8

Function 005D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005D7493
_wcslen.LIBCMT ref: 005D74B9

Strings

3, 3, 16, 1, xrefs: 005D7483

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: e18e13eb6fa1b49d03c8c74c78bba1653b9ac1cff46ef6ff8cd2aca930e3be43
Instruction ID: 60092e6fc008b3d8cf2b0e87132c61fd3439426c3f85cbe2520899c0c187937c
Opcode Fuzzy Hash: e18e13eb6fa1b49d03c8c74c78bba1653b9ac1cff46ef6ff8cd2aca930e3be43
Instruction Fuzzy Hash: 38E02B02204321119732127DACC597F5E89FFCD751714182BFA89C2366FB948D91A3A1

Function 005B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005B0B23

Strings

AutoIt, xrefs: 005B0B17
Error allocating memory., xrefs: 005B0B1C

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1e53eb2b5287588ab71553f2eec1982fa307012a7f8e0bf4db37c4865b96503a
Instruction ID: e0f7dfe2425940ed1de3ff9642f6839464aa1104458affc44a70e2cf3e1fe136
Opcode Fuzzy Hash: 1e53eb2b5287588ab71553f2eec1982fa307012a7f8e0bf4db37c4865b96503a
Instruction Fuzzy Hash: 2BE0D83128438926D21836557C07FC97E88FF45B25F10042BFF989A4C38BE2B89016A9

Function 00570D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0056F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00570D71,?,?,?,0055100A), ref: 0056F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0055100A), ref: 00570D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0055100A), ref: 00570D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00570D7F

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cf8a47177421958389b8e2db6dfd2cafc13c4f0cc487d9ffec328c343521ec14
Instruction ID: da47b579167eb02e4f29bf3ad5b7cfbccb1cddb3f6faa3e4a2c2f9c7931db385
Opcode Fuzzy Hash: cf8a47177421958389b8e2db6dfd2cafc13c4f0cc487d9ffec328c343521ec14
Instruction Fuzzy Hash: 63E039742007818BD7749FA9E4482467FE4BB10744F00896DE4C6CA691EBB1E4499B91

Function 0056E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0056E3D5

Strings

8%b, xrefs: 0056E3CA
0%b, xrefs: 0056E3B5

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%b$8%b
API String ID: 1385522511-3489371734
Opcode ID: fcbee58e2e4cd86aca69063144bddd7659e58e6c0c5da0f64efae43055292d9d
Instruction ID: 3fa5f79df156561bf142b7720c6ad3c718467e3cea410c0951c2ff5fbcee94f0
Opcode Fuzzy Hash: fcbee58e2e4cd86aca69063144bddd7659e58e6c0c5da0f64efae43055292d9d
Instruction Fuzzy Hash: 9AE02035901D22DBC714971CF87A9C83B53BF44320750A564E001672D19B3438429A44

Function 005C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005C3044

Strings

aut, xrefs: 005C3038

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8a67412e8e79a7090aac74ef2f4d3eb9dce0c626b2009ed3906a9063265fd235
Instruction ID: f7c5d0d4c64aa00db517391e4f73d1db6fe2323b947779b30d3eb7fc7faa11ac
Opcode Fuzzy Hash: 8a67412e8e79a7090aac74ef2f4d3eb9dce0c626b2009ed3906a9063265fd235
Instruction Fuzzy Hash: 82D05B7550035467DA2097949C4DFC73E6CDB04751F000191B7D5D6091DAB0D585CAD0

Function 005AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005AD220

Strings

%.3d, xrefs: 005AD22B
X64, xrefs: 005AD2A8

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 70e8fedee87002e21912c44d2a08eba72e3d807b426111aba37d311a6bde0b3b
Instruction ID: 575676389c8342e076647bbd5c84e433de2e9ccfe5b2a5589c33237150438fd3
Opcode Fuzzy Hash: 70e8fedee87002e21912c44d2a08eba72e3d807b426111aba37d311a6bde0b3b
Instruction Fuzzy Hash: 63D012A9C08109E9CB90A6D0DC49AFDBB7CBF19301F548C52FD4792440E624C548E771

Function 005E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E236C
PostMessageW.USER32(00000000), ref: 005E2373

Part of subcall function 005BE97B: Sleep.KERNEL32 ref: 005BE9F3

Strings

Shell_TrayWnd, xrefs: 005E2365

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ee873b24ae857a67ea9615c651dd17258cbef70e62c5e0a98bc304f6ca3fa1b4
Instruction ID: db18cbc906d967cc315477ac0fc852052a12d54d0a8a760cb367236b6369198c
Opcode Fuzzy Hash: ee873b24ae857a67ea9615c651dd17258cbef70e62c5e0a98bc304f6ca3fa1b4
Instruction Fuzzy Hash: DCD0C936381350BAE668A770DC4FFC66A15AB55B10F0549167685AE1D0C9A0B84A8A54

Function 005E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005E233F

Part of subcall function 005BE97B: Sleep.KERNEL32 ref: 005BE9F3

Strings

Shell_TrayWnd, xrefs: 005E2325

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cd6e7c91a2d9b9396260d2d3f109134263702dacdd2b3e1e092ba1502a715c98
Instruction ID: 010a9195a6c5128dc08d7322d5a9ac7f261e86f0c41d2ecf921d5bd75c38e274
Opcode Fuzzy Hash: cd6e7c91a2d9b9396260d2d3f109134263702dacdd2b3e1e092ba1502a715c98
Instruction Fuzzy Hash: 40D0C93A395350BAE668A770DC4FFC66E15AB50B10F0549167685AE1D0C9A0B84A8A54

Function 0058BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0058BE93
GetLastError.KERNEL32 ref: 0058BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0058BEFC

Memory Dump Source

Source File: 00000000.00000002.2112212157.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true

Associated: 00000000.00000002.2111948488.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.00000000005EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112380094.0000000000612000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112466976.000000000061C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112507610.0000000000624000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_550000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0f98c60dd9daac8825add9d11a906abed0ee55891ac79140b7d065f80a6f45c2
Instruction ID: 924fe6845b4df767e78e0266bb9f4092c45dc3ab39f4102bd51e45b736623712
Opcode Fuzzy Hash: 0f98c60dd9daac8825add9d11a906abed0ee55891ac79140b7d065f80a6f45c2
Instruction Fuzzy Hash: AA41D535604206AFEF25AF64DC84ABA7FADFF42310F244169FE59AB1A1DB308D01DB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 52.222.236.80 52.222.236.80
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2256046187.00002C919FB03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2256046187.00002C919FB03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255753445.000005B4BDB03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2255753445.000005B4BDB03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263666815.000001FBED7D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2192970547.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197326273.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192970547.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192441393.000001FBEBFAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277406934.000001FBEBFAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263666815.000001FBED7D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2297486051.000001FBE3B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2297486051.000001FBE3B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2192970547.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197326273.000001FBE6765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2192970547.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240279883.000001FBEB29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D5103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D5103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2289363039.000001FBE54A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3295492501.000001E3D5103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3295962005.0000023DBD60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2274890670.000001FBE4654000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192441393.000001FBEBFAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255434686.0000224A56D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2239676787.000001FBED7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304665408.000001FBE4591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263666815.000001FBED7D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2299983057.000001FBEEA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292019287.000001FBEEA51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275730258.000001FBE3FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310903899.000001FBE3FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.80:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50024 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_23468261-2687-490c-83fd-1541d34d82cb.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_23468261-2687-490c-83fd-1541d34d82cb.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre