Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541382
MD5:	03baa19835a87ffa911cfe9fb0763541
SHA1:	96288153c5a331d55bc6e77cdeb9550037b54c74
SHA256:	d9907c5153f4feb92c3625f94a67bcf5a0475dba9f1a59181708864e62c18972
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5044 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 03BAA19835A87FFA911CFE9FB0763541)

taskkill.exe (PID: 4396 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5160 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3404 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7164 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1488 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5956 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4920 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5688 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4368 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de04cd66-a37e-4e35-afe9-9e338cbefd89} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa6e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7192 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -parentBuildID 20230927232528 -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b508e78f-3592-4e91-8022-e1da6e18f134} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa7cb10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 4996 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274de6f3-6f8e-493d-a742-e2f38e2529b8} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e1232c8510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2175830359.0000000001100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 5044	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00F5EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F5EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F5ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F5ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00F5EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F4AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F79576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F79576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2114094556.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e03a0ee-a
Source: file.exe, 00000000.00000000.2114094556.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_19421e70-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b5193f94-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_73b85d51-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5AE8AF7 NtQuerySystemInformation,		18_2_000002CCE5AE8AF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5B08772 NtQuerySystemInformation,		18_2_000002CCE5B08772

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F4D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F41201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F41201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F4E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE8060	0_2_00EE8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F52046	0_2_00F52046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F48298	0_2_00F48298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F1E4FF	0_2_00F1E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F1676B	0_2_00F1676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F74873	0_2_00F74873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EECAF0	0_2_00EECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0CAA0	0_2_00F0CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFCC39	0_2_00EFCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F16DD9	0_2_00F16DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE91C0	0_2_00EE91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFB119	0_2_00EFB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01394	0_2_00F01394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0781B	0_2_00F0781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF997D	0_2_00EF997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE7920	0_2_00EE7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F07A4A	0_2_00F07A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F07CA7	0_2_00F07CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F19EEE	0_2_00F19EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6BE44	0_2_00F6BE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5AE8AF7	18_2_000002CCE5AE8AF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5B08772	18_2_000002CCE5B08772
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5B08E9C	18_2_000002CCE5B08E9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002CCE5B087B2	18_2_000002CCE5B087B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F00A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EE9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EFF9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@69/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F537B5 GetLastError,FormatMessageW,

0_2_00F537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F410BF AdjustTokenPrivileges,CloseHandle,		0_2_00F410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F416C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F4D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F5648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00F5648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EE42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2273406478.000001E1269A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2246833778.000001E126DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317207498.000001E1269E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de04cd66-a37e-4e35-afe9-9e338cbefd89} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa6e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -parentBuildID 20230927232528 -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b508e78f-3592-4e91-8022-e1da6e18f134} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa7cb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 4996 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274de6f3-6f8e-493d-a742-e2f38e2529b8} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e1232c8510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de04cd66-a37e-4e35-afe9-9e338cbefd89} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa6e910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -parentBuildID 20230927232528 -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b508e78f-3592-4e91-8022-e1da6e18f134} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa7cb10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 4996 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274de6f3-6f8e-493d-a742-e2f38e2529b8} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e1232c8510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000E.00000003.2327567333.000001E11CFA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2321372932.000001E11EDB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2310956336.000001E11EAB2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2311462329.000001E11EA83000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbpref_suggest_nonsponsoredpref_suggest_sponsored source: firefox.exe, 0000000E.00000003.2331256222.000001E11D738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2325937614.000001E11D735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2341803602.000001E1185A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.2331021296.000001E11E20D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000E.00000003.2333571106.000001E11C8C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2341803602.000001E1185A8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324955838.000001E11D7BD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2322302664.000001E11E98C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314288958.000001E11E985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2325895824.000001E11D73B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341106073.000001E1185A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2337314979.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342202336.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338504276.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340484696.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338174817.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339759599.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341501964.000001E118565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2325895824.000001E11D73B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339675348.000001E1185A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000E.00000003.2333784229.000001E11C85F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb0 source: firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2341056044.000001E11F551000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340731431.000001E11F4EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2310956336.000001E11EAB2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.2327053987.000001E11D266000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314288958.000001E11E91B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000E.00000003.2337314979.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342202336.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338504276.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340484696.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338174817.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339759599.000001E118565000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341501964.000001E118565000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2310789446.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000E.00000003.2327287739.000001E11CFBB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.2331256222.000001E11D738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2325937614.000001E11D735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000E.00000003.2327287739.000001E11CFBB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2314123788.000001E11E9A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2339675348.000001E1185A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000E.00000003.2327053987.000001E11D266000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdbcs_clip_rectangle source: firefox.exe, 0000000E.00000003.2324608316.000001E11D838000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7BD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2339907143.000001E11F4F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdbP4 source: firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2310789446.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000E.00000003.2333355176.000001E11C8FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2333571106.000001E11C8C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2339907143.000001E11F4F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.2315713829.000001E11D8FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2314079960.000001E11E9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2322264703.000001E11E9D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000E.00000003.2327567333.000001E11CFA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2310956336.000001E11EAB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311462329.000001E11EA83000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2341056044.000001E11F551000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340731431.000001E11F4EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000E.00000003.2333142837.000001E11CD52000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbINTEGER source: firefox.exe, 0000000E.00000003.2333784229.000001E11C85F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2310789446.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdbP4 source: firefox.exe, 0000000E.00000003.2327567333.000001E11CFA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.2331719151.000001E11D13A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000E.00000003.2333571106.000001E11C8C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbextensions.quarantined_domains source: firefox.exe, 0000000E.00000003.2325895824.000001E11D73B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbhttp-on-stop-request source: firefox.exe, 0000000E.00000003.2310789446.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.2324608316.000001E11D838000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315713829.000001E11D8FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327053987.000001E11D266000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.2326685004.000001E11D2C0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2314288958.000001E11E953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000E.00000003.2333571106.000001E11C8C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.2324608316.000001E11D838000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.2327567333.000001E11CFA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2314288958.000001E11E91B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2341106073.000001E1185A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2310789446.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2331576208.000001E11D292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326905965.000001E11D287000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb`^ source: firefox.exe, 0000000E.00000003.2326829737.000001E11D2AB000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F00A76 push ecx; ret

0_2_00F00A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EFF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F71C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F71C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96613

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000002CCE5AE8AF7 rdtsc

18_2_000002CCE5AE8AF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F4DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F1C2A2 FindFirstFileExW,	0_2_00F1C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F568EE FindFirstFileW,FindClose,	0_2_00F568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F5698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F4D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F4D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F59642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F59642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F5979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F59B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F59B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F55C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F55C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE42DE

Source: firefox.exe, 00000012.00000002.3378888504.000002CCE5960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9\|
Source: firefox.exe, 00000010.00000002.3381282629.0000013DB1D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: firefox.exe, 00000010.00000002.3381282629.0000013DB1D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3373461706.000002CCE51DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3378888504.000002CCE5960000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3379730837.0000019A37500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3373605650.0000019A370FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3380318751.0000013DB1C13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3381282629.0000013DB1D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: firefox.exe, 00000010.00000002.3374406508.0000013DB175A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3381282629.0000013DB1D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3378888504.000002CCE5960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000002CCE5AE8AF7 rdtsc

18_2_000002CCE5AE8AF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F5EAA2 BlockInput,

0_2_00F5EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F12622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F04CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F04CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F40B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F40B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F12622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F0083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F009D5 SetUnhandledExceptionFilter,	0_2_00F009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F00C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F00C21

Source: C:\Users\user\Desktop\file.exe

0_2_00F41201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F22BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F22BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4B226 SendInput,keybd_event,

0_2_00F4B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F622DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00F40B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F41663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F41663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F00698 cpuid

0_2_00F00698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F58195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00F58195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3D27A GetUserNameW,

0_2_00F3D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F1B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00F1B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2175830359.0000000001100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5044, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2175830359.0000000001100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5044, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F61204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F61806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
mitmdetection.services.mozilla.com	13.32.99.49	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.212.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE54C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3375590586.0000019A374C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2360057595.000001E123A32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2307075088.000001E123EC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279727219.000001E123EC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3376292952.0000013DB1B72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE5486000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3375590586.0000019A3748F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2308734188.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281487277.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2327287739.000001E11CFE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187748142.000001E11ED5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2280175427.000001E123A94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284270430.000001E11EAE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2315496494.000001E11E635000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2160506516.000001E11AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161126947.000001E11AC31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161500787.000001E11AC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160742610.000001E11AC0F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2307902381.000001E123AB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280175427.000001E123AB8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2273070293.000001E1269D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2188624570.000001E11E99F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2160506516.000001E11AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275575349.000001E123D67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161126947.000001E11AC31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327826088.000001E11CF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161500787.000001E11AC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160742610.000001E11AC0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2330805468.000001E11E251000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2160506516.000001E11AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161126947.000001E11AC31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160742610.000001E11AC0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2317382789.000001E125308000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314079960.000001E11E9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2322264703.000001E11E9D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2308734188.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281487277.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000010.00000002.3373861613.0000013DB1700000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2306543921.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2281487277.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314800697.000001E11E699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE5403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3375590586.0000019A37403000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2242896582.000001E126825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240520948.000001E12680C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243125777.000001E12682F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2317480249.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306543921.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE54C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3375590586.0000019A374C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2320756270.000001E123163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2240520948.000001E12680C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2358448702.000001E11BD29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2317588483.000001E124DA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000E.00000003.2323213978.000001E11E2AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2333270016.000001E11CD17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amazon.com	firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2318707785.000001E123E69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2334036485.000001E11C7F9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000013.00000002.3375590586.0000019A37413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2248765916.000001E1249D1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2188624570.000001E11E99F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2308734188.000001E123285000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2259018153.000001E11AA79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326685004.000001E11D2F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304904400.000001E11AABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259279043.000001E1183CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190086123.000001E11C248000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362807892.000001E11AD8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237282108.000001E11E8C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238155188.000001E11C9DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165641699.000001E11AD8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259606412.000001E11E8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293531151.000001E123D16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227114225.000001E11E8D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237282108.000001E11E8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360153908.000001E11D1C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358448702.000001E11BD29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225048340.000001E11CEDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210470039.000001E11BD34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358448702.000001E11BD24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311370764.000001E11EA8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350453159.000001E11AAC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251780456.000001E11CED5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2315871447.000001E11D8E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2330805468.000001E11E249000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2285177192.000001E11EA8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2285177192.000001E11EA8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2308734188.000001E123285000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2280175427.000001E123A94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2248894690.000001E1249A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306749562.000001E124983000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311992296.000001E1249A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2323213978.000001E11E26B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330713139.000001E11E26E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2242896582.000001E126825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240520948.000001E12680C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243125777.000001E12682F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2317480249.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306543921.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2187748142.000001E11EDF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321372932.000001E11ED5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187748142.000001E11ED5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2273972652.000001E126924000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2160742610.000001E11AC0F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2248765916.000001E1249D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2160506516.000001E11AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275575349.000001E123D67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161126947.000001E11AC31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327826088.000001E11CF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161500787.000001E11AC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160742610.000001E11AC0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2188624570.000001E11E99F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2308734188.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281487277.000001E1232D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3375478791.0000013DB1890000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3379198832.000002CCE5A60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3374726450.0000019A37330000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2242896582.000001E126825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240520948.000001E12680C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243125777.000001E12682F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefox	firefox.exe, 0000000E.00000003.2281322863.000001E123A46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308162199.000001E123A62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.3376292952.0000013DB1BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE54E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3379978138.0000019A37603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
13.32.99.49	mitmdetection.services.mozilla.com	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541382
Start date and time:	2024-10-24 19:03:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@69/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.231.229.39, 34.208.54.237, 52.13.186.250, 142.250.186.138, 142.250.186.106, 2.22.61.59, 2.22.61.56, 142.250.186.142
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:04:07	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
13.32.99.49	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://pendxz.w3spaces.com?dg=emFoaWRAaGhlcG8ubmV0LnFh	Get hash	malicious	HTMLPhisher	Browse
	https://ufc11.ac-page.com/town-of-sheboygan	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/Qme86YdMkPs2R89rMxX1NrMwQvNgdcBEJyRcCR4XEzi9tu?filename=auto.html#test@test.de	Get hash	malicious	Unknown	Browse
	https://ppzcrx7ykra7r6ghwdg3hfmiwkwkevv5drvoc3jwrgvpz6li3toa.arweave.net/e_Io3_hUQfj4x7DNs5WIsqyiVr0cauFtNomq_Plo3Nw/	Get hash	malicious	HTMLPhisher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	ATT25322.html	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03	Get hash	malicious	Unknown	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
AMAZON-02US	https://na2.docusign.net/Signing/EmailStart.aspx?a=c6104538-ac3b-4407-b24b-a0b641ee4589&etti=24&acct=7853161b-6814-4528-85bc-ffe96cfca42f&er=09ab18a7-8de5-4c92-931d-cb9cd9f7b00d	Get hash	malicious	Unknown	Browse	52.42.45.237
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL	Get hash	malicious	Unknown	Browse	143.204.215.107
	http://hybrid-web.global.blackspider.com/urlwrap/?q=AXicLU67UsMwEFQBX0Gf0pbtkywxowHLiZgUDEXoGVmRjbFlJX4wk4bPgT-kJgpp9u72dnb35hZ9_SB0943Q2J8S1kTT-Bk53fbGD_Po-8h4h4C_yGb70WGgwAjaOz_q4TFAY41fhvk0mSXyY4Pe5_kw3cdxP3RRa-M8k0-72IqHZXZvRruDbptBrMLl7L5dnLAh60JMfhmNFbb3x0VfmFDBDrPYPO9Wtj--jtp0271IeaVxWlvNawq24rrmlPAKkyw3hGoetMLaNOFnloGugFFS1QmrM3IGAKg1DSLdBrM0veyzSMIsryXPOUnO_1-dYIUisgSKsdoknOWcZiBlmSvMVaZwLouSpIqRslBScsxYCkWZQUkobEByul4riRAivwj9ATUqckw&Z	Get hash	malicious	Unknown	Browse	143.204.215.66
	quotation RFQ no 123609.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	13.32.99.49
	https://click.smb-hub-amer.com/CL0/https:%2F%2Faws-experience.com%2Famer%2Fsmb%2Fe%2F6585d%2Ftech201-generative-ai-activation---prompt-usering-with-amazon-bedrock/1/010f019292a0535d-76bbe2fd-5051-4597-a0cb-70909e66221c-000000/EuaOeAUnoTjz0zRaIJDPPYf78GxHTGM9U_JpcCxZuA8=180	Get hash	malicious	Unknown	Browse	108.138.26.73
	https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	75.2.57.54
	https://www.canva.com/design/DAGUUU-VdiI/DdL4Z-_loK4X7NMMbGGnJg/view?utm_content=DAGUUU-VdiI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	13.32.99.105
	https://click.smb-hub-amer.com/CL0/https:%2F%2Faws-experience.com%2Famer%2Fsmb%2Ffaq/1/010f0192953347ae-3c905125-2a17-4574-9bc8-91e7b29508e2-000000/yNxMb5L-NyQC__8b2PYbvEt2zZ-h7CoRCEU0OPMd7LQ=181	Get hash	malicious	Unknown	Browse	108.138.26.94
	https://www.cognitoforms.com/f/dPw6PjKRNEiTBIouwlWxQQ/1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.89
FASTLYUS	_Play__New__VM__01min 04sec____ATT2006587654 (Randiwestbrook) .htm	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	EXTERNALRoger Moczygemba shared DIRECT MED CLINIC - CONFIDENTIAL with you.msg	Get hash	malicious	Unknown	Browse	151.101.130.92
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL	Get hash	malicious	Unknown	Browse	151.101.194.137
	http://hybrid-web.global.blackspider.com/urlwrap/?q=AXicLU67UsMwEFQBX0Gf0pbtkywxowHLiZgUDEXoGVmRjbFlJX4wk4bPgT-kJgpp9u72dnb35hZ9_SB0943Q2J8S1kTT-Bk53fbGD_Po-8h4h4C_yGb70WGgwAjaOz_q4TFAY41fhvk0mSXyY4Pe5_kw3cdxP3RRa-M8k0-72IqHZXZvRruDbptBrMLl7L5dnLAh60JMfhmNFbb3x0VfmFDBDrPYPO9Wtj--jtp0271IeaVxWlvNawq24rrmlPAKkyw3hGoetMLaNOFnloGugFFS1QmrM3IGAKg1DSLdBrM0veyzSMIsryXPOUnO_1-dYIUisgSKsdoknOWcZiBlmSvMVaZwLouSpIqRslBScsxYCkWZQUkobEByul4riRAivwj9ATUqckw&Z	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://lnk.ie/73BGS/e=?utm_campaign=&utm_medium=email&utm_source=eloqua&utm_content=EMS&elqTrackId=b3e6296b7e034428ab6cf8165586e5f3&elq=f15d0983a3e2469a9348a180a5d34fca&elqaid=2922&elqat=1&elqCampaignId=1792&elqak=8AF50EC23DDB3CA8DB8B1F52080496E6D8BDFEE307A00555CA936F9692C081A369A3	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse	34.36.216.150
	keldRUiaay.elf	Get hash	malicious	Mirai	Browse	194.198.219.41
	ATT25322.html	Get hash	malicious	Unknown	Browse	34.49.241.189
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_4009200e-1363-4450-9a5a-cfcea6a3c201.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.174678732069172
Encrypted:	false
SSDEEP:	192:0BMX8eRcbhbVbTbfbRbObtbyEl7nUrjJA6unSrDtTkdxSofL:0iBcNhnzFSJ0r61nSrDhkdxX
MD5:	FC5E14104961AC7F73EB69D2F3C139A9
SHA1:	754D8A8A61182A44DDC4ADAFD93EFA62E31F997B
SHA-256:	B2A0BF467DFFB6431C54957E9E74197815780A33DF8D2C7FFC7B711188D8C0D1
SHA-512:	359DADC8460FA22829981543CD856E3E51DB1FC3FBA17722DB941EC38AA667346DB22741A0652DD4E61C1FB158A32651DA85433ED25D388BF6EC32A1DA00943D
Malicious:	false
Preview:	{"type":"uninstall","id":"4009200e-1363-4450-9a5a-cfcea6a3c201","creationDate":"2024-10-24T18:35:56.383Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_4009200e-1363-4450-9a5a-cfcea6a3c201.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.174678732069172
Encrypted:	false
SSDEEP:	192:0BMX8eRcbhbVbTbfbRbObtbyEl7nUrjJA6unSrDtTkdxSofL:0iBcNhnzFSJ0r61nSrDhkdxX
MD5:	FC5E14104961AC7F73EB69D2F3C139A9
SHA1:	754D8A8A61182A44DDC4ADAFD93EFA62E31F997B
SHA-256:	B2A0BF467DFFB6431C54957E9E74197815780A33DF8D2C7FFC7B711188D8C0D1
SHA-512:	359DADC8460FA22829981543CD856E3E51DB1FC3FBA17722DB941EC38AA667346DB22741A0652DD4E61C1FB158A32651DA85433ED25D388BF6EC32A1DA00943D
Malicious:	false
Preview:	{"type":"uninstall","id":"4009200e-1363-4450-9a5a-cfcea6a3c201","creationDate":"2024-10-24T18:35:56.383Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.933170802630627
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLcy598P:gXiNFS+OcUGOdwiOdwBjkYL/98P
MD5:	5C5236E8FFE7B2D0DF5F70474DB58B25
SHA1:	B39B832696DAE7AC26D0653AB817E5F0581E19D9
SHA-256:	E606B2C0D522BEDB4DFA3A7C16C66E8D36E773275C22476A07D87B6CB4D86D84
SHA-512:	05E473DF63B0AE5A0F2F5A4E76BDA1B0775D3C79251EBAE8AA130D03F2CFC8D52B06B17FB40D00364E45BF590DE00E0901BAFBD4598F81BD799C5828BCD4392F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.933170802630627
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLcy598P:gXiNFS+OcUGOdwiOdwBjkYL/98P
MD5:	5C5236E8FFE7B2D0DF5F70474DB58B25
SHA1:	B39B832696DAE7AC26D0653AB817E5F0581E19D9
SHA-256:	E606B2C0D522BEDB4DFA3A7C16C66E8D36E773275C22476A07D87B6CB4D86D84
SHA-512:	05E473DF63B0AE5A0F2F5A4E76BDA1B0775D3C79251EBAE8AA130D03F2CFC8D52B06B17FB40D00364E45BF590DE00E0901BAFBD4598F81BD799C5828BCD4392F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkigfu:DLhesh7Owd4+ji
MD5:	72A26395ECC2E58A492E7CA82A363F14
SHA1:	729EF9C64F44AA97CE612D3C69EA574C6EBAA531
SHA-256:	92BFC984C4175486A746A7B50490D17064A220B3D81CE52E70E82B042204CFB2
SHA-512:	AC2717F18F96E81EFA62D69B41A8C5034EFBEFC70BB24C2D35A254A75088BF5B617C6D99A3EAD01DB39B49C32604361C661D1EC6893D3202067DB026345B9074
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03535756160686293
Encrypted:	false
SSDEEP:	3:GtlstFhAx6a265h9/ltlstFhAx6a265hux89//alEl:GtWtEkY5TttWtEkY5O89XuM
MD5:	C84B7B8F4740253A46694614618D2C88
SHA1:	EF014C01CDC0A3E629B89342454C076597D6BB96
SHA-256:	13BE8CB8D3738B9FAFCC7D396E260F92842F26243AC5ACA407CD3A6DE847062A
SHA-512:	1451362AE52D2191FEAE7609776923011B7EE0CF14D3BD29C2D3C58B4F0D1493378FC6A26FF3802F2CEB0F396B5BC40FCCE02D59FC3B703747AF6E0E86A68125
Malicious:	false
Preview:	..-.......................o.y>..O..S..F....<.4.$..-.......................o.y>..O..S..F....<.4.$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034973983613053504
Encrypted:	false
SSDEEP:	3:Ol1oIjU5aqu265TLFSrV//mwl8XW3R2:K2IjAY2MTLopuw93w
MD5:	3A4960161312ED71AA3877146F6DB609
SHA1:	11147EE37909F2FB986326106BAF6E291469C1D6
SHA-256:	CAB5C0A05BA611EC1862D37B2878207DEA6DEEE12D215E1F0FFCDC79B37FD375
SHA-512:	F3EB9EB9C564E15DDA573C667AD2567BFA4D2EC881FD13C591C9C7C28B8FF59AD70669294F4153605D3D15AAEFE7DB1968226F89F664F0D731E63C73D453D3BD
Malicious:	false
Preview:	7....-..........O..S..F.).1be$.&........O..S..F..o....>y................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467012162820892
Encrypted:	false
SSDEEP:	192:2nTFTRRUYbBp6KLZNMGaXH6qU4fUzy+/3/73A5RYiNBw8drSl:8KerFNMeccyCAdw00
MD5:	9F83A6C5A2BA1DEB50C894975956AD4D
SHA1:	791F787D14196EE1C213C7BA590E8120D34C838D
SHA-256:	76EE9A3F35C08E196251211A7254DD50C6357197369B55ADAE5FD196C3BCB3D4
SHA-512:	76F181CE1C90145E029D5AD43BCC485E4EAD617B9B7B1B9B2F6CF5D8661110697D7412BF7C777C5664E95A101498C3D41ECD5F6B6573D1F398B5ED74EBD0ACB4
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729794926);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729794926);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729794926);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172979

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467012162820892
Encrypted:	false
SSDEEP:	192:2nTFTRRUYbBp6KLZNMGaXH6qU4fUzy+/3/73A5RYiNBw8drSl:8KerFNMeccyCAdw00
MD5:	9F83A6C5A2BA1DEB50C894975956AD4D
SHA1:	791F787D14196EE1C213C7BA590E8120D34C838D
SHA-256:	76EE9A3F35C08E196251211A7254DD50C6357197369B55ADAE5FD196C3BCB3D4
SHA-512:	76F181CE1C90145E029D5AD43BCC485E4EAD617B9B7B1B9B2F6CF5D8661110697D7412BF7C777C5664E95A101498C3D41ECD5F6B6573D1F398B5ED74EBD0ACB4
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729794926);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729794926);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729794926);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172979

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.336831439670958
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMIbLXnIgw/pnxQwRlszT5sKLU3eHVvwKXT8ramhujJmyOOxmOmaoA:GUpOxUwnR6Y3eNwCT8r4JNKRh4
MD5:	5E1F23EB3466CD7814D8AC97514055F1
SHA1:	6BBA14B1D376F3D47E8EB6B0383448E469746DE2
SHA-256:	ABB0543919C6AA0B2B50ED6C2A7C06E99365FA04D9C372D7E1CFEB2BA2C14A55
SHA-512:	C6FD7EF910F65FD631C84E2D76BD4318CE0993D42BC9DC74561B44E322BF7E571F1C19DB1863B7FD8CAC0E642FC998B35A33005225AEC488693FBAFBA5750A60
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4b51a288-37b2-471b-a592-f4ca1b421ff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729794932301,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`896106...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...00635,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.336831439670958
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMIbLXnIgw/pnxQwRlszT5sKLU3eHVvwKXT8ramhujJmyOOxmOmaoA:GUpOxUwnR6Y3eNwCT8r4JNKRh4
MD5:	5E1F23EB3466CD7814D8AC97514055F1
SHA1:	6BBA14B1D376F3D47E8EB6B0383448E469746DE2
SHA-256:	ABB0543919C6AA0B2B50ED6C2A7C06E99365FA04D9C372D7E1CFEB2BA2C14A55
SHA-512:	C6FD7EF910F65FD631C84E2D76BD4318CE0993D42BC9DC74561B44E322BF7E571F1C19DB1863B7FD8CAC0E642FC998B35A33005225AEC488693FBAFBA5750A60
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4b51a288-37b2-471b-a592-f4ca1b421ff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729794932301,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`896106...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...00635,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.336831439670958
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMIbLXnIgw/pnxQwRlszT5sKLU3eHVvwKXT8ramhujJmyOOxmOmaoA:GUpOxUwnR6Y3eNwCT8r4JNKRh4
MD5:	5E1F23EB3466CD7814D8AC97514055F1
SHA1:	6BBA14B1D376F3D47E8EB6B0383448E469746DE2
SHA-256:	ABB0543919C6AA0B2B50ED6C2A7C06E99365FA04D9C372D7E1CFEB2BA2C14A55
SHA-512:	C6FD7EF910F65FD631C84E2D76BD4318CE0993D42BC9DC74561B44E322BF7E571F1C19DB1863B7FD8CAC0E642FC998B35A33005225AEC488693FBAFBA5750A60
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4b51a288-37b2-471b-a592-f4ca1b421ff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729794932301,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`896106...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...00635,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009098627226663
Encrypted:	false
SSDEEP:	48:YrSAYTYHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycTYCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	3B46DA985EE48064E7C09FF69719E391
SHA1:	27D083F998FD574A232F083A4E3F985F03642B38
SHA-256:	38B7E482116D819FDFC617D88F728CF898591F99302DDABB9E92F3041BDCDEA0
SHA-512:	93996BC3CA6E4591AE770F069860DBF4F0185647B350664C8E2BA7893136C98842AC1896FB0E644C5A38EA1A1003B1CFD8610A7DE9BAA6225B7FAD1E9CD3654C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T18:35:11.326Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009098627226663
Encrypted:	false
SSDEEP:	48:YrSAYTYHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycTYCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	3B46DA985EE48064E7C09FF69719E391
SHA1:	27D083F998FD574A232F083A4E3F985F03642B38
SHA-256:	38B7E482116D819FDFC617D88F728CF898591F99302DDABB9E92F3041BDCDEA0
SHA-512:	93996BC3CA6E4591AE770F069860DBF4F0185647B350664C8E2BA7893136C98842AC1896FB0E644C5A38EA1A1003B1CFD8610A7DE9BAA6225B7FAD1E9CD3654C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T18:35:11.326Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584686554946423
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	03baa19835a87ffa911cfe9fb0763541
SHA1:	96288153c5a331d55bc6e77cdeb9550037b54c74
SHA256:	d9907c5153f4feb92c3625f94a67bcf5a0475dba9f1a59181708864e62c18972
SHA512:	abbf1ea662bf8e466934ac8ee7e2ac207020408ad00812e8d4ce463b487901bd9381fa582de9544fe374ae91ad3ba35e8385df8fd766e8fbc97fe42c8cc0e62d
SSDEEP:	12288:jqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TN:jqDEvCTbMWu7rQYlBQcBiT6rprG8abN
TLSH:	DF159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A7996 [Thu Oct 24 16:45:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F81010DA103h
jmp 00007F81010D9A0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F81010D9BEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F81010D9BBAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F81010DC7ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F81010DC7F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F81010DC7E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	d102fb2a732a2249cb29c6dbc5c13a95	False	0.3157634493670886	data	5.374271703427184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 19:04:02.931334019 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:02.931430101 CEST	443	49717	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:02.931952953 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:02.932429075 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:02.937525988 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:02.937539101 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:02.937582970 CEST	443	49717	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:02.940114975 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:02.940735102 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.940804005 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:02.940956116 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.940956116 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:02.940975904 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:02.941199064 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.941577911 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.942549944 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.942593098 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:02.943948984 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:02.943957090 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:02.946696043 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:03.538220882 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:03.570585966 CEST	443	49717	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:03.571075916 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:03.580038071 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:03.580189943 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:03.580219984 CEST	443	49717	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:03.580344915 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:03.580530882 CEST	443	49717	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:03.580713034 CEST	49717	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:03.788388968 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.788487911 CEST	443	49722	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:03.788604975 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.789916039 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.789953947 CEST	443	49722	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:03.790364027 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.790399075 CEST	443	49723	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:03.790714979 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.791960001 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:03.791979074 CEST	443	49723	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:03.796565056 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.798007011 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.800075054 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.800829887 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.801902056 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.802140951 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.802170992 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.803210020 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.803226948 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.807414055 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.807442904 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.807496071 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.807749987 CEST	443	49719	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.809366941 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.809382915 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.809427977 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.809546947 CEST	443	49720	216.58.212.142	192.168.2.6
Oct 24, 2024 19:04:03.810409069 CEST	49719	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:03.810420990 CEST	49720	443	192.168.2.6	216.58.212.142
Oct 24, 2024 19:04:04.122044086 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.127408981 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.131217003 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.131264925 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.136627913 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.145766973 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.151952028 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.153476954 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.153522968 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.153693914 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.153839111 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.153845072 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.272378922 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.327291965 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.416009903 CEST	443	49722	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.416110039 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.419545889 CEST	443	49723	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.419922113 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.422113895 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.422171116 CEST	443	49722	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.422225952 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.422485113 CEST	443	49722	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.422615051 CEST	49722	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.423110008 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.423156023 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.423784971 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425359964 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425373077 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.425443888 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425452948 CEST	443	49723	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.425596952 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425730944 CEST	443	49723	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.425828934 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425837040 CEST	443	49728	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.425885916 CEST	49723	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.425954103 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.427253962 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:04.427263021 CEST	443	49728	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:04.486944914 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.495083094 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:04.495177984 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:04.495693922 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:04.495847940 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:04.495878935 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:04.559777021 CEST	49730	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.797451973 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.814033985 CEST	49731	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.896105051 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.896356106 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.896502018 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.896941900 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.897372007 CEST	49725	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.898796082 CEST	80	49730	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.898811102 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.898824930 CEST	80	49731	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.902734041 CEST	80	49725	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.904746056 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.906332970 CEST	49730	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.906456947 CEST	49731	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.906718016 CEST	49730	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:04.907290936 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.910355091 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.910367012 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.910670042 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.910969019 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:04.911057949 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:04.911214113 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:04.912049055 CEST	80	49730	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:04.912609100 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:04.912646055 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:04.915309906 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.915384054 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:04.915518045 CEST	443	49726	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:04.923521042 CEST	49726	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:05.038849115 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.038944960 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.043405056 CEST	443	49728	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.043591976 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.046406031 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.046437025 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.046493053 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.046613932 CEST	443	49727	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.046719074 CEST	49727	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.048727036 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.048743010 CEST	443	49728	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.048791885 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.048923016 CEST	443	49728	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.049004078 CEST	49728	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.130954981 CEST	49731	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.130983114 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.137586117 CEST	80	49731	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:05.138020039 CEST	80	49718	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:05.138088942 CEST	49731	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.138115883 CEST	49718	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.404800892 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.404896975 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.406864882 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.408267975 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:05.408313990 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:05.517394066 CEST	80	49730	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:05.517630100 CEST	49730	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.523515940 CEST	80	49730	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:05.523576975 CEST	49730	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:05.529771090 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.529860020 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.533173084 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.533199072 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.533477068 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.536221027 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.536334038 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.536434889 CEST	443	49729	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.536686897 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.536717892 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.537266016 CEST	49729	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.537295103 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.537455082 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:05.537468910 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:05.775949001 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:05.783350945 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:05.788409948 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:05.799521923 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:05.799521923 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:05.799557924 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:05.799907923 CEST	443	49732	13.32.99.49	192.168.2.6
Oct 24, 2024 19:04:05.800097942 CEST	49732	443	192.168.2.6	13.32.99.49
Oct 24, 2024 19:04:06.029335022 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:06.029817104 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:06.033668995 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:06.033700943 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:06.033746958 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:06.033979893 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:06.034032106 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:06.143708944 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:06.143785000 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:06.146889925 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:06.146902084 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:06.147218943 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:06.149435997 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:06.149508953 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:06.149630070 CEST	443	49736	34.160.144.191	192.168.2.6
Oct 24, 2024 19:04:06.149688005 CEST	49736	443	192.168.2.6	34.160.144.191
Oct 24, 2024 19:04:07.332041025 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.332073927 CEST	443	49748	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:07.333173990 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:07.333549023 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.334868908 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.334883928 CEST	443	49748	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:07.338874102 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:07.338948965 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:07.339061022 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:07.344371080 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:07.944392920 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:07.950416088 CEST	443	49748	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:07.950495005 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.955820084 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.955831051 CEST	443	49748	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:07.955904007 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:07.956058025 CEST	443	49748	34.117.188.166	192.168.2.6
Oct 24, 2024 19:04:07.956118107 CEST	49748	443	192.168.2.6	34.117.188.166
Oct 24, 2024 19:04:08.002552986 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:08.356015921 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:08.361541986 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:08.365957975 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:08.367908001 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:08.373358965 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:08.592464924 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:08.594420910 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:08.594458103 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:08.597686052 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:08.599119902 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:08.599138021 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:08.902834892 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:09.494259119 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.494748116 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.494971037 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.494977951 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:09.495063066 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:09.498191118 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.498229980 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.499555111 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:09.499598026 CEST	443	49764	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:09.500073910 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:09.502871990 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:09.502887964 CEST	443	49764	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:09.536664009 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:09.536691904 CEST	443	49765	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:09.537003994 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:09.538373947 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:09.538392067 CEST	443	49765	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:09.542195082 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:09.542233944 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:09.542344093 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:09.558056116 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:09.558083057 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:09.616266966 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:09.673877001 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:10.011611938 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:10.018856049 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:10.409609079 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:10.410327911 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:10.410396099 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:10.417222977 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.417314053 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:10.420269966 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:10.420284033 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.420617104 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.422204971 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:10.422521114 CEST	443	49764	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:10.422548056 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:10.422580957 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:10.423932076 CEST	443	49765	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:10.424067020 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:10.427459002 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:10.427653074 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.427805901 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:10.427824020 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.432058096 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:10.432066917 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:10.432264090 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:10.432357073 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:10.432476997 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:10.432482004 CEST	443	49765	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:10.432574034 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:10.432625055 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:10.432637930 CEST	443	49764	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:10.432682037 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:10.432764053 CEST	443	49765	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:10.432869911 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:10.432869911 CEST	49765	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:10.432879925 CEST	443	49764	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:10.432940960 CEST	49764	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:10.635349035 CEST	443	49766	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:10.635505915 CEST	49766	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:13.926000118 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:13.931706905 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:13.939709902 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:13.939795971 CEST	443	49790	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:13.939999104 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:13.941299915 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:13.941338062 CEST	443	49790	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:14.352262020 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:14.352869034 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:14.352929115 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:14.568089962 CEST	443	49790	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:14.571165085 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:14.575731039 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:14.575731993 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:14.575789928 CEST	443	49790	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:14.576011896 CEST	443	49790	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:14.585763931 CEST	49790	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:14.955919981 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:14.962883949 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.082638025 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.131218910 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:15.201404095 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:15.206806898 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.326195002 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.378657103 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:15.654599905 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.654647112 CEST	443	49801	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:15.655200958 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.656539917 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.656558990 CEST	443	49801	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:15.682188034 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:15.687680960 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.688559055 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.688602924 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:15.688918114 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.688918114 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:15.688978910 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:15.809103966 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:15.861871004 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:16.249605894 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:16.249696970 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:16.249991894 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:16.250273943 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:16.250312090 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:16.987299919 CEST	443	49801	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:16.987901926 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:16.991806984 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:16.991906881 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.780386925 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.780483961 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.884268045 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.884352922 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.885416985 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.886554956 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.886634111 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.886912107 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.890784979 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.890867949 CEST	443	49801	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.890901089 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.890983105 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891058922 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891124010 CEST	443	49801	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.891141891 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891228914 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891376019 CEST	443	49804	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.891388893 CEST	49801	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891438961 CEST	49804	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:17.891501904 CEST	443	49802	34.120.208.123	192.168.2.6
Oct 24, 2024 19:04:17.891556025 CEST	49802	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:04:18.652348995 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:18.657876968 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:18.777486086 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:18.781372070 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:18.786855936 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:18.811392069 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:18.811480999 CEST	443	49815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:18.813831091 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:18.815342903 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:18.815419912 CEST	443	49815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:18.819679976 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:18.908124924 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:18.957901001 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:19.430372000 CEST	443	49815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:19.430572033 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:19.435271025 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:19.435302019 CEST	443	49815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:19.435343981 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:19.435700893 CEST	443	49815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:19.435770988 CEST	49815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:19.437973976 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:19.443326950 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:19.563167095 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:19.565783978 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:19.572953939 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:19.606389046 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:19.695365906 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:19.738362074 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:29.526850939 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:29.526891947 CEST	443	49867	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:29.527790070 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:29.529236078 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:29.529249907 CEST	443	49867	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:29.566135883 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:29.571508884 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:29.704196930 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:29.709650993 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:30.145407915 CEST	443	49867	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:30.145566940 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:30.150588989 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:30.150593996 CEST	443	49867	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:30.150685072 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:30.150760889 CEST	443	49867	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:30.151827097 CEST	49867	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:30.153660059 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:30.159091949 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:30.278724909 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:30.281763077 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:30.287180901 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:30.321511030 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:30.408879042 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:30.453079939 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:30.515289068 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:30.515393019 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:30.515759945 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:30.515841007 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:30.516015053 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:30.516047001 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:30.516129017 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:30.516149998 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:30.516290903 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:30.516313076 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:30.520777941 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:30.520860910 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:30.521233082 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:30.521233082 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:30.521358967 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:30.727394104 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:30.727477074 CEST	443	49876	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:30.731973886 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:30.733228922 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:30.733305931 CEST	443	49876	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:30.754843950 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:30.754924059 CEST	443	49877	35.201.103.21	192.168.2.6
Oct 24, 2024 19:04:30.755559921 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:30.756947994 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:30.756978989 CEST	443	49877	35.201.103.21	192.168.2.6
Oct 24, 2024 19:04:31.123038054 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.123302937 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.126425028 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.126480103 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.126844883 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.128952980 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.129034996 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.129189014 CEST	443	49873	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.129853964 CEST	49873	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.133841991 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.138542891 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.138634920 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.139203072 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.141475916 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.141495943 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.141834974 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.143065929 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:31.143320084 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:31.145726919 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:31.145781040 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:31.146029949 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:31.146583080 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.146653891 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.146775961 CEST	443	49874	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.146986961 CEST	49874	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.148998022 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:31.148998022 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:31.149197102 CEST	443	49875	151.101.129.91	192.168.2.6
Oct 24, 2024 19:04:31.149341106 CEST	49875	443	192.168.2.6	151.101.129.91
Oct 24, 2024 19:04:31.156608105 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.156689882 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.156893015 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.156991005 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.157011032 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.158899069 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.158915997 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.159199953 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.159279108 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.159285069 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.161437988 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.161521912 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.161672115 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.161776066 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.161794901 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.260667086 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.277414083 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.283840895 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.324440956 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.339138985 CEST	443	49876	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:31.339212894 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:31.342674971 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:31.342703104 CEST	443	49876	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:31.342756033 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:31.342916965 CEST	443	49876	35.190.72.216	192.168.2.6
Oct 24, 2024 19:04:31.345074892 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.345828056 CEST	49876	443	192.168.2.6	35.190.72.216
Oct 24, 2024 19:04:31.350440979 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.392092943 CEST	443	49877	35.201.103.21	192.168.2.6
Oct 24, 2024 19:04:31.392183065 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:31.396635056 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:31.396648884 CEST	443	49877	35.201.103.21	192.168.2.6
Oct 24, 2024 19:04:31.396720886 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:31.397015095 CEST	443	49877	35.201.103.21	192.168.2.6
Oct 24, 2024 19:04:31.409028053 CEST	49877	443	192.168.2.6	35.201.103.21
Oct 24, 2024 19:04:31.409075022 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.410669088 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.410751104 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.412324905 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.412614107 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:31.412678957 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:31.455882072 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.469995975 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.473140001 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.478472948 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.525001049 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.599363089 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.640942097 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.768748045 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.768996000 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.771177053 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.771404028 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.771747112 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.771801949 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.772169113 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.774024963 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.774079084 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.774359941 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.777215004 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.777309895 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.777488947 CEST	443	49882	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.777661085 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.777661085 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.777836084 CEST	49882	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.777899027 CEST	443	49884	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.778147936 CEST	49884	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.781503916 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:31.785742044 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.785831928 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.787015915 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:31.788357973 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.788367033 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.788696051 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.790406942 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.790522099 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:31.790608883 CEST	443	49883	35.244.181.201	192.168.2.6
Oct 24, 2024 19:04:31.793010950 CEST	49883	443	192.168.2.6	35.244.181.201
Oct 24, 2024 19:04:32.229166985 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.229496956 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.230526924 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:32.231765032 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:32.237555981 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.242063046 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:32.242294073 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:32.245351076 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:32.245363951 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:32.245765924 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:32.248111963 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:32.248178959 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:32.248344898 CEST	443	49886	34.149.100.209	192.168.2.6
Oct 24, 2024 19:04:32.248431921 CEST	49886	443	192.168.2.6	34.149.100.209
Oct 24, 2024 19:04:32.250313997 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:32.256141901 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.358876944 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.375647068 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.378194094 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:32.383764982 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.427489042 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:32.521192074 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:32.568881989 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:42.386250973 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:42.391582012 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:42.533596992 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:42.538928986 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:50.183058023 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.183140993 CEST	443	57815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:50.183221102 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.184879065 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.184962034 CEST	443	57815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:50.800126076 CEST	443	57815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:50.800235033 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.804071903 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.804126024 CEST	443	57815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:50.804193020 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.804358959 CEST	443	57815	34.107.243.93	192.168.2.6
Oct 24, 2024 19:04:50.804816961 CEST	57815	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:04:50.806473970 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:50.811882019 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:50.931528091 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:50.934526920 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:50.939981937 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:50.979437113 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:04:51.061284065 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:04:51.110953093 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:00.695045948 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.695128918 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.695461035 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.695595026 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.695628881 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.710839033 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.710911989 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.710937977 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.710994005 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.712449074 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.712532043 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.713759899 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.713782072 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.715646982 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715651989 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715871096 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715872049 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715873003 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715914011 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.715956926 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.715990067 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.716090918 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.716115952 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.716155052 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.716238022 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.716769934 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.716824055 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.728815079 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.729068995 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:00.729139090 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:00.938208103 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:00.943690062 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.069850922 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.075309038 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.301284075 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.301594019 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.304246902 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.304279089 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.304517984 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.306602955 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.306670904 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.306763887 CEST	443	57866	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.307032108 CEST	57866	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.307442904 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.307501078 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.307945013 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.308099031 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.308137894 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.324347019 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.324428082 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.327127934 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.327159882 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.328052044 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.328706026 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.328846931 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.330641985 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.330732107 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.330868006 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.330878973 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.330921888 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.331124067 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.331160069 CEST	443	57870	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.331217051 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.333266020 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.333276033 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.333600044 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.334151983 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.334218025 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.334239006 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.335361004 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335407019 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335550070 CEST	443	57868	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.335832119 CEST	57870	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335869074 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335885048 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335901976 CEST	57868	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.335921049 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.337960005 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.338033915 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.338089943 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.338149071 CEST	443	57867	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.338211060 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.338411093 CEST	57867	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.338582993 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.338615894 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.338730097 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.342937946 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.342988968 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.343156099 CEST	443	57869	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.344126940 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.350255013 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.350297928 CEST	57869	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.351623058 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.351658106 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.352423906 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.354768991 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.354783058 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.355278015 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.357809067 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.357866049 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.358006954 CEST	443	57871	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.358846903 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.358848095 CEST	57871	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.472755909 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.501959085 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.508447886 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.526647091 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.629914999 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.680330038 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.923360109 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.923459053 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.926353931 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.926384926 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.926601887 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.928864956 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.928958893 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.929003954 CEST	443	57872	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.929820061 CEST	57872	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.931821108 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:01.937427998 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:01.957461119 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.957581997 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.960812092 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.960844040 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.961162090 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.963355064 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.963479042 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:01.963777065 CEST	443	57873	34.120.208.123	192.168.2.6
Oct 24, 2024 19:05:01.963857889 CEST	57873	443	192.168.2.6	34.120.208.123
Oct 24, 2024 19:05:02.056796074 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:02.065342903 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:02.071065903 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:02.112879992 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:02.192409039 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:02.244235039 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:12.072783947 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:12.078742981 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:12.210851908 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:12.216445923 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:22.085390091 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:22.091001034 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:22.216813087 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:22.222301006 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:31.978449106 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:31.978509903 CEST	443	57875	34.107.243.93	192.168.2.6
Oct 24, 2024 19:05:31.978693962 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:31.980232954 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:31.980252981 CEST	443	57875	34.107.243.93	192.168.2.6
Oct 24, 2024 19:05:32.097461939 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:32.103210926 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.229120970 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:32.234878063 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.605519056 CEST	443	57875	34.107.243.93	192.168.2.6
Oct 24, 2024 19:05:32.605644941 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:32.611015081 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:32.611041069 CEST	443	57875	34.107.243.93	192.168.2.6
Oct 24, 2024 19:05:32.611143112 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:32.611423016 CEST	443	57875	34.107.243.93	192.168.2.6
Oct 24, 2024 19:05:32.611888885 CEST	57875	443	192.168.2.6	34.107.243.93
Oct 24, 2024 19:05:32.614010096 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:32.620826960 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.742818117 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.746479034 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:32.751974106 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.783938885 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:32.874665976 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:32.915450096 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:42.757384062 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:42.762784004 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:42.895370960 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:42.900794983 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:52.768835068 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:52.774310112 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:05:52.922868967 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:05:52.928633928 CEST	80	49755	34.107.221.82	192.168.2.6
Oct 24, 2024 19:06:02.782630920 CEST	49749	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:06:02.788147926 CEST	80	49749	34.107.221.82	192.168.2.6
Oct 24, 2024 19:06:02.945420027 CEST	49755	80	192.168.2.6	34.107.221.82
Oct 24, 2024 19:06:02.950776100 CEST	80	49755	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 19:04:02.904541016 CEST	61672	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.909423113 CEST	50550	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.914067030 CEST	53	61672	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.932280064 CEST	56852	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.933317900 CEST	58850	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.934084892 CEST	53430	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.940658092 CEST	53	56852	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.941126108 CEST	53	58850	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.941554070 CEST	60108	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.941557884 CEST	53	53430	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.946527004 CEST	53764	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.946657896 CEST	54222	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:02.950436115 CEST	53	60108	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.954449892 CEST	53	53764	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:02.955070972 CEST	53	54222	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.759726048 CEST	56525	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.767386913 CEST	62258	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.768577099 CEST	53	56525	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.771399975 CEST	50594	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.771908045 CEST	59693	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.782957077 CEST	53	62258	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.785451889 CEST	53	50594	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.786386967 CEST	53	59693	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.788532019 CEST	53274	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.789112091 CEST	53615	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.797795057 CEST	53	53615	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.797875881 CEST	53	53274	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.810257912 CEST	54392	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.810997009 CEST	57658	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:03.818423033 CEST	53	57658	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:03.818820953 CEST	53	54392	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.113297939 CEST	51130	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.153785944 CEST	54744	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.162638903 CEST	53	54744	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.170938015 CEST	54825	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.179085970 CEST	53	54825	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.485685110 CEST	59225	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.493551016 CEST	53	59225	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.495526075 CEST	54570	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.877722979 CEST	62395	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.881513119 CEST	55256	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.899373055 CEST	53	54570	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.904084921 CEST	53	62395	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.907145023 CEST	54820	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.908180952 CEST	57353	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.914401054 CEST	53	54820	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.918873072 CEST	53	57353	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.933489084 CEST	62625	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:04.943244934 CEST	53	61364	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:04.944674969 CEST	53	62625	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:07.603684902 CEST	63094	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:07.613879919 CEST	53	63094	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:07.614587069 CEST	61903	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:07.622953892 CEST	53	61903	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:07.623562098 CEST	51008	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:07.630970001 CEST	53	51008	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:08.003453970 CEST	56908	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:08.011893034 CEST	53	56908	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:08.012861967 CEST	60151	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:08.021086931 CEST	53	60151	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:08.021579981 CEST	51212	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:08.029290915 CEST	53	51212	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.500053883 CEST	56858	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.508595943 CEST	53	56858	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.523967028 CEST	60382	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.530039072 CEST	58703	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.531816006 CEST	53	60382	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.534509897 CEST	51851	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.539028883 CEST	53	58703	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.540646076 CEST	50708	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.542243958 CEST	53	51851	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.548474073 CEST	53	50708	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:09.550425053 CEST	51322	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:09.559156895 CEST	53	51322	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:15.655275106 CEST	64446	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:15.662878036 CEST	53	64446	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:18.811739922 CEST	65184	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:18.819726944 CEST	53	65184	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.965554953 CEST	49977	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.965554953 CEST	60826	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.965889931 CEST	60369	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.973139048 CEST	53	49977	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.973151922 CEST	53	60369	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.973787069 CEST	53268	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.974162102 CEST	61861	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.977288961 CEST	53	60826	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.977828979 CEST	50468	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.981730938 CEST	53	53268	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.981915951 CEST	53	61861	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.982199907 CEST	63722	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.982702971 CEST	60822	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.986237049 CEST	53	50468	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.986686945 CEST	61153	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.990035057 CEST	53	63722	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.990196943 CEST	53	60822	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.990536928 CEST	56758	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.991121054 CEST	55935	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:20.994148016 CEST	53	61153	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.998317957 CEST	53	56758	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:20.998559952 CEST	53	55935	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:21.253484964 CEST	59759	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:21.253485918 CEST	63209	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:21.321641922 CEST	53	63209	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:21.322448969 CEST	49788	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:21.574261904 CEST	53	59759	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:21.575022936 CEST	55677	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:21.578927040 CEST	53	49788	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:21.582829952 CEST	53	55677	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:29.527744055 CEST	58467	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:29.535238981 CEST	53	58467	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.511651993 CEST	57134	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.514594078 CEST	63470	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.520036936 CEST	53	57134	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.521033049 CEST	58174	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.523756981 CEST	53	63470	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.530951977 CEST	53	58174	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.531418085 CEST	51105	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.542361021 CEST	53	51105	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.734827042 CEST	58800	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.742677927 CEST	53	58800	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.755404949 CEST	64206	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.764650106 CEST	53	64206	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:30.766511917 CEST	55966	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:30.776463032 CEST	53	55966	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:41.291059017 CEST	53	65273	162.159.36.2	192.168.2.6
Oct 24, 2024 19:04:41.946701050 CEST	53	59181	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:50.182382107 CEST	57210	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:50.190818071 CEST	53	57210	1.1.1.1	192.168.2.6
Oct 24, 2024 19:04:50.192276001 CEST	52146	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:04:50.199660063 CEST	53	52146	1.1.1.1	192.168.2.6
Oct 24, 2024 19:05:00.732234955 CEST	49732	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:05:00.739986897 CEST	53	49732	1.1.1.1	192.168.2.6
Oct 24, 2024 19:05:01.346595049 CEST	63459	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:05:31.969340086 CEST	57174	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:05:31.977530003 CEST	53	57174	1.1.1.1	192.168.2.6
Oct 24, 2024 19:05:31.978434086 CEST	62639	53	192.168.2.6	1.1.1.1
Oct 24, 2024 19:05:31.986008883 CEST	53	62639	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 19:04:02.904541016 CEST	192.168.2.6	1.1.1.1	0x5b73	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.909423113 CEST	192.168.2.6	1.1.1.1	0x77f4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.932280064 CEST	192.168.2.6	1.1.1.1	0x1292	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.933317900 CEST	192.168.2.6	1.1.1.1	0x44c3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.934084892 CEST	192.168.2.6	1.1.1.1	0x2ed9	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.941554070 CEST	192.168.2.6	1.1.1.1	0x8d42	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:02.946527004 CEST	192.168.2.6	1.1.1.1	0xe1ff	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:02.946657896 CEST	192.168.2.6	1.1.1.1	0xb750	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:03.759726048 CEST	192.168.2.6	1.1.1.1	0xb9dc	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.767386913 CEST	192.168.2.6	1.1.1.1	0xc13c	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.771399975 CEST	192.168.2.6	1.1.1.1	0x55c2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.771908045 CEST	192.168.2.6	1.1.1.1	0x7390	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.788532019 CEST	192.168.2.6	1.1.1.1	0x7584	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.789112091 CEST	192.168.2.6	1.1.1.1	0x9869	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.810257912 CEST	192.168.2.6	1.1.1.1	0x48ad	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:03.810997009 CEST	192.168.2.6	1.1.1.1	0x7402	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:04.113297939 CEST	192.168.2.6	1.1.1.1	0xa05b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.153785944 CEST	192.168.2.6	1.1.1.1	0xaf9e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.170938015 CEST	192.168.2.6	1.1.1.1	0xcbdf	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:04.485685110 CEST	192.168.2.6	1.1.1.1	0xa182	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.495526075 CEST	192.168.2.6	1.1.1.1	0x9c1f	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.877722979 CEST	192.168.2.6	1.1.1.1	0xfeae	Standard query (0)	mitmdetection.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.881513119 CEST	192.168.2.6	1.1.1.1	0xe8c4	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.907145023 CEST	192.168.2.6	1.1.1.1	0x8044	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:04.908180952 CEST	192.168.2.6	1.1.1.1	0x25c	Standard query (0)	mitmdetection.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.933489084 CEST	192.168.2.6	1.1.1.1	0xa3d4	Standard query (0)	mitmdetection.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:07.603684902 CEST	192.168.2.6	1.1.1.1	0x2f0b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:07.614587069 CEST	192.168.2.6	1.1.1.1	0x6449	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:07.623562098 CEST	192.168.2.6	1.1.1.1	0x65a5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:08.003453970 CEST	192.168.2.6	1.1.1.1	0xabbe	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:08.012861967 CEST	192.168.2.6	1.1.1.1	0x4d5b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:08.021579981 CEST	192.168.2.6	1.1.1.1	0x81a3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:09.500053883 CEST	192.168.2.6	1.1.1.1	0xfb67	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.523967028 CEST	192.168.2.6	1.1.1.1	0x1e67	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.530039072 CEST	192.168.2.6	1.1.1.1	0x2c06	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:09.534509897 CEST	192.168.2.6	1.1.1.1	0xa5f2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:09.540646076 CEST	192.168.2.6	1.1.1.1	0xb63b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.550425053 CEST	192.168.2.6	1.1.1.1	0x1653	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:15.655275106 CEST	192.168.2.6	1.1.1.1	0xa447	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:18.811739922 CEST	192.168.2.6	1.1.1.1	0xdcee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:20.965554953 CEST	192.168.2.6	1.1.1.1	0x3d59	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.965554953 CEST	192.168.2.6	1.1.1.1	0x819f	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.965889931 CEST	192.168.2.6	1.1.1.1	0x78a1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973787069 CEST	192.168.2.6	1.1.1.1	0x1403	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.974162102 CEST	192.168.2.6	1.1.1.1	0x4890	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.977828979 CEST	192.168.2.6	1.1.1.1	0xf6e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.982199907 CEST	192.168.2.6	1.1.1.1	0xcf2f	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 24, 2024 19:04:20.982702971 CEST	192.168.2.6	1.1.1.1	0xa5a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:20.986686945 CEST	192.168.2.6	1.1.1.1	0xb483	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:20.990536928 CEST	192.168.2.6	1.1.1.1	0x159d	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.991121054 CEST	192.168.2.6	1.1.1.1	0x51e8	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.253484964 CEST	192.168.2.6	1.1.1.1	0x4407	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.253485918 CEST	192.168.2.6	1.1.1.1	0x16ec	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.322448969 CEST	192.168.2.6	1.1.1.1	0xc2c4	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:21.575022936 CEST	192.168.2.6	1.1.1.1	0x7a3b	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:29.527744055 CEST	192.168.2.6	1.1.1.1	0x686a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:30.511651993 CEST	192.168.2.6	1.1.1.1	0x999	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.514594078 CEST	192.168.2.6	1.1.1.1	0x7fad	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 19:04:30.521033049 CEST	192.168.2.6	1.1.1.1	0x8a4c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.531418085 CEST	192.168.2.6	1.1.1.1	0xbc1b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 24, 2024 19:04:30.734827042 CEST	192.168.2.6	1.1.1.1	0x4494	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.755404949 CEST	192.168.2.6	1.1.1.1	0x6f2d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.766511917 CEST	192.168.2.6	1.1.1.1	0x88cf	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:04:50.182382107 CEST	192.168.2.6	1.1.1.1	0xa21d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:50.192276001 CEST	192.168.2.6	1.1.1.1	0xf27c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:05:00.732234955 CEST	192.168.2.6	1.1.1.1	0xa16a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 19:05:01.346595049 CEST	192.168.2.6	1.1.1.1	0xbd6f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:05:31.969340086 CEST	192.168.2.6	1.1.1.1	0xef08	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:05:31.978434086 CEST	192.168.2.6	1.1.1.1	0x828	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 19:04:02.913513899 CEST	1.1.1.1	192.168.2.6	0x9a6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.914067030 CEST	1.1.1.1	192.168.2.6	0x5b73	No error (0)	youtube.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.922034979 CEST	1.1.1.1	192.168.2.6	0x77f4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:02.922034979 CEST	1.1.1.1	192.168.2.6	0x77f4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.940658092 CEST	1.1.1.1	192.168.2.6	0x1292	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.941126108 CEST	1.1.1.1	192.168.2.6	0x44c3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.941557884 CEST	1.1.1.1	192.168.2.6	0x2ed9	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:02.954449892 CEST	1.1.1.1	192.168.2.6	0xe1ff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 19:04:02.955070972 CEST	1.1.1.1	192.168.2.6	0xb750	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:03.768577099 CEST	1.1.1.1	192.168.2.6	0xb9dc	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.782957077 CEST	1.1.1.1	192.168.2.6	0xc13c	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.782957077 CEST	1.1.1.1	192.168.2.6	0xc13c	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.785451889 CEST	1.1.1.1	192.168.2.6	0x55c2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.786386967 CEST	1.1.1.1	192.168.2.6	0x7390	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:03.786386967 CEST	1.1.1.1	192.168.2.6	0x7390	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.797795057 CEST	1.1.1.1	192.168.2.6	0x9869	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:03.797875881 CEST	1.1.1.1	192.168.2.6	0x7584	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.121387959 CEST	1.1.1.1	192.168.2.6	0xa05b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:04.121387959 CEST	1.1.1.1	192.168.2.6	0xa05b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.152728081 CEST	1.1.1.1	192.168.2.6	0x549e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:04.152728081 CEST	1.1.1.1	192.168.2.6	0x549e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.162638903 CEST	1.1.1.1	192.168.2.6	0xaf9e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.493551016 CEST	1.1.1.1	192.168.2.6	0xa182	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:04.493551016 CEST	1.1.1.1	192.168.2.6	0xa182	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:04.493551016 CEST	1.1.1.1	192.168.2.6	0xa182	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.899373055 CEST	1.1.1.1	192.168.2.6	0x9c1f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.902303934 CEST	1.1.1.1	192.168.2.6	0xe8c4	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:04.904084921 CEST	1.1.1.1	192.168.2.6	0xfeae	No error (0)	mitmdetection.services.mozilla.com		13.32.99.49	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.904084921 CEST	1.1.1.1	192.168.2.6	0xfeae	No error (0)	mitmdetection.services.mozilla.com		13.32.99.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.904084921 CEST	1.1.1.1	192.168.2.6	0xfeae	No error (0)	mitmdetection.services.mozilla.com		13.32.99.66	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.904084921 CEST	1.1.1.1	192.168.2.6	0xfeae	No error (0)	mitmdetection.services.mozilla.com		13.32.99.17	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.914401054 CEST	1.1.1.1	192.168.2.6	0x8044	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.918873072 CEST	1.1.1.1	192.168.2.6	0x25c	No error (0)	mitmdetection.services.mozilla.com		13.32.99.49	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.918873072 CEST	1.1.1.1	192.168.2.6	0x25c	No error (0)	mitmdetection.services.mozilla.com		13.32.99.17	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.918873072 CEST	1.1.1.1	192.168.2.6	0x25c	No error (0)	mitmdetection.services.mozilla.com		13.32.99.66	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.918873072 CEST	1.1.1.1	192.168.2.6	0x25c	No error (0)	mitmdetection.services.mozilla.com		13.32.99.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:04.944674969 CEST	1.1.1.1	192.168.2.6	0xa3d4	No error (0)	mitmdetection.services.mozilla.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:07.613879919 CEST	1.1.1.1	192.168.2.6	0x2f0b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:07.613879919 CEST	1.1.1.1	192.168.2.6	0x2f0b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:07.613879919 CEST	1.1.1.1	192.168.2.6	0x2f0b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:07.622953892 CEST	1.1.1.1	192.168.2.6	0x6449	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:08.011893034 CEST	1.1.1.1	192.168.2.6	0xabbe	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:08.021086931 CEST	1.1.1.1	192.168.2.6	0x4d5b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.498486042 CEST	1.1.1.1	192.168.2.6	0xba5c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.508595943 CEST	1.1.1.1	192.168.2.6	0xfb67	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.531816006 CEST	1.1.1.1	192.168.2.6	0x1e67	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:09.531816006 CEST	1.1.1.1	192.168.2.6	0x1e67	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.541153908 CEST	1.1.1.1	192.168.2.6	0x705c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:09.541153908 CEST	1.1.1.1	192.168.2.6	0x705c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:09.548474073 CEST	1.1.1.1	192.168.2.6	0xb63b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:13.936024904 CEST	1.1.1.1	192.168.2.6	0x5227	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973139048 CEST	1.1.1.1	192.168.2.6	0x3d59	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973151922 CEST	1.1.1.1	192.168.2.6	0x78a1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:20.973151922 CEST	1.1.1.1	192.168.2.6	0x78a1	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.977288961 CEST	1.1.1.1	192.168.2.6	0x819f	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:20.977288961 CEST	1.1.1.1	192.168.2.6	0x819f	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981730938 CEST	1.1.1.1	192.168.2.6	0x1403	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.981915951 CEST	1.1.1.1	192.168.2.6	0x4890	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.986237049 CEST	1.1.1.1	192.168.2.6	0xf6e	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.990035057 CEST	1.1.1.1	192.168.2.6	0xcf2f	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.990196943 CEST	1.1.1.1	192.168.2.6	0xa5a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.990196943 CEST	1.1.1.1	192.168.2.6	0xa5a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.990196943 CEST	1.1.1.1	192.168.2.6	0xa5a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.990196943 CEST	1.1.1.1	192.168.2.6	0xa5a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.994148016 CEST	1.1.1.1	192.168.2.6	0xb483	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 24, 2024 19:04:20.998317957 CEST	1.1.1.1	192.168.2.6	0x159d	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:20.998317957 CEST	1.1.1.1	192.168.2.6	0x159d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.998317957 CEST	1.1.1.1	192.168.2.6	0x159d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.998317957 CEST	1.1.1.1	192.168.2.6	0x159d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.998317957 CEST	1.1.1.1	192.168.2.6	0x159d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:20.998559952 CEST	1.1.1.1	192.168.2.6	0x51e8	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.321641922 CEST	1.1.1.1	192.168.2.6	0x16ec	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.574261904 CEST	1.1.1.1	192.168.2.6	0x4407	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.574261904 CEST	1.1.1.1	192.168.2.6	0x4407	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.574261904 CEST	1.1.1.1	192.168.2.6	0x4407	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:21.574261904 CEST	1.1.1.1	192.168.2.6	0x4407	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.512794971 CEST	1.1.1.1	192.168.2.6	0x8743	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:30.512794971 CEST	1.1.1.1	192.168.2.6	0x8743	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.520036936 CEST	1.1.1.1	192.168.2.6	0x999	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.520036936 CEST	1.1.1.1	192.168.2.6	0x999	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.520036936 CEST	1.1.1.1	192.168.2.6	0x999	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.520036936 CEST	1.1.1.1	192.168.2.6	0x999	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.530951977 CEST	1.1.1.1	192.168.2.6	0x8a4c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.530951977 CEST	1.1.1.1	192.168.2.6	0x8a4c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.530951977 CEST	1.1.1.1	192.168.2.6	0x8a4c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.530951977 CEST	1.1.1.1	192.168.2.6	0x8a4c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.742677927 CEST	1.1.1.1	192.168.2.6	0x4494	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:30.742677927 CEST	1.1.1.1	192.168.2.6	0x4494	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:30.764650106 CEST	1.1.1.1	192.168.2.6	0x6f2d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:04:31.792859077 CEST	1.1.1.1	192.168.2.6	0x1661	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:31.792859077 CEST	1.1.1.1	192.168.2.6	0x1661	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:04:50.190818071 CEST	1.1.1.1	192.168.2.6	0xa21d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:05:00.702425003 CEST	1.1.1.1	192.168.2.6	0xfc23	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:05:01.355228901 CEST	1.1.1.1	192.168.2.6	0xbd6f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 19:05:01.355228901 CEST	1.1.1.1	192.168.2.6	0xbd6f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 19:05:31.977530003 CEST	1.1.1.1	192.168.2.6	0xef08	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 19:04:02.940956116 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:03.538220882 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81110 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:04.145766973 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:04.272378922 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81111 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49725	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 19:04:04.131264925 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49730	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 19:04:04.906718016 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:05.517394066 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84298 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49749	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 19:04:07.339061022 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:07.944392920 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81114 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:08.592464924 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:08.902834892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:09.616266966 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81116 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:13.926000118 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:14.352262020 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:14.352869034 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:15.201404095 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:15.326195002 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81122 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:18.652348995 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:18.777486086 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:19.437973976 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:19.563167095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81126 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:29.566135883 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:04:30.153660059 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:30.278724909 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81137 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:31.133841991 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:31.260667086 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:31.345074892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:31.469995975 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:31.781503916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:32.229166985 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:32.229496956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:32.250313997 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:32.375647068 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81139 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:04:42.386250973 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:04:50.806473970 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:04:50.931528091 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81157 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:05:00.938208103 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:01.344126940 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:05:01.472755909 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81168 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:05:01.931821108 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:05:02.056796074 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81168 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:05:12.072783947 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:22.085390091 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:32.097461939 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:32.614010096 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 19:05:32.742818117 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 18:32:13 GMT Age: 81199 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 19:05:42.757384062 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:52.768835068 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:06:02.782630920 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49755	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 19:04:08.367908001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:09.494259119 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:09.494748116 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:09.494971037 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:10.011611938 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:10.409609079 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84303 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:10.410327911 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84303 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:14.955919981 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:15.082638025 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84308 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:15.682188034 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:15.809103966 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84308 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:18.781372070 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:18.908124924 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:19.565783978 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:19.695365906 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84312 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:29.704196930 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:04:30.281763077 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:30.408879042 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84323 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:31.277414083 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:31.409075022 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84324 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:31.473140001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:31.599363089 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84324 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:32.231765032 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:32.358876944 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84325 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:32.378194094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:32.521192074 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84325 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:04:42.533596992 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:04:50.934526920 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:04:51.061284065 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84344 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:05:01.069850922 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:01.501959085 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:05:01.629914999 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84354 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:05:02.065342903 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:05:02.192409039 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84355 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:05:12.210851908 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:22.216813087 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:32.229120970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:32.746479034 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 19:05:32.874665976 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 17:39:07 GMT Age: 84385 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 19:05:42.895370960 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:05:52.922868967 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 19:06:02.945420027 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	13:03:55
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xee0000
File size:	919'552 bytes
MD5 hash:	03BAA19835A87FFA911CFE9FB0763541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2175830359.0000000001100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:03:55
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:03:55
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:03:57
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:03:58
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:03:58
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:03:58
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:03:58
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:03:58
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:03:59
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de04cd66-a37e-4e35-afe9-9e338cbefd89} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa6e910 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	13:04:01
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -parentBuildID 20230927232528 -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b508e78f-3592-4e91-8022-e1da6e18f134} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e10aa7cb10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	13:04:08
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 4996 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274de6f3-6f8e-493d-a742-e2f38e2529b8} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 1e1232c8510 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1523
Total number of Limit Nodes:	59

Executed Functions

Function 00EE42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EE430D

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

GetCurrentProcess.KERNEL32(?,00F7CB64,00000000,?,?), ref: 00EE4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00EE4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00EE4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EE4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00EE4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00EE447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00EE44A0

Strings

|O, xrefs: 00F236F8
kernel32.dll, xrefs: 00EE444F
GetNativeSystemInfo, xrefs: 00EE4460

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 7c365def109847d8896c3282abdb44e3b9c79fa3b214af836992006149a939ae
Instruction ID: a8275c0d80ffc5b2c411db0ae93026d6e60b2d27315e83ca3e011366ce953374
Opcode Fuzzy Hash: 7c365def109847d8896c3282abdb44e3b9c79fa3b214af836992006149a939ae
Instruction Fuzzy Hash: 5FA1C6A5A1A3DCCFCB11C7A97CE01D93FE47B26300B8C56A9D081A3BA1F2244544FF62

Function 00EE42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EE50AA,?,?,00000000,00000000), ref: 00EE42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EE50AA,?,?,00000000,00000000), ref: 00EE42C9
LoadResource.KERNEL32(?,00000000,?,?,00EE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F20), ref: 00F235BE
SizeofResource.KERNEL32(?,00000000,?,?,00EE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F20), ref: 00F235D3
LockResource.KERNEL32(00EE50AA,?,?,00EE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F20,?), ref: 00F235E6

Strings

SCRIPT, xrefs: 00EE42BF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 96f904eb29d454c3317529f9945694a48de8a31261318897c6ad54067509a621
Instruction ID: 041eba9f4dc0f3faa81c57ed2dd6077a8d4d431430da13c59d84a08675c40b07
Opcode Fuzzy Hash: 96f904eb29d454c3317529f9945694a48de8a31261318897c6ad54067509a621
Instruction Fuzzy Hash: 7611CEB0200308BFD7219B66DC48F277BBAEBC9B51F14816DF506E62A0DB71DC00D662

Function 00F22BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00EE2B6B

Part of subcall function 00EE3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FB1418,?,00EE2E7F,?,?,?,00000000), ref: 00EE3A78

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00FA2224), ref: 00F22C10
ShellExecuteW.SHELL32(00000000,?,?,00FA2224), ref: 00F22C17

Strings

runas, xrefs: 00F22C0B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4ceb7f0245702d3916679bfb0a482d3c8a7a7c9442aec001d7224c5a30969c8f
Instruction ID: 2e6a1b267fc0d7c74c7933161e337d1462876064b1548de6c12aa1f48031c478
Opcode Fuzzy Hash: 4ceb7f0245702d3916679bfb0a482d3c8a7a7c9442aec001d7224c5a30969c8f
Instruction Fuzzy Hash: 1811E4312083CDAAC714FF32D8559AEB7E8AB91740F54242DF186330A3DF208A4AA752

Function 00F4D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F4D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F4D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F4D52F
CloseHandle.KERNELBASE(00000000), ref: 00F4D5DC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 86370758dbc4500c616f14f66db4e2308c748c86bcf0ef62caf93b4104864cbd
Instruction ID: d9c7e3ee201bed654a9fd4624ce9817091240c7fd1076d95ad1be2fb199494be
Opcode Fuzzy Hash: 86370758dbc4500c616f14f66db4e2308c748c86bcf0ef62caf93b4104864cbd
Instruction Fuzzy Hash: E631AF321083449FD304EF54D881AAFBBE8EFD9354F54092DF585921A2EB719984DB93

Function 00F4DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00F25222), ref: 00F4DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F4DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00F4DBEE
FindClose.KERNEL32(00000000), ref: 00F4DBFA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e37a2d64e8791652c2d326fa9583064c08b81cf316995f89074b5b1616da212a
Instruction ID: 1650242c195eeaeb63e7e92f731b9dfaf0122e2983722f0900ee04c81c32047e
Opcode Fuzzy Hash: e37a2d64e8791652c2d326fa9583064c08b81cf316995f89074b5b1616da212a
Instruction Fuzzy Hash: DEF0E5318109185782216BBCAC4D8AA3B6C9F02334B50471AFE3AC20F0EBB05DD4E6D6

Function 00F04CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F128E9,?,00F04CBE,00F128E9,00FA88B8,0000000C,00F04E15,00F128E9,00000002,00000000,?,00F128E9), ref: 00F04D09
TerminateProcess.KERNEL32(00000000,?,00F04CBE,00F128E9,00FA88B8,0000000C,00F04E15,00F128E9,00000002,00000000,?,00F128E9), ref: 00F04D10
ExitProcess.KERNEL32 ref: 00F04D22

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2cf359476552b7af16f333466154c0e7fd30efb38175e3c6f351debd503e2ce6
Instruction ID: 3eace73432f4a99786f6d59e7af53396bb47256b6e2ada72ebb9179da595e48f
Opcode Fuzzy Hash: 2cf359476552b7af16f333466154c0e7fd30efb38175e3c6f351debd503e2ce6
Instruction Fuzzy Hash: 57E0B671401248BBDF11AF54DD09A583B6AEB41795B104018FD099A172CB39ED82FA81

Function 00F6AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00F6B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F6B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F6B1D4
_wcslen.LIBCMT ref: 00F6B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F6B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F6B236
_wcslen.LIBCMT ref: 00F6B332

Part of subcall function 00F505A7: GetStdHandle.KERNEL32(000000F6), ref: 00F505C6

_wcslen.LIBCMT ref: 00F6B34B
_wcslen.LIBCMT ref: 00F6B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F6B3B6
GetLastError.KERNEL32(00000000), ref: 00F6B407
CloseHandle.KERNEL32(?), ref: 00F6B439
CloseHandle.KERNEL32(00000000), ref: 00F6B44A
CloseHandle.KERNEL32(00000000), ref: 00F6B45C
CloseHandle.KERNEL32(00000000), ref: 00F6B46E
CloseHandle.KERNEL32(?), ref: 00F6B4E3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: de7e3e4aa6c4ab628e43b7b18d0920edb598a119da6759d58ee42d32072a161e
Instruction ID: 3338d9d6a13c8fc8bcf7fa433d23475c4e9373248e749dc36520fc2f628bdd05
Opcode Fuzzy Hash: de7e3e4aa6c4ab628e43b7b18d0920edb598a119da6759d58ee42d32072a161e
Instruction Fuzzy Hash: 5DF1CE31A083449FC714EF24C891B2FBBE5AF85324F14855DF9899B2A2DB31EC84DB52

Function 00EED730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EED807
timeGetTime.WINMM ref: 00EEDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EEDB28
TranslateMessage.USER32(?), ref: 00EEDB7B
DispatchMessageW.USER32(?), ref: 00EEDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EEDB9F
Sleep.KERNELBASE(0000000A), ref: 00EEDBB1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 164059e9fc38ca6a5070d74ab27c4204a0826a621af6f9aa7a45fdd6757649e5
Instruction ID: f1daf6a668566fe3a703c89486d509f6d254aaf600a817173e88d8c4e602ff4c
Opcode Fuzzy Hash: 164059e9fc38ca6a5070d74ab27c4204a0826a621af6f9aa7a45fdd6757649e5
Instruction Fuzzy Hash: 9F421430608389DFD728CF25CC84BAAB7E0BF85324F14561DE459A7291D7B5E884EF92

Function 00EE2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE2D07
RegisterClassExW.USER32(00000030), ref: 00EE2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE2D42
InitCommonControlsEx.COMCTL32(?), ref: 00EE2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE2D6F
LoadIconW.USER32(000000A9), ref: 00EE2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE2D94

Strings

AutoIt v3 GUI, xrefs: 00EE2D23
TaskbarCreated, xrefs: 00EE2D37
0, xrefs: 00EE2CE9
+, xrefs: 00EE2CF0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3a93f445d68a06d0d56fa6679543f80ca8dc4a20fe4ea22a7a7a5fd8ff8c448a
Instruction ID: ab3f2a6fb2fd318af1df9c042536486c2782df891b207e5ad7f430d52a6f9c38
Opcode Fuzzy Hash: 3a93f445d68a06d0d56fa6679543f80ca8dc4a20fe4ea22a7a7a5fd8ff8c448a
Instruction Fuzzy Hash: 3D21F2B190134CAFDB00DFA4EC99BDDBBB4FB08701F10821AF615A62A0D7B14584EF92

Function 00F2065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F20704,?,?,00000000,?,00F20704,00000000,0000000C), ref: 00F203B7

GetLastError.KERNEL32 ref: 00F2076F
__dosmaperr.LIBCMT ref: 00F20776
GetFileType.KERNELBASE(00000000), ref: 00F20782
GetLastError.KERNEL32 ref: 00F2078C
__dosmaperr.LIBCMT ref: 00F20795
CloseHandle.KERNEL32(00000000), ref: 00F207B5
CloseHandle.KERNEL32(?), ref: 00F208FF
GetLastError.KERNEL32 ref: 00F20931
__dosmaperr.LIBCMT ref: 00F20938

Strings

H, xrefs: 00F208BD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8bf6d548b4297dab376a4b3b98f0e5af3ba261601bfa468d1dd58d9391e6a5f2
Instruction ID: fa6b67bbb5a553c4d2ddd7fc75e19c4e3fe81e53addad44ebc699de08687bffd
Opcode Fuzzy Hash: 8bf6d548b4297dab376a4b3b98f0e5af3ba261601bfa468d1dd58d9391e6a5f2
Instruction Fuzzy Hash: DAA1F333A001188FDF19EF68EC91BAE7BA0AB46320F14015DF8159B2D2DB359952EB91

Function 00EE344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FB1418,?,00EE2E7F,?,?,?,00000000), ref: 00EE3A78

Part of subcall function 00EE3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EE3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EE356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F2318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F231CE
RegCloseKey.ADVAPI32(?), ref: 00F23210
_wcslen.LIBCMT ref: 00F23277
_wcslen.LIBCMT ref: 00F23286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00EE3560
\Include\, xrefs: 00EE3527
Include, xrefs: 00F23184, 00F231C5
\, xrefs: 00F2328C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 809f60f2c0abb093e6cff054aeaf4a41ce748dbf74abfc75f1413f3b7d5a75a0
Instruction ID: cf23491716dd0701e06a2a5e89f7d1299e9cb951a3839e2ddba75e769ee62c8f
Opcode Fuzzy Hash: 809f60f2c0abb093e6cff054aeaf4a41ce748dbf74abfc75f1413f3b7d5a75a0
Instruction Fuzzy Hash: B471E4B14043489EC344EF29EC8186FBBE8FF85740F445A2EF545931A1EB349A48EF62

Function 00EE2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00EE2B9D
LoadIconW.USER32(00000063), ref: 00EE2BB3
LoadIconW.USER32(000000A4), ref: 00EE2BC5
LoadIconW.USER32(000000A2), ref: 00EE2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE2BEF
RegisterClassExW.USER32(?), ref: 00EE2C40

Part of subcall function 00EE2CD4: GetSysColorBrush.USER32(0000000F), ref: 00EE2D07
Part of subcall function 00EE2CD4: RegisterClassExW.USER32(00000030), ref: 00EE2D31
Part of subcall function 00EE2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE2D42
Part of subcall function 00EE2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00EE2D5F
Part of subcall function 00EE2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE2D6F
Part of subcall function 00EE2CD4: LoadIconW.USER32(000000A9), ref: 00EE2D85
Part of subcall function 00EE2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE2D94

Strings

0, xrefs: 00EE2C0F
#, xrefs: 00EE2C16
AutoIt v3, xrefs: 00EE2C2F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6f4f0c42356eb9157d5eacf0aad97ca45abc3143c598c1999a0bded820946676
Instruction ID: b9155c00201683ea69fd2d62d082b973eba71af01dcffc2b9023043a0ddb125c
Opcode Fuzzy Hash: 6f4f0c42356eb9157d5eacf0aad97ca45abc3143c598c1999a0bded820946676
Instruction Fuzzy Hash: 86212F71E0035CABDB109FA5ECA5A9E7FF4FB48B50F58411EE604A66A0E7B10540EF91

Function 00EE3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00EE316A,?,?), ref: 00EE31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00EE316A,?,?), ref: 00EE3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00EE316A,?,?), ref: 00EE3232
CreatePopupMenu.USER32 ref: 00EE3246
PostQuitMessage.USER32(00000000), ref: 00EE3267

Strings

TaskbarCreated, xrefs: 00EE322D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fa90f64bdda98bbb4349fd5e5fcaf5452182200bbe4790e6b9f13434660b4c07
Instruction ID: 04b4084614b497164922f4743c683ec941586e4f24dbcbfc8f257643a26427f3
Opcode Fuzzy Hash: fa90f64bdda98bbb4349fd5e5fcaf5452182200bbe4790e6b9f13434660b4c07
Instruction Fuzzy Hash: 94418E3020428CB7EB181B7AEC5DBF93A54F705345F44222DF645A71B2DB71CA40BBA2

Function 00EE1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EE1459
CoUninitialize.COMBASE ref: 00EE14F8
UnregisterHotKey.USER32(?), ref: 00EE16DD
DestroyWindow.USER32(?), ref: 00F224B9
FreeLibrary.KERNEL32(?), ref: 00F2251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F2254B

Strings

close all, xrefs: 00EE1454

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5f5e7da128d620fac83c5e45a06b135639035c460a63e16bee3d2ed34fd3b2c0
Instruction ID: c5a343bac67cff00eacb36a59c9c32787b13443e9ca8dcf4c32ef844b92db9b6
Opcode Fuzzy Hash: 5f5e7da128d620fac83c5e45a06b135639035c460a63e16bee3d2ed34fd3b2c0
Instruction Fuzzy Hash: 4BD1DE31701266DFCB28EF16D895A29F7A0BF04710F1492ADE54A7B262CB30ED52DF91

Function 00EE2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EE1CAD,?), ref: 00EE2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00EE1CAD,?), ref: 00EE2CCF

Strings

edit, xrefs: 00EE2CAC
AutoIt v3, xrefs: 00EE2C89, 00EE2C8E, 00EE2C8F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4faebefb19494e6d6cc2e9f6799bbc08e463f921fa719215117e2044c4c3ace6
Instruction ID: ddfb3191e74192d3232a3d29a5662193821d73b49231d1bc8f728c4e255d80b4
Opcode Fuzzy Hash: 4faebefb19494e6d6cc2e9f6799bbc08e463f921fa719215117e2044c4c3ace6
Instruction Fuzzy Hash: CCF03A755402987AEB300723AC98E773EBDE7C6F50B58411EFA04A31A0E6620841FFB1

Function 00EE3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00EE3B0F,SwapMouseButtons,00000004,?), ref: 00EE3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00EE3B0F,SwapMouseButtons,00000004,?), ref: 00EE3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00EE3B0F,SwapMouseButtons,00000004,?), ref: 00EE3B83

Strings

Control Panel\Mouse, xrefs: 00EE3B3E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5dde83e8dad289e460e221677d6056c329ddcf3221ba6201f8d90630bae641f1
Instruction ID: 0a41b82ea842bfb76b1d1dcfdc9715147f3d9eda65724057e091ea2a25065628
Opcode Fuzzy Hash: 5dde83e8dad289e460e221677d6056c329ddcf3221ba6201f8d90630bae641f1
Instruction Fuzzy Hash: D1112AB551024CFFDB208FA6DC48AEEBBB9EF44744B105559E806E7110D2319E40A7A0

Function 00EE3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F233A2

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE3A04

Strings

Line: , xrefs: 00F233EB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7b308562af64de95cc8364c207a90730e9c1a4ed48bbed8f608c148026e12c35
Instruction ID: cb4eef1a420d7486c8003540c6d769208505a51619350680ff9220aaca55ce28
Opcode Fuzzy Hash: 7b308562af64de95cc8364c207a90730e9c1a4ed48bbed8f608c148026e12c35
Instruction Fuzzy Hash: E331F8714083889AD324EB21DC49BDB77D8AF44714F14152EF599A30D1EF749A44DBC3

Function 00EFFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F00668

Part of subcall function 00F032A4: RaiseException.KERNEL32(?,?,?,00F0068A,?,00FB1444,?,?,?,?,?,?,00F0068A,00EE1129,00FA8738,00EE1129), ref: 00F03304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F00685

Strings

Unknown exception, xrefs: 00F00692

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3787e045e1e6ff64d7be94b59f5f1c94b7982cae468a1b31aa7abe6c28545e5f
Instruction ID: 26bfed96641ad3ed406e545a242c727661473cbace7c3e9b1ff380c5679a7b7a
Opcode Fuzzy Hash: 3787e045e1e6ff64d7be94b59f5f1c94b7982cae468a1b31aa7abe6c28545e5f
Instruction Fuzzy Hash: 04F0F63490020D77CF00B664DC46EAEB76D6E00354F604571F914D65D2EFB6EA26F9C1

Function 00EE10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EE1BF4
Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EE1BFC
Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EE1C07
Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EE1C12
Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EE1C1A
Part of subcall function 00EE1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE1C22

Part of subcall function 00EE1B4A: RegisterWindowMessageW.USER32(00000004,?,00EE12C4), ref: 00EE1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EE136A
OleInitialize.OLE32 ref: 00EE1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F224AB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: cdd62206d9f13cbe9032a6b382a25ae78cd5dd7c31fe6da83b68583677e40277
Instruction ID: b02a77872e341010b8675c289c2df03318999adce4b72fc5490c53552c7b9389
Opcode Fuzzy Hash: cdd62206d9f13cbe9032a6b382a25ae78cd5dd7c31fe6da83b68583677e40277
Instruction Fuzzy Hash: 7571B0B491124C8EC3A4DF7ABCE56953BE1FB893403E8932ED10AD7262EB308445EF51

Function 00F4C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F4C259
KillTimer.USER32(?,00000001,?,?), ref: 00F4C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F4C270

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 65a50c3b4e2b4a161927cf64f9fa0a3b2a5b5f26af07e1f592ea57b9decfb3ac
Instruction ID: 9f7da9f61d1e112cbb6452d4352e1d1c5568160c4060b960cf2732771c9cb4b8
Opcode Fuzzy Hash: 65a50c3b4e2b4a161927cf64f9fa0a3b2a5b5f26af07e1f592ea57b9decfb3ac
Instruction Fuzzy Hash: AF31D471905344AFEB628F648895BE6BFECAB02308F00109ED69AA3241C7B45A84DB91

Function 00F186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00F185CC,?,00FA8CC8,0000000C), ref: 00F18704
GetLastError.KERNEL32(?,00F185CC,?,00FA8CC8,0000000C), ref: 00F1870E
__dosmaperr.LIBCMT ref: 00F18739

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 55ccb3507a5ed0a9cadeacb0c5d9dc3299482e98090a0474b31d1743735fdfb4
Instruction ID: 52cc4fe02b051c7e5f0b5c34e0009ba5c318dc39bf1afee219de535bb252e0ff
Opcode Fuzzy Hash: 55ccb3507a5ed0a9cadeacb0c5d9dc3299482e98090a0474b31d1743735fdfb4
Instruction Fuzzy Hash: A6012B33E0562456D6646234AE857FE774A4BD1BF4F39021EF8189B1D2DEA48CC3B190

Function 00EEDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00EEDB7B
DispatchMessageW.USER32(?), ref: 00EEDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EEDB9F
Sleep.KERNELBASE(0000000A), ref: 00EEDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00F31CC9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 4279c855db140b4361f860406b9f9c3a9b0716683fa8a209cf6d871ae7b16cd9
Instruction ID: 5f4b466d4acd30ed87a684dc38f7e81d9e90deb6ae0cf35a8e72eac94a5af136
Opcode Fuzzy Hash: 4279c855db140b4361f860406b9f9c3a9b0716683fa8a209cf6d871ae7b16cd9
Instruction Fuzzy Hash: 53F054306043889BE734C761DC95FEA73ACFB44350F505619E609930D0EB309488AB56

Function 00EF1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00EF17F6

Strings

CALL, xrefs: 00EF17C6

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 64afdefda30a9bee150661f5e44c12e359bd204ab218c71168d15c34bc64a90d
Instruction ID: c8f150608ca79ee119b741a1246d336893f5517a9fc36915808aea74821e3b6d
Opcode Fuzzy Hash: 64afdefda30a9bee150661f5e44c12e359bd204ab218c71168d15c34bc64a90d
Instruction Fuzzy Hash: 46229C70608249DFC714DF14C880B2ABBF1BF85354F1899ADF696AB3A1D731E845DB82

Function 00EE2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F22C8C

Part of subcall function 00EE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE3A97,?,?,00EE2E7F,?,?,?,00000000), ref: 00EE3AC2

Part of subcall function 00EE2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE2DC4

Strings

X, xrefs: 00F22C5A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: af54bb69e57e5865900e913d86e7ada1438b8f87abc1eb2def13e9d08bbae737
Instruction ID: af3742e5502a3b7a8b4f999fbb9426bc0441e87b5dc33d99e48ee4a2503034a0
Opcode Fuzzy Hash: af54bb69e57e5865900e913d86e7ada1438b8f87abc1eb2def13e9d08bbae737
Instruction Fuzzy Hash: 9021A170A0029CAACB41DF95CC49BEE7BFCAF49314F048059E515F7281DBB85A899BA1

Function 00EE3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE3908

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a192f5e648d570147702efb90153fef67032d704c56a6a7615182baad728b6ce
Instruction ID: edc8c224bdd71c51fcdc1ff41055c7ff0ec38a637f88a467f973a4f2f72beeac
Opcode Fuzzy Hash: a192f5e648d570147702efb90153fef67032d704c56a6a7615182baad728b6ce
Instruction Fuzzy Hash: E731D5B05043448FD320DF35D898797BBF4FB49308F04092EF69993280E771AA44DB52

Function 00EFF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EFF661

Part of subcall function 00EED730: GetInputState.USER32 ref: 00EED807

Sleep.KERNEL32(00000000), ref: 00F3F2DE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 5ffc2ba4ef87ce509145c0f059df9f81a23875d79995f96608c430f03ad64268
Instruction ID: cd44f9103e912542fe0f1d7d423c5f4b820d4d6ec747ba2429c3b81fb13059d0
Opcode Fuzzy Hash: 5ffc2ba4ef87ce509145c0f059df9f81a23875d79995f96608c430f03ad64268
Instruction Fuzzy Hash: DCF08C312402099FD314EF6AE849B6AB7E9EF49760F00002EE95ED7361DB70A844CBA1

Function 00EE4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EE4EDD,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E9C
Part of subcall function 00EE4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4EAE
Part of subcall function 00EE4E90: FreeLibrary.KERNEL32(00000000,?,?,00EE4EDD,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4EFD

Part of subcall function 00EE4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F23CDE,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E62
Part of subcall function 00EE4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4E74
Part of subcall function 00EE4E59: FreeLibrary.KERNEL32(00000000,?,?,00F23CDE,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E87

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b84ffa97e7d2fb6bf0fb59bc83c9e6c19e9801f83bb43786d94092ccb3c56b51
Instruction ID: 31cbf9d9fece8d85564e6cedb3d8be0a6481124d3376ea4253d8f1870444da62
Opcode Fuzzy Hash: b84ffa97e7d2fb6bf0fb59bc83c9e6c19e9801f83bb43786d94092ccb3c56b51
Instruction Fuzzy Hash: 9F11E372700209AACB14BB66DC02FAD77E5AF44B11F10982EF542BA1D1EE749A45E790

Function 00F18402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F18440

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: fcc0e26e6a4a55815f9d497d91afef936bdd0335f2784f55934f8f53368672da
Instruction ID: 5c2558216d8a9604a063b8430f719fdcf9b0c403a4c294ee37c84952c38f7abc
Opcode Fuzzy Hash: fcc0e26e6a4a55815f9d497d91afef936bdd0335f2784f55934f8f53368672da
Instruction Fuzzy Hash: AE11487290410AAFCB05DF58E9409DA7BF5EF48310F104059F808AB312DA31DA12DBA4

Function 00F15000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F14C7D: RtlAllocateHeap.NTDLL(00000008,00EE1129,00000000,?,00F12E29,00000001,00000364,?,?,?,00F0F2DE,00F13863,00FB1444,?,00EFFDF5,?), ref: 00F14CBE

_free.LIBCMT ref: 00F1506C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 71a329d8986cb4ff1f3649662ac517d685a0b9544a3b47a4bb5dab54aa98a54d
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 17012672604705ABE3218EA99C81ADAFBE8FBC9370F65051DE18483280EA30A845C6B4

Function 00F0E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 44985a01e4c990800aa4df4984705257593a658a11df228ca6e8f78c7c8f8468
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E6F02832920A1496DB313AA9EC05B9B33989F52375F100B19F421D31D2CF79E842BAA5

Function 00F14C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00EE1129,00000000,?,00F12E29,00000001,00000364,?,?,?,00F0F2DE,00F13863,00FB1444,?,00EFFDF5,?), ref: 00F14CBE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d5617cde8296f4a99bbfe203aec80fcad2c15fcc5d70e3e7ccf6596a0986d078
Instruction ID: 57042ed4935e619e8d6852b97e1747d34d553a9e72f9a2580425f2eb4dc45b75
Opcode Fuzzy Hash: d5617cde8296f4a99bbfe203aec80fcad2c15fcc5d70e3e7ccf6596a0986d078
Instruction Fuzzy Hash: F0F0E932A0223467DB215F669C09BDA7788BFD17B1B144125FC19E75C1CA70F880B6F0

Function 00F13820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6,?,00EE1129), ref: 00F13852

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3113a80be8b6607aa6121d63a78b2ff31ecf6d20dbda2fa4eaa3ec0033585d2d
Instruction ID: 492f2b00c0fa0752b5973458199c9fa68501be7f82a9a69f51317bfe199ab61a
Opcode Fuzzy Hash: 3113a80be8b6607aa6121d63a78b2ff31ecf6d20dbda2fa4eaa3ec0033585d2d
Instruction Fuzzy Hash: 76E02B3390022496D73127779C04BDB7748AF427B0F090130FD08928C1DB20ED81B5F1

Function 00EE4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4F6D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4b7893622d754afc6b8936687103fe18681656d87cc7c6289c2780e750baffc0
Instruction ID: 8230a00006932904699f31b77ff4681ec56d5b0d5c1dad6499af53acbe9098c6
Opcode Fuzzy Hash: 4b7893622d754afc6b8936687103fe18681656d87cc7c6289c2780e750baffc0
Instruction Fuzzy Hash: 7DF0A0B0205785CFCB348F22E490812B7E0BF00719310A97EE1DA93550C7359C44EF40

Function 00F72A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F72A66

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: a37782539629f16ce94813f197dfb2fc002341e2ab815075d4366586bb9fa8ef
Instruction ID: a0deade9944983d4fb8295f773772c13ed5603b340c01610f42f43ac4b5404e5
Opcode Fuzzy Hash: a37782539629f16ce94813f197dfb2fc002341e2ab815075d4366586bb9fa8ef
Instruction Fuzzy Hash: E3E04F36750116AAD754EA30EC80AFA775CEB50395B10853BAC1ED2101DF38A995A6E1

Function 00EE30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00EE314E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 16c5ea2d244d940f85571c17668a1f98d769b16fa982238693a66386e36f4c36
Instruction ID: e80666f931ef7a2a517681e3dcde27ca4ceef2e97c94cbb540aca0e04a2d3657
Opcode Fuzzy Hash: 16c5ea2d244d940f85571c17668a1f98d769b16fa982238693a66386e36f4c36
Instruction Fuzzy Hash: F0F082709043089FE7529B24DC897957AECB701708F0401E9A24896181E7745788DF51

Function 00EE2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE2DC4

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0a35d847288558c78e22a9792a49c00eaf0cdf460709317cef1e32a7606bc5ea
Instruction ID: 2795fe6db040d20e915b58e8ae67758403eb87feddd8d5bf0d4b373c430f7a4b
Opcode Fuzzy Hash: 0a35d847288558c78e22a9792a49c00eaf0cdf460709317cef1e32a7606bc5ea
Instruction Fuzzy Hash: 15E0CD726001285BC71092589C05FDA77DDEFC87D0F050075FD09E7258D964ADC0C591

Function 00EE2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EE3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE3908

Part of subcall function 00EED730: GetInputState.USER32 ref: 00EED807

SetCurrentDirectoryW.KERNEL32(?), ref: 00EE2B6B

Part of subcall function 00EE30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00EE314E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 05995e1a014944ade3bc60f0bafbbe5158ad29e038993ee6e053fcddbb6846fb
Instruction ID: be3578a61fc47c899064275374ddc86e324b3c7e1a83c78c7d3258c3f903f861
Opcode Fuzzy Hash: 05995e1a014944ade3bc60f0bafbbe5158ad29e038993ee6e053fcddbb6846fb
Instruction Fuzzy Hash: 81E086213042CC47C608BB77A86A5ADB7D99BD2355F80353EF156A31A3CE2549854752

Function 00F2039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F20704,?,?,00000000,?,00F20704,00000000,0000000C), ref: 00F203B7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 484d24ac040687085b599b2595d4b675d1a863ba837ddd03927ebb283c179de1
Instruction ID: 9bceb2d2f9d3cc701824c1707cf0fdba5535298af3ce516cb809df80810538cc
Opcode Fuzzy Hash: 484d24ac040687085b599b2595d4b675d1a863ba837ddd03927ebb283c179de1
Instruction Fuzzy Hash: 1CD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014060BE1856020C772E861AB91

Function 00EE1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00EE1CBC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b5063e781daf9a7ef1bba77c9bdaabc648df49662d858848061d6701ad54adce
Instruction ID: 962f706c409ba1066c44677635d647fcde024927934dff5220a2955ea84b0bc4
Opcode Fuzzy Hash: b5063e781daf9a7ef1bba77c9bdaabc648df49662d858848061d6701ad54adce
Instruction Fuzzy Hash: 83C0923628030CAFF2248B80FC9AF1077A4B348B00F4C8101F60DA95E3D7A22860FF91

Non-executed Functions

Function 00F79576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F7961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F7965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F7969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F796C9
SendMessageW.USER32 ref: 00F796F2
GetKeyState.USER32(00000011), ref: 00F7978B
GetKeyState.USER32(00000009), ref: 00F79798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F797AE
GetKeyState.USER32(00000010), ref: 00F797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F797E9
SendMessageW.USER32 ref: 00F79810
SendMessageW.USER32(?,00001030,?,00F77E95), ref: 00F79918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F7992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F79941
SetCapture.USER32(?), ref: 00F7994A
ClientToScreen.USER32(?,?), ref: 00F799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F799D6
ReleaseCapture.USER32 ref: 00F799E1
GetCursorPos.USER32(?), ref: 00F79A19
ScreenToClient.USER32(?,?), ref: 00F79A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F79A80
SendMessageW.USER32 ref: 00F79AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F79AEB
SendMessageW.USER32 ref: 00F79B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F79B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F79B4A
GetCursorPos.USER32(?), ref: 00F79B68
ScreenToClient.USER32(?,?), ref: 00F79B75
GetParent.USER32(?), ref: 00F79B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F79BFA
SendMessageW.USER32 ref: 00F79C2B
ClientToScreen.USER32(?,?), ref: 00F79C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F79CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F79CDE
SendMessageW.USER32 ref: 00F79D01
ClientToScreen.USER32(?,?), ref: 00F79D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F79D82

Part of subcall function 00EF9944: GetWindowLongW.USER32(?,000000EB), ref: 00EF9952

GetWindowLongW.USER32(?,000000F0), ref: 00F79E05

Strings

@GUI_DRAGID, xrefs: 00F7997D
F, xrefs: 00F79D07

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ddf0e5a4d21f531e59e62ab5682d4d876d23f8b90df34bf768bd5425e69ef3fa
Instruction ID: 1549367e8c4696e145018f00e8260610e280ce1a25c991564a671732d25b0d2d
Opcode Fuzzy Hash: ddf0e5a4d21f531e59e62ab5682d4d876d23f8b90df34bf768bd5425e69ef3fa
Instruction Fuzzy Hash: 6D429171508245AFD724CF24CC84AAABBE5FF48320F14861EF69D972A1D7B1D850EF92

Function 00F74873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F74908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F74927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F7494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F7495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F7497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F74A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F74A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F74A7E
IsMenu.USER32(?), ref: 00F74A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F74AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F74B20
GetWindowLongW.USER32(?,000000F0), ref: 00F74B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F74BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F74C82
wsprintfW.USER32 ref: 00F74CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F74CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F74CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F74D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F74D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F74D5A

Strings

%d/%02d/%02d, xrefs: 00F74CA8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8ed96f2bb8b86769ad24bf1183ebc3c08c93b10c0d5597e17b5f4add79e5ae72
Instruction ID: bc5be919bed02dbb6cd7ded0fa32715e28a887934621b59157a0b94c9609c9f0
Opcode Fuzzy Hash: 8ed96f2bb8b86769ad24bf1183ebc3c08c93b10c0d5597e17b5f4add79e5ae72
Instruction Fuzzy Hash: B612C471900258ABEB258F24CC49FAE7BF8EF49720F10811AF51DEB1E1D774A941EB52

Function 00EFF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00EFF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F3F474
IsIconic.USER32(00000000), ref: 00F3F47D
ShowWindow.USER32(00000000,00000009), ref: 00F3F48A
SetForegroundWindow.USER32(00000000), ref: 00F3F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3F4AA
GetCurrentThreadId.KERNEL32 ref: 00F3F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F3F4DE
SetForegroundWindow.USER32(00000000), ref: 00F3F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3F4F6
keybd_event.USER32(00000012,00000000), ref: 00F3F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3F50B
keybd_event.USER32(00000012,00000000), ref: 00F3F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3F519
keybd_event.USER32(00000012,00000000), ref: 00F3F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3F528
keybd_event.USER32(00000012,00000000), ref: 00F3F52D
SetForegroundWindow.USER32(00000000), ref: 00F3F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F3F557

Strings

Shell_TrayWnd, xrefs: 00F3F46F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 309aa38b7a88161fd749486dfeff4bcfe0a7efaaa050020e10b70874a2366a51
Instruction ID: 08dcace26af53d67d991cc22c173b1bfe4bc1db62ba84a6741aab3f77bf11bea
Opcode Fuzzy Hash: 309aa38b7a88161fd749486dfeff4bcfe0a7efaaa050020e10b70874a2366a51
Instruction Fuzzy Hash: 2C315471E4021CBBEB206BB59C4AFBF7E6CEB44B60F140069F605EA1D1C6B15D40BAA1

Function 00F41201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F4170D
Part of subcall function 00F416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F4173A
Part of subcall function 00F416C3: GetLastError.KERNEL32 ref: 00F4174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F41286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F412A8
CloseHandle.KERNEL32(?), ref: 00F412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F412D1
GetProcessWindowStation.USER32 ref: 00F412EA
SetProcessWindowStation.USER32(00000000), ref: 00F412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F41310

Part of subcall function 00F410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F411FC), ref: 00F410D4
Part of subcall function 00F410BF: CloseHandle.KERNEL32(?,?,00F411FC), ref: 00F410E9

Strings

winsta0, xrefs: 00F412CC
, xrefs: 00F4125A
default, xrefs: 00F4130B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 11c5dd282cb732a1417afd7ad3b8787400852cbc680c19804f77605cd3c31444
Instruction ID: 65e37e571fa40749bbee7fe23c7cd8c2373ff63c7fcfda588a295afc874c28fc
Opcode Fuzzy Hash: 11c5dd282cb732a1417afd7ad3b8787400852cbc680c19804f77605cd3c31444
Instruction Fuzzy Hash: A1817671900209ABDF20DFA4DC49FEE7FB9BF09710F144129FA14A62A0D7749A94EB61

Function 00F40B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F41114
Part of subcall function 00F410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41120
Part of subcall function 00F410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F4112F
Part of subcall function 00F410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41136
Part of subcall function 00F410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F4114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F40BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F40C00
GetLengthSid.ADVAPI32(?), ref: 00F40C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F40C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F40C6D
GetLengthSid.ADVAPI32(?), ref: 00F40C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F40C8C
HeapAlloc.KERNEL32(00000000), ref: 00F40C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F40CB4
CopySid.ADVAPI32(00000000), ref: 00F40CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F40CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F40D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F40D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40D45
HeapFree.KERNEL32(00000000), ref: 00F40D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40D55
HeapFree.KERNEL32(00000000), ref: 00F40D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40D65
HeapFree.KERNEL32(00000000), ref: 00F40D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F40D78
HeapFree.KERNEL32(00000000), ref: 00F40D7F

Part of subcall function 00F41193: GetProcessHeap.KERNEL32(00000008,00F40BB1,?,00000000,?,00F40BB1,?), ref: 00F411A1
Part of subcall function 00F41193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F40BB1,?), ref: 00F411A8
Part of subcall function 00F41193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F40BB1,?), ref: 00F411B7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4d5e58be5454d28d9dd516a3a27033042b12de3f2b8cf00c34ab837cf69a2200
Instruction ID: db403e4a931a8d70cfb251f55cd233417b4cdd8b71bcefad34af19a5b1107867
Opcode Fuzzy Hash: 4d5e58be5454d28d9dd516a3a27033042b12de3f2b8cf00c34ab837cf69a2200
Instruction Fuzzy Hash: 4A716072D0020AABDF10DFE5DC44FAEBBB8BF48310F044529EE18E6151DB75A945DBA1

Function 00F5EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F7CC08), ref: 00F5EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F5EB37
GetClipboardData.USER32(0000000D), ref: 00F5EB43
CloseClipboard.USER32 ref: 00F5EB4F
GlobalLock.KERNEL32(00000000), ref: 00F5EB87
CloseClipboard.USER32 ref: 00F5EB91
GlobalUnlock.KERNEL32(00000000), ref: 00F5EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00F5EBC9
GetClipboardData.USER32(00000001), ref: 00F5EBD1
GlobalLock.KERNEL32(00000000), ref: 00F5EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00F5EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00F5EC38
GetClipboardData.USER32(0000000F), ref: 00F5EC44
GlobalLock.KERNEL32(00000000), ref: 00F5EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F5EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F5EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F5ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00F5ECF3
CountClipboardFormats.USER32 ref: 00F5ED14
CloseClipboard.USER32 ref: 00F5ED59

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 1dad09dfc4b15244c55fcc625b07482465602a435ef2e289760183ac4628cd7f
Instruction ID: 2bb33c8ac129ee8375dee67fd370c1f84027f8da7ea6cb7e9e1cd95425a133ea
Opcode Fuzzy Hash: 1dad09dfc4b15244c55fcc625b07482465602a435ef2e289760183ac4628cd7f
Instruction Fuzzy Hash: 0661F435204305AFD304EF20DC88F2AB7E4AF84715F14452DF95A972A2DB31DE49EBA2

Function 00F5698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F569BE
FindClose.KERNEL32(00000000), ref: 00F56A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F56A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F56A75

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00F56AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F56ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F56B6A
%4d, xrefs: 00F56BB1
%03d, xrefs: 00F56DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00F56B32
%02d, xrefs: 00F56C00, 00F56C0A, 00F56C5A, 00F56CAA, 00F56CFA, 00F56D4A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 448190853c0e10c795746409f7bbb92799c547283e146505c5338cae9d2af61f
Instruction ID: 89d36e982ea67da92dad222a878cf9e97707dbf142728b1b839c0f2f19f8c92e
Opcode Fuzzy Hash: 448190853c0e10c795746409f7bbb92799c547283e146505c5338cae9d2af61f
Instruction Fuzzy Hash: F8D18272508344AFC314EBA1C881EAFB7ECAF98704F44591DF995D7192EB34DA48CB62

Function 00F59642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F59663
GetFileAttributesW.KERNEL32(?), ref: 00F596A1
SetFileAttributesW.KERNEL32(?,?), ref: 00F596BB
FindNextFileW.KERNEL32(00000000,?), ref: 00F596D3
FindClose.KERNEL32(00000000), ref: 00F596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00F596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00F5974A
SetCurrentDirectoryW.KERNEL32(00FA6B7C), ref: 00F59768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F59772
FindClose.KERNEL32(00000000), ref: 00F5977F
FindClose.KERNEL32(00000000), ref: 00F5978F

Strings

*.*, xrefs: 00F596F5

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 29dcf92533947e26acd3347dc3d6e0e6998f990d81bb9e7637d349183d0b8f6c
Instruction ID: e4f019ef919ceb1a4355e7681c73a94a51e9131281cadf5c5980dd42359543a6
Opcode Fuzzy Hash: 29dcf92533947e26acd3347dc3d6e0e6998f990d81bb9e7637d349183d0b8f6c
Instruction Fuzzy Hash: 1E31F83250560DAEDF189FB4EC08ADE37AC9F49321F144056FD18E20A0DBB4DD88EE51

Function 00F5979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00F59819
FindClose.KERNEL32(00000000), ref: 00F59824
FindFirstFileW.KERNEL32(*.*,?), ref: 00F59840
SetCurrentDirectoryW.KERNEL32(?), ref: 00F59890
SetCurrentDirectoryW.KERNEL32(00FA6B7C), ref: 00F598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F598B8
FindClose.KERNEL32(00000000), ref: 00F598C5
FindClose.KERNEL32(00000000), ref: 00F598D5

Part of subcall function 00F4DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F4DB00

Strings

*.*, xrefs: 00F5983B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d35851d4294d66b258b4494e286dc082927030a7cb0b2f3046d30f3ad849c436
Instruction ID: 4feb3a1c40e60c1476acef352fdf79a40c16d92a924af9fa08fc8db6fa270a2b
Opcode Fuzzy Hash: d35851d4294d66b258b4494e286dc082927030a7cb0b2f3046d30f3ad849c436
Instruction Fuzzy Hash: 3B31E531904219AADB14AFB4EC48ADE37AC9F46332F144159ED14E21E1DBB0DA88FB61

Function 00F6BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F6B6AE,?,?), ref: 00F6C9B5
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6C9F1
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA68
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F6BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F6BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00F6BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F6C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F6C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F6C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F6C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F6C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F6C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F6C382
RegCloseKey.ADVAPI32(00000000), ref: 00F6C38F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 78c8a109257f4652bab1c47afebf02e8dfb40036cfa0abe83e04e131c560459e
Instruction ID: 32ae7e9b380030d602a91a33a246653747f935489d470c054161fa51a29a794d
Opcode Fuzzy Hash: 78c8a109257f4652bab1c47afebf02e8dfb40036cfa0abe83e04e131c560459e
Instruction Fuzzy Hash: 03026F71604240AFC714DF24C895E2ABBE5EF89314F18C49DF88ADB2A2D731EC45DB92

Function 00F58195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F58257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F58267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F58273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F58310
SetCurrentDirectoryW.KERNEL32(?), ref: 00F58324
SetCurrentDirectoryW.KERNEL32(?), ref: 00F58356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F5838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00F58395

Strings

*.*, xrefs: 00F5839B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b45e45a4196b1368353256886bb1577f7ebfc5d768b57b9d5c3337b2c821fc20
Instruction ID: 3147fbb48214ff2b84f6454d60546660d2277feeeb07f14e30af4026740324d0
Opcode Fuzzy Hash: b45e45a4196b1368353256886bb1577f7ebfc5d768b57b9d5c3337b2c821fc20
Instruction Fuzzy Hash: 4C618C725043459FC710EF60C8409AEB7E8FF89350F04881DFA99E7251DB35E94ADB92

Function 00F4D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE3A97,?,?,00EE2E7F,?,?,?,00000000), ref: 00EE3AC2

Part of subcall function 00F4E199: GetFileAttributesW.KERNEL32(?,00F4CF95), ref: 00F4E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F4D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F4D1DD
MoveFileW.KERNEL32(?,?), ref: 00F4D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F4D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4D237

Part of subcall function 00F4D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F4D21C,?,?), ref: 00F4D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F4D253
FindClose.KERNEL32(00000000), ref: 00F4D264

Strings

\*.*, xrefs: 00F4D0CD, 00F4D0D6, 00F4D0EB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 72dbc8b6462434b714aac313168c1324293ee9cd3462366122bf4b9c0a1a9001
Instruction ID: a36a964753fffbcf60387305c73030d5479c2aa0b2a8749847206dbc164117b3
Opcode Fuzzy Hash: 72dbc8b6462434b714aac313168c1324293ee9cd3462366122bf4b9c0a1a9001
Instruction Fuzzy Hash: 26619E31C0114D9BCF15EBE1DD929EDBBB5AF54300F244069E805731A2EB356F49EB61

Function 00F5ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F5ED91
EmptyClipboard.USER32 ref: 00F5ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00F5EDAC
CloseClipboard.USER32 ref: 00F5EEA3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 14082a180b8b02e1e91a8196414f8856c56030e4439526c180bccf46bb4675ca
Instruction ID: 7f27a0b287829867dfb91ddc7b3dafb6f3ee85a635d82a4df8ff854ead10abea
Opcode Fuzzy Hash: 14082a180b8b02e1e91a8196414f8856c56030e4439526c180bccf46bb4675ca
Instruction Fuzzy Hash: D641EE31604211AFE724CF15D889B19BBE1FF04329F19C09DE9298B6A2C731ED86DBC1

Function 00F4E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F4170D
Part of subcall function 00F416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F4173A
Part of subcall function 00F416C3: GetLastError.KERNEL32 ref: 00F4174A

ExitWindowsEx.USER32(?,00000000), ref: 00F4E932

Strings

SeShutdownPrivilege, xrefs: 00F4E902
, xrefs: 00F4E95C
@, xrefs: 00F4E925
, xrefs: 00F4E920

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 71e9b43ad6f2d3998bae403051fde2016b0bfa573eef9f3ffbe50139726236e4
Instruction ID: c88b1579a8a5f8df4ad08f2104700a9393e3288a8fb6063f4aade31a066ad65a
Opcode Fuzzy Hash: 71e9b43ad6f2d3998bae403051fde2016b0bfa573eef9f3ffbe50139726236e4
Instruction Fuzzy Hash: 7001F973A10215ABFB6426B89C86FBF7A9CBB14750F190825FC03E31D2D6A59C80B2D0

Function 00F61204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F61276
WSAGetLastError.WSOCK32 ref: 00F61283
bind.WSOCK32(00000000,?,00000010), ref: 00F612BA
WSAGetLastError.WSOCK32 ref: 00F612C5
closesocket.WSOCK32(00000000), ref: 00F612F4
listen.WSOCK32(00000000,00000005), ref: 00F61303
WSAGetLastError.WSOCK32 ref: 00F6130D
closesocket.WSOCK32(00000000), ref: 00F6133C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 2fa651ccac782c970e7049db1ecf23edbd57d145b8f2cdbf0b27e7321b6a8f3e
Instruction ID: 72d6e5caedc9938cfdd251b562a2852975a638ad25b7c60d0482d71fae6fe437
Opcode Fuzzy Hash: 2fa651ccac782c970e7049db1ecf23edbd57d145b8f2cdbf0b27e7321b6a8f3e
Instruction Fuzzy Hash: 18418F31A001449FD710DF24D499B2ABBE6BF46328F1C818CE85A9F296C771EC85DBE1

Function 00F1B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F1B9D4
_free.LIBCMT ref: 00F1B9F8
_free.LIBCMT ref: 00F1BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F83700), ref: 00F1BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00FB121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F1BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00FB1270,000000FF,?,0000003F,00000000,?), ref: 00F1BC36
_free.LIBCMT ref: 00F1BD4B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 6e97d4e5fdb9077bf7952d3f7df0d77f74acf58839c2db0ff271d01904d96014
Instruction ID: d80c88a3ccefab45d6d9e24e936f0452a112c4e8f04ccba2bfcff1635ad67818
Opcode Fuzzy Hash: 6e97d4e5fdb9077bf7952d3f7df0d77f74acf58839c2db0ff271d01904d96014
Instruction Fuzzy Hash: 6CC12571D04209EFDB24DF69DC51BEA7BB8EF41320F54419AE890D7291EB348E81BB90

Function 00F4D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE3A97,?,?,00EE2E7F,?,?,?,00000000), ref: 00EE3AC2

Part of subcall function 00F4E199: GetFileAttributesW.KERNEL32(?,00F4CF95), ref: 00F4E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F4D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F4D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4D481
FindClose.KERNEL32(00000000), ref: 00F4D498
FindClose.KERNEL32(00000000), ref: 00F4D4A1

Strings

\*.*, xrefs: 00F4D3F2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6fa2917ed19cd4b46ca5b173101838f6cb4a4756df97e5551dda8ce7a99bbb9f
Instruction ID: 291b8111241ddebd8c9a2bd5f035c303349b3e61ddb283f40c691293df2bba6c
Opcode Fuzzy Hash: 6fa2917ed19cd4b46ca5b173101838f6cb4a4756df97e5551dda8ce7a99bbb9f
Instruction Fuzzy Hash: 4931A3310083899FC304EF60D8558AF7BE8BE91314F445A2DF8D5A31A2EB30EA49D763

Function 00F1E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F1E645

Strings

1#IND, xrefs: 00F1F83D
1#QNAN, xrefs: 00F1F84B
1#INF, xrefs: 00F1F852
1#SNAN, xrefs: 00F1F844

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 389c9c1110b8979a193b5a2d6f289c1d4f606efdd98f39d789d0dc5fc6dfae8e
Instruction ID: beca3dafc4acbeffedf1e318c89eb4e16ad3a1577dc60038e63f0b06e9e573c5
Opcode Fuzzy Hash: 389c9c1110b8979a193b5a2d6f289c1d4f606efdd98f39d789d0dc5fc6dfae8e
Instruction Fuzzy Hash: F3C23C72E046298FDB25CE28DD407E9B7B5EB48315F1441EAD84DE7280E778AEC5AF40

Function 00F5648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F564DC
CoInitialize.OLE32(00000000), ref: 00F56639
CoCreateInstance.OLE32(00F7FCF8,00000000,00000001,00F7FB68,?), ref: 00F56650
CoUninitialize.OLE32 ref: 00F568D4

Strings

.lnk, xrefs: 00F564BA, 00F56524, 00F565E0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 32da21795ebfcc5e70ac508347bc83c79db48993a78104197b8c8bae65cbbf12
Instruction ID: 54f4703f6d79094f5d2563baf87b22cae8c231441cc3fc6499c91c55b372a042
Opcode Fuzzy Hash: 32da21795ebfcc5e70ac508347bc83c79db48993a78104197b8c8bae65cbbf12
Instruction Fuzzy Hash: 5FD16A716082459FC314EF24C88196BB7E8FF98314F54496DF595DB2A2EB30EE09CB92

Function 00F622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F622E8

Part of subcall function 00F5E4EC: GetWindowRect.USER32(?,?), ref: 00F5E504

GetDesktopWindow.USER32 ref: 00F62312
GetWindowRect.USER32(00000000), ref: 00F62319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F62355
GetCursorPos.USER32(?), ref: 00F62381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F623DF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 09d94cdf89d0112458d1623ae6ae8420ccf75af03c26321f157b4bad584c0177
Instruction ID: 2af6d82b5877dc7cdf46b3b97d1229cf8829f27bf5517402a86ce9d5e177ac46
Opcode Fuzzy Hash: 09d94cdf89d0112458d1623ae6ae8420ccf75af03c26321f157b4bad584c0177
Instruction Fuzzy Hash: C131BC72505719ABD720DF54CC49A5BBBA9FF84320F00091DF98997281DB34EA48DB92

Function 00F59B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F59B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F59C8B

Part of subcall function 00F53874: GetInputState.USER32 ref: 00F538CB
Part of subcall function 00F53874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F53966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F59BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F59C75

Strings

*.*, xrefs: 00F59B5D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e6b633ae98d307b2704469afea547f991519b22003685bb2a3e21071d68a6581
Instruction ID: 0fbbbb77e5fd39da7fcd15431e2226783eb443cde51917180557a78c3a380d1a
Opcode Fuzzy Hash: e6b633ae98d307b2704469afea547f991519b22003685bb2a3e21071d68a6581
Instruction Fuzzy Hash: EF418171D0420AEFDF19DF64C849AEE7BF8EF05311F244059E915A2191EB709E88EF61

Function 00EF997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00EF9A4E
GetSysColor.USER32(0000000F), ref: 00EF9B23
SetBkColor.GDI32(?,00000000), ref: 00EF9B36

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: dd6ac1a1a85d7622b57db13eee0f90a0787bfc47a8890f59da726e5fa9348d42
Instruction ID: db052f976b62497f6b13a7013cfb71d6b1b6c54e9923d25899617f59703418a3
Opcode Fuzzy Hash: dd6ac1a1a85d7622b57db13eee0f90a0787bfc47a8890f59da726e5fa9348d42
Instruction Fuzzy Hash: 23A140B050894CBEE734BE3C8C99FBB359DEB82364F14510AF651E6593CA259D01F272

Function 00F61806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F6307A
Part of subcall function 00F6304E: _wcslen.LIBCMT ref: 00F6309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F6185D
WSAGetLastError.WSOCK32 ref: 00F61884
bind.WSOCK32(00000000,?,00000010), ref: 00F618DB
WSAGetLastError.WSOCK32 ref: 00F618E6
closesocket.WSOCK32(00000000), ref: 00F61915

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 29402321d0c4cbf8a203b61e29e85d5691fe4d71297f38b2cd1927e8a9d1f88f
Instruction ID: 40f29db0cb4e2d2453715dbe20c25245bfdb592b24da2e710bbe35bd053a0c61
Opcode Fuzzy Hash: 29402321d0c4cbf8a203b61e29e85d5691fe4d71297f38b2cd1927e8a9d1f88f
Instruction Fuzzy Hash: 3451B371A00204AFDB10AF24C886F2A77E5AB44718F18845CF95AAF3D3D771AD41DBE1

Function 00F71C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F71CC0
IsWindowEnabled.USER32 ref: 00F71CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F71CDB
IsIconic.USER32 ref: 00F71CE9
IsZoomed.USER32 ref: 00F71CF7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 038a2ccf76f9a48d5191a2a23615f55e0d81491e455e7320fdd2409f482e17b6
Instruction ID: c5cef6dd9c137da1e0419df116586ce7cedfac43c77ed23d910f9e60812c5a34
Opcode Fuzzy Hash: 038a2ccf76f9a48d5191a2a23615f55e0d81491e455e7320fdd2409f482e17b6
Instruction Fuzzy Hash: 5421B431B402105FD7218F5ED884B567BE5FF85324B19C06EE84D8B251CB71DC46EB92

Function 00EE8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00EE843C
VUUU, xrefs: 00EE83FA
VUUU, xrefs: 00F25DF0
ERCP, xrefs: 00EE813C
VUUU, xrefs: 00EE83E8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: bbf5791f129e3430da93feefba79356c9afdaaec70820688c69304c98c0d00a5
Instruction ID: e5d7ef8aa40ea081fa21663e3cb2dabb426d292793d26df308e82e7428675e6f
Opcode Fuzzy Hash: bbf5791f129e3430da93feefba79356c9afdaaec70820688c69304c98c0d00a5
Instruction Fuzzy Hash: CEA28E70E0066ACBDF24CF59D9407EDB7B1BF54714F2481AAE819B7285EB309D81EB90

Function 00F4AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F4AAAC
SetKeyboardState.USER32(00000080), ref: 00F4AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F4AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F4AB88

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f5c4f890415b8d320c98c3bdf1bb345d8b2c063b647cc764b0b7beb62d2e6d06
Instruction ID: 2f974eead32f2121506016c8889cc54da197c4d157165a8f3192c6e75953e12c
Opcode Fuzzy Hash: f5c4f890415b8d320c98c3bdf1bb345d8b2c063b647cc764b0b7beb62d2e6d06
Instruction Fuzzy Hash: 0E31F671EC0648AEFB35CA648C05BFA7FA6EB84320F04421AF985561D1D3798981E7A3

Function 00F5CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00F5CE89
GetLastError.KERNEL32(?,00000000), ref: 00F5CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00F5CEFE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dd45b40d0f74697fb63e8fc1122f7adfc4f1fbbf3065566108378b12871d4da1
Instruction ID: ab992f12b9a0e695cfd1056ccc71ca6ccf7eb8c0eca36fa00fe2153c89270841
Opcode Fuzzy Hash: dd45b40d0f74697fb63e8fc1122f7adfc4f1fbbf3065566108378b12871d4da1
Instruction Fuzzy Hash: B52190B19003059FD720DF65C949BA677F8EB40365F10441EEA47E2151E774ED49EBA0

Function 00F48298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F482AA

Strings

|, xrefs: 00F482DA
(, xrefs: 00F482F0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6098e4bdc00a7bfa9f50eb47c8163222a316f88dbd9594233c96e2583c722efb
Instruction ID: 8c0c949f36240f1083d9805181b4ea9b8a529328fbafa58a82974948bc7b3951
Opcode Fuzzy Hash: 6098e4bdc00a7bfa9f50eb47c8163222a316f88dbd9594233c96e2583c722efb
Instruction Fuzzy Hash: FA323A75A007059FC728CF59C480A6ABBF0FF48760B15C56EE95ADB3A1EB70E942DB40

Function 00F55C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F55CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00F55D17
FindClose.KERNEL32(?), ref: 00F55D5F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ddd4433dcaf208bb2cb1a3ad32705bb9b15b8742c259478fa52338c99f408d8a
Instruction ID: 4718c97f42971625193000fd1b803716defec59274a0ee0e1ab808690bcae2c1
Opcode Fuzzy Hash: ddd4433dcaf208bb2cb1a3ad32705bb9b15b8742c259478fa52338c99f408d8a
Instruction Fuzzy Hash: FD518A75A04A019FC714CF28C494A9AB7F4FF49324F14855EEA5A8B3A2CB30ED49DB91

Function 00F12622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F1271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F12724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F12731

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a1724f3d5345f3bb5cfca2bd67fd2c6a0c57abf540b18444a67ad10ee6e84f74
Instruction ID: 0c128f656c2ed60277fb00859fdbaf631f432c4536fd961be7e75dc1a0fe47fb
Opcode Fuzzy Hash: a1724f3d5345f3bb5cfca2bd67fd2c6a0c57abf540b18444a67ad10ee6e84f74
Instruction Fuzzy Hash: A431D67490121C9BCB61DF68DC887DDB7B8AF18310F5041EAE40CA72A1EB349F819F55

Function 00F551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F55238
SetErrorMode.KERNEL32(00000000), ref: 00F552A1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0f8f655eba7234da06bed22ecbaff8bd4d2bfd16f24a1ea70d5ddec379323c33
Instruction ID: 10d7f5ea104390fb8b90d1a225c1cd779a078d784c08a0a16a58b0532dca7771
Opcode Fuzzy Hash: 0f8f655eba7234da06bed22ecbaff8bd4d2bfd16f24a1ea70d5ddec379323c33
Instruction Fuzzy Hash: EC315E75A00518DFDB00DF54D894EADBBF4FF49318F188099E909AB362DB31E85ACB91

Function 00F416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EFFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F00668
Part of subcall function 00EFFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F00685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F4170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F4173A
GetLastError.KERNEL32 ref: 00F4174A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: dd87c04a74da3ba5c96593ad6265c59cc178d6011ab6d2f37c29859bc40069ff
Instruction ID: 63bd3061628989227590a40f3f12d59e17886af0f0b4d082bdf1589fe4f82c97
Opcode Fuzzy Hash: dd87c04a74da3ba5c96593ad6265c59cc178d6011ab6d2f37c29859bc40069ff
Instruction Fuzzy Hash: 4511C1B2400308AFD7189F54DC86E6ABBF9FF04714B20852EE45693241EB70FC818A60

Function 00F4D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F4D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F4D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F4D650

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a0b5901bf8f8182dc6f42257f1514888449334946dd6c6970c05e9e09660472f
Instruction ID: 49055d0035ea973987b02d459cc22b10313eb95d3bd2da67dd3ce3ec671a667b
Opcode Fuzzy Hash: a0b5901bf8f8182dc6f42257f1514888449334946dd6c6970c05e9e09660472f
Instruction Fuzzy Hash: B2113C75E05228BBDB108F999C45FAFBFBCEB45B60F108165F908E7290D6704A059BA1

Function 00F41663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F4168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F416A1
FreeSid.ADVAPI32(?), ref: 00F416B1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cbefa19c97c0732609a5046b3ea00017e00d19cde9ec06b87d20099811cdf6fd
Instruction ID: 07913e0cabbdb31e36b3fe95e7dd033e54738e4cd63673a2bbbdd0a581692a2d
Opcode Fuzzy Hash: cbefa19c97c0732609a5046b3ea00017e00d19cde9ec06b87d20099811cdf6fd
Instruction Fuzzy Hash: 34F0F47195030DFBDB00DFE49C89EAEBBBDFB08604F504565E901E2181E774AA849BA1

Function 00F1C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00F1C36C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8d2daf6a09d728d0ba946a3e0cdb4c6b3dfdef34e0c1b45b57bc2db96ccac213
Instruction ID: 4658455d6ccc4b08e9992162328fd02bc810f8a683211da217cb5ccffdf53f9d
Opcode Fuzzy Hash: 8d2daf6a09d728d0ba946a3e0cdb4c6b3dfdef34e0c1b45b57bc2db96ccac213
Instruction Fuzzy Hash: 1D412672940219AFCB249FB9CC49EFB77B8EB84724F5042A9F915D7180E6709DC1EB90

Function 00F3D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F3D28C

Strings

X64, xrefs: 00F3D2A8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b6d2dc5e359dbf7c56193148799e362a8b764511647e11e42aa859c5b18f78cd
Instruction ID: d0dfb2cdccd6d04f316988da363c5182be0ec7acde4169af8b294455b159d0aa
Opcode Fuzzy Hash: b6d2dc5e359dbf7c56193148799e362a8b764511647e11e42aa859c5b18f78cd
Instruction Fuzzy Hash: 95D0C9B580511DEACF94CB90EC88DDAB77CBB04305F100155F506E2000DB3095489F50

Function 00F0CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fb5fbc7b504f2f85a737696394cf4e2be384ec7c098b7d8b0e5e767eb514a1c3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D9021E72E011199FDF14CFA9C8806ADFBF1FF48324F258269D919E7380D731A941AB94

Function 00F568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F56918
FindClose.KERNEL32(00000000), ref: 00F56961

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 46ac5ae91b1f4e5328d8b1d0647b02d68fbd15e0ed355025f62f029a8b775612
Instruction ID: 296330aaa7c5e09851a19ed107ac3fae95ce92cda9c38c666d84eb54988b318d
Opcode Fuzzy Hash: 46ac5ae91b1f4e5328d8b1d0647b02d68fbd15e0ed355025f62f029a8b775612
Instruction Fuzzy Hash: 6711D0316046049FC710CF2AD484A16BBE1FF84329F55C69DE9798F2A2CB30EC49CB91

Function 00F537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F64891,?,?,00000035,?), ref: 00F537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F64891,?,?,00000035,?), ref: 00F537F4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a49af9a5224ef985b6f7798d0d5f600725fa5a8f6875ce8254f3f22d0d5edcf0
Instruction ID: 0fbd29a887fa40f22f2fd345cb92a6e64a0520a95b756cfe9e6e35e915df2733
Opcode Fuzzy Hash: a49af9a5224ef985b6f7798d0d5f600725fa5a8f6875ce8254f3f22d0d5edcf0
Instruction Fuzzy Hash: 0DF0EC71A042282AE71017765C4DFDB769DEFC4761F000165F509D2281D9605944D7F1

Function 00F4B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F4B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F4B270

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 85218d1f91f25541be56b5eb07e1057e245cd9fd88465b92f929d6414406409a
Instruction ID: 0c63613ff0c69e7d276ef1a9d3bba382c242550cda29fd53a0c711c237dd98d6
Opcode Fuzzy Hash: 85218d1f91f25541be56b5eb07e1057e245cd9fd88465b92f929d6414406409a
Instruction Fuzzy Hash: 48F01D7180424EABDB059FA0C805BAE7FB4FF04315F048009F955A5192D779C651AF95

Function 00F410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F411FC), ref: 00F410D4
CloseHandle.KERNEL32(?,?,00F411FC), ref: 00F410E9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a7d5cae7763d2023882d4d577374f5868dfa970ce6fe6f9bda6dd6059cfa6db5
Instruction ID: a4a33b9f9ed14acb7ef245f87281d38633c74087a3f9f7fb71ec0de9e3e1860c
Opcode Fuzzy Hash: a7d5cae7763d2023882d4d577374f5868dfa970ce6fe6f9bda6dd6059cfa6db5
Instruction Fuzzy Hash: BEE0BF72014614AEF7252B55FC05E777BE9FF04320B14882DF5A5904B1DB626CD0EB50

Function 00EECAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F30C40

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 6aec0d481f930496f4bc2c28afed43dfb421a43423c9c856041f84729478c581
Instruction ID: 4d6d95b4aff65fc22c155b4b02aea172406dfc8a99fb0456dadb3d126759bf7c
Opcode Fuzzy Hash: 6aec0d481f930496f4bc2c28afed43dfb421a43423c9c856041f84729478c581
Instruction Fuzzy Hash: D4328B30A0025CDBCF14DF91C890AEDB7F5BF04318F24606AE816BB292DB35AD46DB61

Function 00F1676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F16766,?,?,00000008,?,?,00F1FEFE,00000000), ref: 00F16998

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3bf6711a0e6157535f650abd0e453b957f222df8ffda37b9811260db68139498
Instruction ID: 6e65022b4e3c725f2c2b5a9ea8dd66553eaee92dd23d05926ae5371397ec7994
Opcode Fuzzy Hash: 3bf6711a0e6157535f650abd0e453b957f222df8ffda37b9811260db68139498
Instruction Fuzzy Hash: C9B13D32A10609DFD715CF28C486BA57BE0FF45364F29C658E899CF2A2C735E991DB40

Function 00EFB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F3851F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19bc2162c65e19ff453343afe6dfa84d89a61a94a37c90f72dc556599ca3ef17
Instruction ID: a25beb7da8ea6aa1f4b6273985e688a22ec5216934b88c5eb33a9b60894dcaa8
Opcode Fuzzy Hash: 19bc2162c65e19ff453343afe6dfa84d89a61a94a37c90f72dc556599ca3ef17
Instruction Fuzzy Hash: 01124E71D002299BCB14CF58C9806FEB7F5FF48720F14819AE949EB251EB749A81DBA0

Function 00F5EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F5EABD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a577725a2848674272127299fab787160a6a41ef909f34bda7f371155f759fbe
Instruction ID: def32bb62d86294da5289f9fb1298e6ed49fa151e7201d7abd88f059e8c97d4d
Opcode Fuzzy Hash: a577725a2848674272127299fab787160a6a41ef909f34bda7f371155f759fbe
Instruction Fuzzy Hash: A8E01A322002089FC710EF6AD844E9AB7EDAF98760F00841AFD4AD7251DA74A9459B91

Function 00F009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F003EE), ref: 00F009DA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 99d96f70f5533ff652ac2fc0b3307093ce8b631ff2837442c8da9c0e93839b98
Instruction ID: a68dc56e0525c037dbcbf021e888eec9825401ff7e0fa8a5a9c4ca3cb3ac5daf
Opcode Fuzzy Hash: 99d96f70f5533ff652ac2fc0b3307093ce8b631ff2837442c8da9c0e93839b98
Instruction Fuzzy Hash:

Function 00F0781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F0798B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 36adef5d54279ed39cb34d1f8ef482a382cefbe20f784dba0c0812e145edd992
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B5516872E0C7455BDB38B528885D7BF63C59B42360F2885C9D882C72C2C619FE46F362

Function 00F16DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5fe4bbb7a05d8b694e6a8368c90309633db89b7a451503337d75b62588376c
Instruction ID: fcebe26d47f2ca35f54421547cd0cd4f63d45b40147a600630553d4e4efd69d1
Opcode Fuzzy Hash: 6d5fe4bbb7a05d8b694e6a8368c90309633db89b7a451503337d75b62588376c
Instruction Fuzzy Hash: 37323332D29F014DD723A634CC22375A699AFB73D5F24C737E81AB59A5EB29D4C36200

Function 00EFCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ace1424b01bb6d6d26c88f00ecaf652d32812b7e72e50f48d6cb97434e2a56
Instruction ID: bd6c40a379aa09965cc25e8e33a41c5519d4443a8cf79668431353523e4dd448
Opcode Fuzzy Hash: d1ace1424b01bb6d6d26c88f00ecaf652d32812b7e72e50f48d6cb97434e2a56
Instruction Fuzzy Hash: 34322732E0015D8BCF28CF28C59467DBBA1EB45374F38816AD959BB291D234DD81FB90

Function 00EE7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fefb165639af7f175b857a1f4ed966e19d883c59f1a0ce8a93c697719e4744
Instruction ID: 90ed1af82e316e9ae25e8104816b7895f866567fa02fc7b8b06d5806c9b62098
Opcode Fuzzy Hash: 59fefb165639af7f175b857a1f4ed966e19d883c59f1a0ce8a93c697719e4744
Instruction Fuzzy Hash: 9B22D0B0E0061ADFDF14CF65D881AAEB3F6FF44710F245229E856A7291EB36AD10DB50

Function 00EE91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6b59fa1f795b8b8508f9d8c2d7014e7fc2a4f21b31192d6b77f4646d905c32
Instruction ID: 9d8dc67e9898423a5b003c43f221ed08b40b0465623bd2393b58fb842017bbe6
Opcode Fuzzy Hash: bf6b59fa1f795b8b8508f9d8c2d7014e7fc2a4f21b31192d6b77f4646d905c32
Instruction Fuzzy Hash: 2202D9B1E00219EBDF04DF55E881BADB7F1FF44310F208169E916AB291EB35AE50DB91

Function 00F19EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55227d178a1b214f2b31f6a883e6c30fd3adc2eaa5face9fa1a0585e5da12353
Instruction ID: 15b0ac4a4c3518c2b17b36ea54744784cea634510c9eee2c03e310083180d4b9
Opcode Fuzzy Hash: 55227d178a1b214f2b31f6a883e6c30fd3adc2eaa5face9fa1a0585e5da12353
Instruction Fuzzy Hash: E9B1E130E2AF454DD32396398835336B65CAFBB6D5F91D71BFC2674D22EB2286835240

Function 00F07A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc113c066c60d20f87784c52cf7b4b0cf400e67c41d5e8e6328b405139827d3
Instruction ID: 3f131c16b32f406c3c4aa3c3332cd1468f28735b5d4252c246b56b5fc1474f8a
Opcode Fuzzy Hash: 9cc113c066c60d20f87784c52cf7b4b0cf400e67c41d5e8e6328b405139827d3
Instruction Fuzzy Hash: 666189B1F08349A6DA34B9288C95BBE7384DF81320F1009D9E883CB2D5DA59BE43F355

Function 00F07CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fb22f53f4627b2e5d79af4e6804a34d3204cb87c143398216f7fd9060f93a5
Instruction ID: 245a09ab36cffed2a101b69785776aef4ea9f9ada6f47d49503e5380a78f6432
Opcode Fuzzy Hash: 56fb22f53f4627b2e5d79af4e6804a34d3204cb87c143398216f7fd9060f93a5
Instruction Fuzzy Hash: DE617972F0A70966DE387A288C51BBF3384AF42760F1009D9E983DB2C1DA16FD42F255

Function 00F52046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff4d899319a15468adf6195fd8670bb4cf83701a9690b9ea90a5b268c6e95cc
Instruction ID: c5154d03ffcd1903d406789358db52f1a5bccad4f70c4cac27eb38cb885f54c8
Opcode Fuzzy Hash: 8ff4d899319a15468adf6195fd8670bb4cf83701a9690b9ea90a5b268c6e95cc
Instruction Fuzzy Hash: C021D5327216158BDB28CF79C86267E73E5A754320F148A2EE4A7C37D1DE39A904DB80

Function 00F62ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F62B30
DeleteObject.GDI32(00000000), ref: 00F62B43
DestroyWindow.USER32 ref: 00F62B52
GetDesktopWindow.USER32 ref: 00F62B6D
GetWindowRect.USER32(00000000), ref: 00F62B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F62CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F62CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62CF8
GetClientRect.USER32(00000000,?), ref: 00F62D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F62D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62D80
GlobalLock.KERNEL32(00000000), ref: 00F62D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62D98
GlobalUnlock.KERNEL32(00000000), ref: 00F62DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62DA8
GlobalFree.KERNEL32(00000000), ref: 00F62DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F7FC38,00000000), ref: 00F62DDB
GlobalFree.KERNEL32(00000000), ref: 00F62DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F62E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F62E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F62E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F6303F

Strings

static, xrefs: 00F62D3A, 00F62E91
DISPLAY, xrefs: 00F62EA2
, xrefs: 00F62FC5
AutoIt v3, xrefs: 00F62CF2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0a253d1f185bba24ed35edc42b9fe3b50ed3aacd4d1fb346a27bd8970853f163
Instruction ID: b3f2c686dde72eaebde3222986c5296279c57b057485427de1dc1ecd490aaacc
Opcode Fuzzy Hash: 0a253d1f185bba24ed35edc42b9fe3b50ed3aacd4d1fb346a27bd8970853f163
Instruction Fuzzy Hash: B6026E71900208AFDB14DF64CC89EAE7BB9FB48310F04815CF919AB2A1DB74AD45DFA1

Function 00F770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F7712F
GetSysColorBrush.USER32(0000000F), ref: 00F77160
GetSysColor.USER32(0000000F), ref: 00F7716C
SetBkColor.GDI32(?,000000FF), ref: 00F77186
SelectObject.GDI32(?,?), ref: 00F77195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F771C0
GetSysColor.USER32(00000010), ref: 00F771C8
CreateSolidBrush.GDI32(00000000), ref: 00F771CF
FrameRect.USER32(?,?,00000000), ref: 00F771DE
DeleteObject.GDI32(00000000), ref: 00F771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F77230
FillRect.USER32(?,?,?), ref: 00F77262
GetWindowLongW.USER32(?,000000F0), ref: 00F77284

Part of subcall function 00F773E8: GetSysColor.USER32(00000012), ref: 00F77421
Part of subcall function 00F773E8: SetTextColor.GDI32(?,?), ref: 00F77425
Part of subcall function 00F773E8: GetSysColorBrush.USER32(0000000F), ref: 00F7743B
Part of subcall function 00F773E8: GetSysColor.USER32(0000000F), ref: 00F77446
Part of subcall function 00F773E8: GetSysColor.USER32(00000011), ref: 00F77463
Part of subcall function 00F773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F77471
Part of subcall function 00F773E8: SelectObject.GDI32(?,00000000), ref: 00F77482
Part of subcall function 00F773E8: SetBkColor.GDI32(?,00000000), ref: 00F7748B
Part of subcall function 00F773E8: SelectObject.GDI32(?,?), ref: 00F77498
Part of subcall function 00F773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F774B7
Part of subcall function 00F773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F774CE
Part of subcall function 00F773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F774DB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 35fc0b6fa1c6d51c9260ae61500c0d078cfcda37282510ecc692a778ab9b9ab4
Instruction ID: f1f7a20b50d3aaf0d55ecc595043391b0e2c1a8087b8fc50f66c37cc61de03ad
Opcode Fuzzy Hash: 35fc0b6fa1c6d51c9260ae61500c0d078cfcda37282510ecc692a778ab9b9ab4
Instruction Fuzzy Hash: 09A1A172408305AFD700AF60DC48A6B7BA9FF49320F144A1DF96A961E1D771E984EB93

Function 00F62711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F6273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F6286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F62900
GetClientRect.USER32(00000000,?), ref: 00F6290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F62955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F62964
GetStockObject.GDI32(00000011), ref: 00F62974
SelectObject.GDI32(00000000,00000000), ref: 00F62978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F62988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F62991
DeleteDC.GDI32(00000000), ref: 00F6299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F62A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F62A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F62A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F62A77
GetStockObject.GDI32(00000011), ref: 00F62A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F62A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F62A97

Strings

msctls_progress32, xrefs: 00F62A13
static, xrefs: 00F6294F, 00F62A71
DISPLAY, xrefs: 00F6295A
AutoIt v3, xrefs: 00F628F8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c6dc768b99e14a366cce9dd40fb5ff269a381fe131feb3fb9d37be168a35cc83
Instruction ID: 23d875353d4238c39343fb247e9c7fb19d30056510b4e5ab9f0a1f8c3b74326f
Opcode Fuzzy Hash: c6dc768b99e14a366cce9dd40fb5ff269a381fe131feb3fb9d37be168a35cc83
Instruction Fuzzy Hash: 65B15C71A00609AFEB14DF68DC89FAE7BA9FB08710F144219FA15E7290D774ED40DB94

Function 00F54ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F54AED
GetDriveTypeW.KERNEL32(?,00F7CB68,?,\\.\,00F7CC08), ref: 00F54BCA
SetErrorMode.KERNEL32(00000000,00F7CB68,?,\\.\,00F7CC08), ref: 00F54D36

Strings

RAMDisk, xrefs: 00F54BF4
Network, xrefs: 00F54C02
SCSI, xrefs: 00F54C8A
SAS, xrefs: 00F54CC9
FileBackedVirtual, xrefs: 00F54CEC
Virtual, xrefs: 00F54CE5
RAID, xrefs: 00F54CBB
SATA, xrefs: 00F54CD0
Removable, xrefs: 00F54C10, 00F54C15
PhysicalDrive, xrefs: 00F54B76
\\.\, xrefs: 00F54B3F
1394, xrefs: 00F54C9F
Fibre, xrefs: 00F54CAD
Fixed, xrefs: 00F54C09
iSCSI, xrefs: 00F54CC2
USB, xrefs: 00F54CB4
Unknown, xrefs: 00F54BED, 00F54C83
MMC, xrefs: 00F54CDE
SSA, xrefs: 00F54CA6
ATAPI, xrefs: 00F54C91
SSD, xrefs: 00F54C4A
CDROM, xrefs: 00F54BFB
ATA, xrefs: 00F54C98

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: faf09dcd49e8c9454619ae5e7012ffb6546dc19e5d1e870a6897f51d07b00bb8
Instruction ID: dd5eeaebfb28ffcb3acc7c6bf445282c0109e736e0815a2d491cb0057285dd54
Opcode Fuzzy Hash: faf09dcd49e8c9454619ae5e7012ffb6546dc19e5d1e870a6897f51d07b00bb8
Instruction Fuzzy Hash: E361E671605109ABCB04DF24C985E6C77B1AB8535AB284015FD06EB292DB35FDC9FF82

Function 00F773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F77421
SetTextColor.GDI32(?,?), ref: 00F77425
GetSysColorBrush.USER32(0000000F), ref: 00F7743B
GetSysColor.USER32(0000000F), ref: 00F77446
CreateSolidBrush.GDI32(?), ref: 00F7744B
GetSysColor.USER32(00000011), ref: 00F77463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F77471
SelectObject.GDI32(?,00000000), ref: 00F77482
SetBkColor.GDI32(?,00000000), ref: 00F7748B
SelectObject.GDI32(?,?), ref: 00F77498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F7752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F77554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F77572
DrawFocusRect.USER32(?,?), ref: 00F7757D
GetSysColor.USER32(00000011), ref: 00F7758E
SetTextColor.GDI32(?,00000000), ref: 00F77596
DrawTextW.USER32(?,00F770F5,000000FF,?,00000000), ref: 00F775A8
SelectObject.GDI32(?,?), ref: 00F775BF
DeleteObject.GDI32(?), ref: 00F775CA
SelectObject.GDI32(?,?), ref: 00F775D0
DeleteObject.GDI32(?), ref: 00F775D5
SetTextColor.GDI32(?,?), ref: 00F775DB
SetBkColor.GDI32(?,?), ref: 00F775E5

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c3155240c091023a65be1a99834d6744995d74d7cb70207e40dac17f5f40e7a1
Instruction ID: 63149c6809ea93f1efa344fe5b45620af2cf60c25ef4502b1e2a19a1b5806e0e
Opcode Fuzzy Hash: c3155240c091023a65be1a99834d6744995d74d7cb70207e40dac17f5f40e7a1
Instruction Fuzzy Hash: 33615272D00218AFDF019FA4DC49AAE7F79EF08720F158125F919A72A1D7719980EF91

Function 00F70FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F71128
GetDesktopWindow.USER32 ref: 00F7113D
GetWindowRect.USER32(00000000), ref: 00F71144
GetWindowLongW.USER32(?,000000F0), ref: 00F71199
DestroyWindow.USER32(?), ref: 00F711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F7120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F7121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F71232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F71245
IsWindowVisible.USER32(00000000), ref: 00F712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F712D0
GetWindowRect.USER32(00000000,?), ref: 00F712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F7130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F71328
CopyRect.USER32(?,?), ref: 00F7133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F713AA

Strings

0, xrefs: 00F710D3
tooltips_class32, xrefs: 00F711E6
(, xrefs: 00F7131B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0f5b5866bc8a0a4bafcab01b61a9eafd6445db9814d6de4820e62e804556075f
Instruction ID: 3a6cd0abcf9fd6118b0c9f1c2a21fcfa2bde7fe5b1679996b1bbad7667c92d4a
Opcode Fuzzy Hash: 0f5b5866bc8a0a4bafcab01b61a9eafd6445db9814d6de4820e62e804556075f
Instruction Fuzzy Hash: F2B17B71604341AFD714DF69C884B6ABBE5FF88350F00891DF99DAB2A1C771E848DB92

Function 00F70241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F702E5
_wcslen.LIBCMT ref: 00F7031F
_wcslen.LIBCMT ref: 00F70389
_wcslen.LIBCMT ref: 00F703F1
_wcslen.LIBCMT ref: 00F70475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F704C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F70504

Part of subcall function 00EFF9F2: _wcslen.LIBCMT ref: 00EFF9FD

Part of subcall function 00F4223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F42258
Part of subcall function 00F4223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F4228A

Strings

SELECT, xrefs: 00F70548
DESELECT, xrefs: 00F7059C
SELECTALL, xrefs: 00F70515
FINDITEM, xrefs: 00F70627
GETSELECTED, xrefs: 00F705E1
GETSELECTEDCOUNT, xrefs: 00F70470, 00F7048B
GETSUBITEMCOUNT, xrefs: 00F70384, 00F7039F
GETITEMCOUNT, xrefs: 00F70316, 00F70337
GETTEXT, xrefs: 00F703EC, 00F70407
SELECTINVERT, xrefs: 00F7057E
VIEWCHANGE, xrefs: 00F70675
SELECTCLEAR, xrefs: 00F7052D
ISSELECTED, xrefs: 00F704DD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b2661f1def15ac102cfc72a075f5eeac7e582ab4d24c70ca7771fd463133c109
Instruction ID: ba916f69b5620d13c8bbf20bf44bf3838fba2c4737b77cbe044a8cfc9df0985f
Opcode Fuzzy Hash: b2661f1def15ac102cfc72a075f5eeac7e582ab4d24c70ca7771fd463133c109
Instruction Fuzzy Hash: 62E1A271608341DFC714DF24C95092AB7E6BFC8324F14856DF89AAB2A6DB30ED45EB42

Function 00EF8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EF8968
GetSystemMetrics.USER32(00000007), ref: 00EF8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EF899B
GetSystemMetrics.USER32(00000008), ref: 00EF89A3
GetSystemMetrics.USER32(00000004), ref: 00EF89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EF89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EF89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EF8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EF8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00EF8A5A
GetStockObject.GDI32(00000011), ref: 00EF8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF8A81

Part of subcall function 00EF912D: GetCursorPos.USER32(?), ref: 00EF9141
Part of subcall function 00EF912D: ScreenToClient.USER32(00000000,?), ref: 00EF915E
Part of subcall function 00EF912D: GetAsyncKeyState.USER32(00000001), ref: 00EF9183
Part of subcall function 00EF912D: GetAsyncKeyState.USER32(00000002), ref: 00EF919D

SetTimer.USER32(00000000,00000000,00000028,00EF90FC), ref: 00EF8AA8

Strings

AutoIt v3 GUI, xrefs: 00EF8A20

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 984e1cc42145215110734d75f521433632b404d624904e8027bab9d498907b3e
Instruction ID: eb0ff106b526400a52df8fbd94e960f2ddc5d24aa7f8302b49ab152c721f37d6
Opcode Fuzzy Hash: 984e1cc42145215110734d75f521433632b404d624904e8027bab9d498907b3e
Instruction Fuzzy Hash: DDB15B31A00209AFDB14DF68CD95BAE3BB5FB48324F508229FA19E7290DB74E940DF51

Function 00F40D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F41114
Part of subcall function 00F410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41120
Part of subcall function 00F410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F4112F
Part of subcall function 00F410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41136
Part of subcall function 00F410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F4114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F40DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F40E29
GetLengthSid.ADVAPI32(?), ref: 00F40E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F40E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F40E96
GetLengthSid.ADVAPI32(?), ref: 00F40EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F40EB5
HeapAlloc.KERNEL32(00000000), ref: 00F40EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F40EDD
CopySid.ADVAPI32(00000000), ref: 00F40EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F40F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F40F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F40F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40F6E
HeapFree.KERNEL32(00000000), ref: 00F40F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40F7E
HeapFree.KERNEL32(00000000), ref: 00F40F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F40F8E
HeapFree.KERNEL32(00000000), ref: 00F40F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F40FA1
HeapFree.KERNEL32(00000000), ref: 00F40FA8

Part of subcall function 00F41193: GetProcessHeap.KERNEL32(00000008,00F40BB1,?,00000000,?,00F40BB1,?), ref: 00F411A1
Part of subcall function 00F41193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F40BB1,?), ref: 00F411A8
Part of subcall function 00F41193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F40BB1,?), ref: 00F411B7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3fd3f5003b56e9278788da15e32ab0f0cdf9a9565c1e1ff9b46b1366407f2a2a
Instruction ID: bc7380b5b401be49b60799e8982de096ba69e2f4b28ed9396a1cf601a1fed407
Opcode Fuzzy Hash: 3fd3f5003b56e9278788da15e32ab0f0cdf9a9565c1e1ff9b46b1366407f2a2a
Instruction Fuzzy Hash: 8271507190020AABDF209FA5DC44FAEBBB8FF09320F044129FA19E7151DB759945DBA1

Function 00F6C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F6C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F7CC08,00000000,?,00000000,?,?), ref: 00F6C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F6C5A4
_wcslen.LIBCMT ref: 00F6C5F4
_wcslen.LIBCMT ref: 00F6C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F6C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F6C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F6C84D
RegCloseKey.ADVAPI32(?), ref: 00F6C881
RegCloseKey.ADVAPI32(00000000), ref: 00F6C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F6C960

Strings

REG_QWORD, xrefs: 00F6C8C3
REG_MULTI_SZ, xrefs: 00F6C6F5
REG_EXPAND_SZ, xrefs: 00F6C5CD
REG_SZ, xrefs: 00F6C644
REG_DWORD, xrefs: 00F6C804
REG_BINARY, xrefs: 00F6C913

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: aa8f00ad8cda1446b2bce9d9fee5e77ad9b9901d2c5097cc496997faaeff6ff8
Instruction ID: 9d584fc0484faa4c878623b27bb4ed5b87afc81cb0b9d700fe06f3395a23833d
Opcode Fuzzy Hash: aa8f00ad8cda1446b2bce9d9fee5e77ad9b9901d2c5097cc496997faaeff6ff8
Instruction Fuzzy Hash: 10127A756042019FC714DF25D881A2AB7E5FF88724F18885CF88AAB3A2DB35FD45DB81

Function 00F7091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F709C6
_wcslen.LIBCMT ref: 00F70A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F70A54
_wcslen.LIBCMT ref: 00F70A8A
_wcslen.LIBCMT ref: 00F70B06
_wcslen.LIBCMT ref: 00F70B81

Part of subcall function 00EFF9F2: _wcslen.LIBCMT ref: 00EFF9FD

Part of subcall function 00F42BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F42BFA

Strings

COLLAPSE, xrefs: 00F70B01, 00F70B1C
SELECT, xrefs: 00F70D11
GETTEXT, xrefs: 00F70C97
GETTOTALCOUNT, xrefs: 00F709F2, 00F70A17
ISCHECKED, xrefs: 00F70CE1
EXISTS, xrefs: 00F70B7C, 00F70B97
UNCHECK, xrefs: 00F70D3E
EXPAND, xrefs: 00F70BF8
GETSELECTED, xrefs: 00F70C4E
CHECK, xrefs: 00F70A85, 00F70AA0
GETITEMCOUNT, xrefs: 00F70C1E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 2346134a86f850898c6bba274b2d7e8ad5a8c9ebb1a0ca15ec1a05fa51e8762f
Instruction ID: d9b56414fbfb072c2057f649271a9d0b9e624d85608ce5a297d76c5296807bff
Opcode Fuzzy Hash: 2346134a86f850898c6bba274b2d7e8ad5a8c9ebb1a0ca15ec1a05fa51e8762f
Instruction Fuzzy Hash: 55E19F71608741DFC714DF25C45092AB7E2BF98314F14895EF89AAB3A2DB30ED45EB82

Function 00F6C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F6B6AE,?,?), ref: 00F6C9B5
_wcslen.LIBCMT ref: 00F6C9F1
_wcslen.LIBCMT ref: 00F6CA68
_wcslen.LIBCMT ref: 00F6CA9E
_wcslen.LIBCMT ref: 00F6CAF9
_wcslen.LIBCMT ref: 00F6CB2F
_wcslen.LIBCMT ref: 00F6CB7F

Strings

HKU, xrefs: 00F6CBF0
HKCR, xrefs: 00F6CB29, 00F6CB2E
HKEY_CLASSES_ROOT, xrefs: 00F6CAF3, 00F6CAF8
HKEY_LOCAL_MACHINE, xrefs: 00F6CA62, 00F6CA67
HKCC, xrefs: 00F6CBAC
HKLM, xrefs: 00F6CA98, 00F6CA9D
HKEY_USERS, xrefs: 00F6CBDF
HKCU, xrefs: 00F6CBCE
HKEY_CURRENT_USER, xrefs: 00F6CBBD
HKEY_CURRENT_CONFIG, xrefs: 00F6CB79, 00F6CB7E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 89f8ed8e76eba7272f707dab4d56665c697d5a79be36d8f12fc942562ec33b9f
Instruction ID: ce960ec4dbac1d2847edb48cb6e2ac351fdb1e3aab832c00c8bc22ebdac638e8
Opcode Fuzzy Hash: 89f8ed8e76eba7272f707dab4d56665c697d5a79be36d8f12fc942562ec33b9f
Instruction Fuzzy Hash: FF71E873A0016A8BCB20EEBCCD516BB3391AFA1764F150528FCD5A7285E639DD44B3E0

Function 00F7833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F7835A
_wcslen.LIBCMT ref: 00F7836E
_wcslen.LIBCMT ref: 00F78391
_wcslen.LIBCMT ref: 00F783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F75BF2), ref: 00F7844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F78487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F78501
FreeLibrary.KERNEL32(?), ref: 00F7850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F7851D
DestroyIcon.USER32(?,?,?,?,?,00F75BF2), ref: 00F7852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F78549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F78555

Strings

.icl, xrefs: 00F78368
.exe, xrefs: 00F78388
.dll, xrefs: 00F783AB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ff9dfe5ab591dec6d59895aff5045fa6fb144c46755bf04073e8ad1286f6592d
Instruction ID: cd3b368b7f3ba498ac8f4a2a1ee932e3740487a0107bcbaca1c9ba851345bc32
Opcode Fuzzy Hash: ff9dfe5ab591dec6d59895aff5045fa6fb144c46755bf04073e8ad1286f6592d
Instruction Fuzzy Hash: 3E6103B1940209BEEB14DF64CC85FBE77A8BF04760F10810AF919D60D1DFB4A981E7A1

Function 00EE7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00EE785F, 00EE78B1
#OnAutoItStartRegister, xrefs: 00EE7817
Cannot parse #include, xrefs: 00F25279
#comments-end, xrefs: 00EE78D9
#requireadmin, xrefs: 00EE77FF
", xrefs: 00F25153
', xrefs: 00F25169
Unterminated group of comments, xrefs: 00F2528C
#cs, xrefs: 00EE7873, 00EE78C5
#include, xrefs: 00EE7847
#notrayicon, xrefs: 00EE77E7
Bad directive syntax error, xrefs: 00F2519A
#ce, xrefs: 00EE78ED
#pragma compile, xrefs: 00EE77D3
#include-once, xrefs: 00EE782F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 71a68d9642991eb70379baae2567bf14c3106553e854bb3770403f300bdfd7cd
Instruction ID: 285431d9fadcc558fbcd66e73fd8f2b51fff8f342efec5b1fb819d5d6ab3066d
Opcode Fuzzy Hash: 71a68d9642991eb70379baae2567bf14c3106553e854bb3770403f300bdfd7cd
Instruction Fuzzy Hash: 4A813B71A04219BBDB20AF61DC42FBF37A8AF15710F044025F945BB1D2EB74D951E7A2

Function 00F53E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F53EF8
_wcslen.LIBCMT ref: 00F53F03
_wcslen.LIBCMT ref: 00F53F5A
_wcslen.LIBCMT ref: 00F53F98
GetDriveTypeW.KERNEL32(?), ref: 00F53FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F5401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F54059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F54087

Strings

open , xrefs: 00F53FE5
closed, xrefs: 00F53F08, 00F53F2D, 00F53F46, 00F53F7E, 00F53F97
wait, xrefs: 00F54044
close cd wait, xrefs: 00F54072
close, xrefs: 00F53EFE, 00F53F18
open, xrefs: 00F53F54, 00F53F59
set cd door , xrefs: 00F54028
type cdaudio alias cd wait, xrefs: 00F54001

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: ab761394b3e8301561b0e3719ecc70f031df057e1d86d707ee35b4c824ea7f91
Instruction ID: b3dbcd89e4541197f5419fa7183e115f1ff76205ed87e395826a26ae10d1a24e
Opcode Fuzzy Hash: ab761394b3e8301561b0e3719ecc70f031df057e1d86d707ee35b4c824ea7f91
Instruction Fuzzy Hash: 24710472A042059FC310EF28C88086AB7F4EF957A9F14492DFA95D7291EB30ED49DB91

Function 00F45A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F45A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F45A40
SetWindowTextW.USER32(?,?), ref: 00F45A57
GetDlgItem.USER32(?,000003EA), ref: 00F45A6C
SetWindowTextW.USER32(00000000,?), ref: 00F45A72
GetDlgItem.USER32(?,000003E9), ref: 00F45A82
SetWindowTextW.USER32(00000000,?), ref: 00F45A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F45AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F45AC3
GetWindowRect.USER32(?,?), ref: 00F45ACC
_wcslen.LIBCMT ref: 00F45B33
SetWindowTextW.USER32(?,?), ref: 00F45B6F
GetDesktopWindow.USER32 ref: 00F45B75
GetWindowRect.USER32(00000000), ref: 00F45B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F45BD3
GetClientRect.USER32(?,?), ref: 00F45BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F45C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F45C2F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: df89a26516549a41a5eeee59f30140a1e83cbcdeb1bb9a443801595cadb36f8f
Instruction ID: 38043ced244526b8ea0cf3ea7f7138a5e8b5c47db922a7857dbca523747b2e10
Opcode Fuzzy Hash: df89a26516549a41a5eeee59f30140a1e83cbcdeb1bb9a443801595cadb36f8f
Instruction Fuzzy Hash: 9B718D31900B09AFDB20EFA8CE85B6EBBF5FF48B14F10451CE946A25A1D774E940EB50

Function 00F5FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00F5FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00F5FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00F5FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00F5FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00F5FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00F5FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00F5FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00F5FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00F5FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00F5FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00F5FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00F5FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00F5FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00F5FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00F5FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00F5FECC
GetCursorInfo.USER32(?), ref: 00F5FEDC
GetLastError.KERNEL32 ref: 00F5FF1E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: b81a774bd6a1c7bc72aa0dd1dc8003513179ffdde4fdf351a0cf7cdfd0d3c80e
Instruction ID: d5d7fe152d4913ac8cbcedc35704fbbe147fd54d732ff8c2fa0c44a41196a0bb
Opcode Fuzzy Hash: b81a774bd6a1c7bc72aa0dd1dc8003513179ffdde4fdf351a0cf7cdfd0d3c80e
Instruction Fuzzy Hash: 2F4174B0D043196ADB109FBA8C8985EBFE8FF04364B50456AE51DEB281DB789905CF91

Function 00F000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F000C6

Part of subcall function 00F000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FB070C,00000FA0,FE09C4DF,?,?,?,?,00F223B3,000000FF), ref: 00F0011C
Part of subcall function 00F000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F223B3,000000FF), ref: 00F00127
Part of subcall function 00F000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F223B3,000000FF), ref: 00F00138
Part of subcall function 00F000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F0014E
Part of subcall function 00F000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F0015C
Part of subcall function 00F000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F0016A
Part of subcall function 00F000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F00195
Part of subcall function 00F000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F001A0

___scrt_fastfail.LIBCMT ref: 00F000E7

Part of subcall function 00F000A3: __onexit.LIBCMT ref: 00F000A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F00122
SleepConditionVariableCS, xrefs: 00F00154
InitializeConditionVariable, xrefs: 00F00148
WakeAllConditionVariable, xrefs: 00F00162
kernel32.dll, xrefs: 00F00133

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e7b6aa868a81e90662b6b5e75e7954892470d12e6b65e50cf9adac3eaca2f10f
Instruction ID: ad13b225a39d42c1325521da9ed9cff9e08887aa9af05e14a2e2158f4f3bd2c4
Opcode Fuzzy Hash: e7b6aa868a81e90662b6b5e75e7954892470d12e6b65e50cf9adac3eaca2f10f
Instruction Fuzzy Hash: 1721A432A447196BE7206B64AC49B6A73D4EB05B61F10413BF909A72D1DEA4D840BA93

Function 00F430F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F4318D
_wcslen.LIBCMT ref: 00F431F8

Strings

TEXT, xrefs: 00F4347C
CLASS, xrefs: 00F43188, 00F431A5
REGEXPCLASS, xrefs: 00F43255, 00F43266
INSTANCE, xrefs: 00F43453
CLASSNN, xrefs: 00F431F3, 00F43204
NAME, xrefs: 00F43335, 00F43346

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 351255b4f3301e9548bd6c15aa010ef157fa759460d93f9bf74461916babc216
Instruction ID: 76355d1ec16fbe0e0a2f53cf16efa87cdeb559a9750408b326553358059aec21
Opcode Fuzzy Hash: 351255b4f3301e9548bd6c15aa010ef157fa759460d93f9bf74461916babc216
Instruction Fuzzy Hash: CDE1B332E00516ABCB18DFA4C8517EDBFB0BF54760F548129E856B7290DB70AF85A7A0

Function 00F544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F7CC08), ref: 00F54527
_wcslen.LIBCMT ref: 00F5453B
_wcslen.LIBCMT ref: 00F54599
_wcslen.LIBCMT ref: 00F545F4
_wcslen.LIBCMT ref: 00F5463F
_wcslen.LIBCMT ref: 00F546A7

Part of subcall function 00EFF9F2: _wcslen.LIBCMT ref: 00EFF9FD

GetDriveTypeW.KERNEL32(?,00FA6BF0,00000061), ref: 00F54743

Strings

network, xrefs: 00F5469D, 00F546A2
cdrom, xrefs: 00F5458F, 00F54594
all, xrefs: 00F54531, 00F54536
unknown, xrefs: 00F54708
fixed, xrefs: 00F54635, 00F5463A
removable, xrefs: 00F545EA, 00F545EF
ramdisk, xrefs: 00F546F1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 053040e9b35ee16a5cc5c6e16e80be99063a5c7bb55175b7899737c49c5f917c
Instruction ID: 145609d1284170c19223cf6a7e440be49db2166c1fa184160422392672dc3696
Opcode Fuzzy Hash: 053040e9b35ee16a5cc5c6e16e80be99063a5c7bb55175b7899737c49c5f917c
Instruction Fuzzy Hash: 6EB13971A083019FC310DF28C890A6AF7E0BF95769F54491DFA96D3291E730EC88DB52

Function 00F63FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F7CC08), ref: 00F640BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F640CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00F7CC08), ref: 00F640F2
FreeLibrary.KERNEL32(00000000,?,00F7CC08), ref: 00F6413E
StringFromGUID2.OLE32(?,?,00000028,?,00F7CC08), ref: 00F641A8
SysFreeString.OLEAUT32(00000009), ref: 00F64262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F642C8
SysFreeString.OLEAUT32(?), ref: 00F642F2

Strings

kernel32.dll, xrefs: 00F640B6
GetModuleHandleExW, xrefs: 00F640C7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c66f306d3f5507cb70fc2e0231b24724e20fa93ccb6e3e7c2a365b81d4e0dc09
Instruction ID: 085732c41abdff4b509a9bcf0855f0cd6b43da1dcba72fc5f43cd50d9fc7ec07
Opcode Fuzzy Hash: c66f306d3f5507cb70fc2e0231b24724e20fa93ccb6e3e7c2a365b81d4e0dc09
Instruction Fuzzy Hash: C7124B75A00119EFDB14EF94C884EAEBBB5FF45314F248098E905AB251CB31FD86DBA1

Function 00EE326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00FB1990), ref: 00F22F8D
GetMenuItemCount.USER32(00FB1990), ref: 00F2303D
GetCursorPos.USER32(?), ref: 00F23081
SetForegroundWindow.USER32(00000000), ref: 00F2308A
TrackPopupMenuEx.USER32(00FB1990,00000000,?,00000000,00000000,00000000), ref: 00F2309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F230A9

Strings

0, xrefs: 00EE327D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d89b317961e7a0cb1df55cf855cca9c878d83f1e7013ecd1bc67e3f487d8d7a8
Instruction ID: bdc6303c6d0a1da9a17177a2a6f30d00e4cac8690ae30cbc52af7f7d48188865
Opcode Fuzzy Hash: d89b317961e7a0cb1df55cf855cca9c878d83f1e7013ecd1bc67e3f487d8d7a8
Instruction Fuzzy Hash: E4714970644259BFEB218F35DC89F9ABF68FF04324F200206F6186A1E0C7B5A950EB91

Function 00F76CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00F76DEB

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F76E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F76E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F76E94
DestroyWindow.USER32(?), ref: 00F76EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EE0000,00000000), ref: 00F76EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F76EFD
GetDesktopWindow.USER32 ref: 00F76F16
GetWindowRect.USER32(00000000), ref: 00F76F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F76F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F76F4D

Part of subcall function 00EF9944: GetWindowLongW.USER32(?,000000EB), ref: 00EF9952

Strings

0, xrefs: 00F76D98
tooltips_class32, xrefs: 00F76E58, 00F76EDD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 520193d0ea2e16022eb374f7faad04920a706d12624e86d83fc951780c5d32fd
Instruction ID: 9363e71c9a6c5cc0893d801b2a40a897287d10983789b64a4d184e19ae5706b8
Opcode Fuzzy Hash: 520193d0ea2e16022eb374f7faad04920a706d12624e86d83fc951780c5d32fd
Instruction Fuzzy Hash: BB719770500648AFDB20DF18DC84EAABBE9FB88314F54451EF988D7261D730E94AEB52

Function 00F7911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

DragQueryPoint.SHELL32(?,?), ref: 00F79147

Part of subcall function 00F77674: ClientToScreen.USER32(?,?), ref: 00F7769A
Part of subcall function 00F77674: GetWindowRect.USER32(?,?), ref: 00F77710
Part of subcall function 00F77674: PtInRect.USER32(?,?,00F78B89), ref: 00F77720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F79225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F7923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F79255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F79277
DragFinish.SHELL32(?), ref: 00F7927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F79371

Strings

@GUI_DRAGID, xrefs: 00F792E9
@GUI_DROPID, xrefs: 00F7929E
@GUI_DRAGFILE, xrefs: 00F79320

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 19db685be06c1a991892d1e2a7c685653f8ef86bd5a3f4b8faf6ecb84230a6ed
Instruction ID: 1495c275a081f933656e5472c165b7241b1d3b4e8be53862a880d6c545909ced
Opcode Fuzzy Hash: 19db685be06c1a991892d1e2a7c685653f8ef86bd5a3f4b8faf6ecb84230a6ed
Instruction Fuzzy Hash: BE619971108344AFD301EF65DC85DAFBBE8EF88350F50092EF599A31A1DB709A49DB92

Function 00F5C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F5C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F5C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F5C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F5C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F5C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F5C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F5C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F5C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F5C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F5C5F0
InternetCloseHandle.WININET(00000000), ref: 00F5C5FB

Strings

, xrefs: 00F5C575

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 55c285194474cf1263ffaf020c1ce3ba40d3d71da19bbdda4035924924022b53
Instruction ID: 9dee1f2c0ebf1308b309fc988e7801e6263cd724261fcfe2825ed8ece8ebbf4e
Opcode Fuzzy Hash: 55c285194474cf1263ffaf020c1ce3ba40d3d71da19bbdda4035924924022b53
Instruction Fuzzy Hash: 89513EB1500709BFDB218FA4CD48AAB7BBCFB04755F04441DFA4A96151EB34EA48EBE1

Function 00F7856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00F78592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785BA
GlobalLock.KERNEL32(00000000), ref: 00F785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785D7
GlobalUnlock.KERNEL32(00000000), ref: 00F785E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F785F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00F7FC38,?), ref: 00F78611
GlobalFree.KERNEL32(00000000), ref: 00F78621
GetObjectW.GDI32(?,00000018,?), ref: 00F78641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F78671
DeleteObject.GDI32(?), ref: 00F78699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F786AF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4537b219998e2cb6fc8bc8471aa461f23ded7ba545b5f53c63e4b14a696a979f
Instruction ID: d2c76e5796556d75e76144062dd183788b23dbee0e5aaea107878f77811acd1e
Opcode Fuzzy Hash: 4537b219998e2cb6fc8bc8471aa461f23ded7ba545b5f53c63e4b14a696a979f
Instruction Fuzzy Hash: 2B414B71640208BFDB119FA5CC4CEAA7BB9FF89761F148059F909E7260DB309D41EB62

Function 00F514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00F51502
VariantCopy.OLEAUT32(?,?), ref: 00F5150B
VariantClear.OLEAUT32(?), ref: 00F51517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00F51657
VariantInit.OLEAUT32(?), ref: 00F51708
SysFreeString.OLEAUT32(?), ref: 00F5178C
VariantClear.OLEAUT32(?), ref: 00F517D8
VariantClear.OLEAUT32(?), ref: 00F517E7
VariantInit.OLEAUT32(00000000), ref: 00F51823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F51625
Default, xrefs: 00F516AF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a5ae6537d5077190661b5a214dee42da78a716cd46417c760366cda5cbfc48e5
Instruction ID: 1f7b8bd0ed8b2547f6546bbfbd1d72589804a0861f8603a7c9ce0a7272909fb3
Opcode Fuzzy Hash: a5ae6537d5077190661b5a214dee42da78a716cd46417c760366cda5cbfc48e5
Instruction Fuzzy Hash: DCD10572A00109DBDB10AF65E885B7DB7F5BF44701F188059FA06AB181EB34FC49EB92

Function 00F6B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F6B6AE,?,?), ref: 00F6C9B5
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6C9F1
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA68
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F6B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F6B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F6B80A
RegCloseKey.ADVAPI32(?), ref: 00F6B87E
RegCloseKey.ADVAPI32(?), ref: 00F6B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F6B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F6B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F6B922
FreeLibrary.KERNEL32(00000000), ref: 00F6B983
RegCloseKey.ADVAPI32(00000000), ref: 00F6B994

Strings

advapi32.dll, xrefs: 00F6B8ED
RegDeleteKeyExW, xrefs: 00F6B8FE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ae71059028c48a6cbb07da1d3dc47a17d28677848757e794b43b75b8a44fd7a1
Instruction ID: e2d185d907d9d705c15900844d60c20a0f9baba2435ec367339e481313a6c6cd
Opcode Fuzzy Hash: ae71059028c48a6cbb07da1d3dc47a17d28677848757e794b43b75b8a44fd7a1
Instruction Fuzzy Hash: E2C1A231604241AFD714DF24C494F2ABBE5FF84318F14855CF4999B2A2CB35EC86DB91

Function 00F6255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F625E8
CreateCompatibleDC.GDI32(?), ref: 00F625F4
SelectObject.GDI32(00000000,?), ref: 00F62601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F6266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F626D0
SelectObject.GDI32(?,?), ref: 00F626D8
DeleteObject.GDI32(?), ref: 00F626E1
DeleteDC.GDI32(?), ref: 00F626E8
ReleaseDC.USER32(00000000,?), ref: 00F626F3

Strings

(, xrefs: 00F6268D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 25087addd6e341624d6a23d6806685935e9dcac760a0ea8341733f57817fa93e
Instruction ID: e8722b577c61636b12f58aea4d3dbca6b219684775c099a172e127a44ba64d64
Opcode Fuzzy Hash: 25087addd6e341624d6a23d6806685935e9dcac760a0ea8341733f57817fa93e
Instruction Fuzzy Hash: 3861D2B5D00219EFCF14CFA8DC84AAEBBB5FF48310F208529E95AA7250D775A941DF90

Function 00F1DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F1DAA1

Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D659
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D66B
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D67D
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D68F
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6A1
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6B3
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6C5
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6D7
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6E9
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D6FB
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D70D
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D71F
Part of subcall function 00F1D63C: _free.LIBCMT ref: 00F1D731

_free.LIBCMT ref: 00F1DA96

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F1DAB8
_free.LIBCMT ref: 00F1DACD
_free.LIBCMT ref: 00F1DAD8
_free.LIBCMT ref: 00F1DAFA
_free.LIBCMT ref: 00F1DB0D
_free.LIBCMT ref: 00F1DB1B
_free.LIBCMT ref: 00F1DB26
_free.LIBCMT ref: 00F1DB5E
_free.LIBCMT ref: 00F1DB65
_free.LIBCMT ref: 00F1DB82
_free.LIBCMT ref: 00F1DB9A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4dc845cd656ecd645d7be9a5365e945c057ea5542858b79a8c4250a4a2e3ec96
Instruction ID: b0c8f190e97d31890a14d1f3627323a9030e647c9518dde51bdc1696c034c047
Opcode Fuzzy Hash: 4dc845cd656ecd645d7be9a5365e945c057ea5542858b79a8c4250a4a2e3ec96
Instruction Fuzzy Hash: 40314832A086049FEB61AA7DEC45B9A77F8FF40330F514419E449DB192DB38ACE0B720

Function 00F4365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F4369C
_wcslen.LIBCMT ref: 00F436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F43797
GetClassNameW.USER32(?,?,00000400), ref: 00F4380C
GetDlgCtrlID.USER32(?), ref: 00F4385D
GetWindowRect.USER32(?,?), ref: 00F43882
GetParent.USER32(?), ref: 00F438A0
ScreenToClient.USER32(00000000), ref: 00F438A7
GetClassNameW.USER32(?,?,00000100), ref: 00F43921
GetWindowTextW.USER32(?,?,00000400), ref: 00F4395D

Strings

%s%u, xrefs: 00F43734

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: aa3058a432f4ee0b02953a207d918eca6891ecc8bf4efb51a68dbc36a52d3c1c
Instruction ID: 5d63a260dfd511c75ba21e541bbf5d5fd2f987e3f568f48db1865eb959048857
Opcode Fuzzy Hash: aa3058a432f4ee0b02953a207d918eca6891ecc8bf4efb51a68dbc36a52d3c1c
Instruction Fuzzy Hash: 5E91E271604606AFD718DF24C885FAAFBE9FF44360F008529FD99C2190DB34EA45EB91

Function 00F44954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F44994
GetWindowTextW.USER32(?,?,00000400), ref: 00F449DA
_wcslen.LIBCMT ref: 00F449EB
CharUpperBuffW.USER32(?,00000000), ref: 00F449F7
_wcsstr.LIBVCRUNTIME ref: 00F44A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F44A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F44A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F44AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F44B20
GetWindowRect.USER32(?,?), ref: 00F44B8B

Strings

ThumbnailClass, xrefs: 00F44A6F, 00F44AF1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 64d03d88636c93102491e7e5ba04d1b91c6049b563c650a7027b16a11de453c4
Instruction ID: 681a2a82ececb4cbc5c5e344ba2f412dc51e22b77af6a1dc9577491524b7fb0e
Opcode Fuzzy Hash: 64d03d88636c93102491e7e5ba04d1b91c6049b563c650a7027b16a11de453c4
Instruction Fuzzy Hash: 9691F3715082099FDB04CF14C985FAA7BE8FF84724F048469FD89AA096DB34FD45EBA1

Function 00F78D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F78D5A
GetFocus.USER32 ref: 00F78D6A
GetDlgCtrlID.USER32(00000000), ref: 00F78D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00F78E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F78ECF
GetMenuItemCount.USER32(?), ref: 00F78EEC
GetMenuItemID.USER32(?,00000000), ref: 00F78EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F78F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F78F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F78FA1

Strings

0, xrefs: 00F78E9F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 73b7ff84d8b3dc982129784c4270c32b279f9a2854c237abb9a61f8d8f109e58
Instruction ID: 01ce3c8356762a94c5b6adef2947beab64c1bbcd44de593167a5dbb9a9c00672
Opcode Fuzzy Hash: 73b7ff84d8b3dc982129784c4270c32b279f9a2854c237abb9a61f8d8f109e58
Instruction Fuzzy Hash: 4981AF719443059FD710CF14C888AAB7BE9FB883A4F14851EF98D97291DB31D942EBA3

Function 00F4BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00FB1990,000000FF,00000000,00000030), ref: 00F4BFAC
SetMenuItemInfoW.USER32(00FB1990,00000004,00000000,00000030), ref: 00F4BFE1
Sleep.KERNEL32(000001F4), ref: 00F4BFF3
GetMenuItemCount.USER32(?), ref: 00F4C039
GetMenuItemID.USER32(?,00000000), ref: 00F4C056
GetMenuItemID.USER32(?,-00000001), ref: 00F4C082
GetMenuItemID.USER32(?,?), ref: 00F4C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F4C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F4C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F4C145

Strings

0, xrefs: 00F4BF3D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 1a86ed3f090d9f6514fe25fc857078445475eeefaa081a0b30cfe2b0f82b7110
Instruction ID: e60186dd6421e999cf9c19568b89d4fd0b3795ad68b165f327e1a07f3c9f08ea
Opcode Fuzzy Hash: 1a86ed3f090d9f6514fe25fc857078445475eeefaa081a0b30cfe2b0f82b7110
Instruction Fuzzy Hash: 4061AFB090124AAFEF11CF68CC88AEE7FB8FB45354F040159EC05A3292D735AD44EBA1

Function 00F4DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F4DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F4DC46
_wcslen.LIBCMT ref: 00F4DC50
_wcsstr.LIBVCRUNTIME ref: 00F4DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F4DCBC

Strings

%u.%u.%u.%u, xrefs: 00F4DD9A
04090000, xrefs: 00F4DCF2
DefaultLangCodepage, xrefs: 00F4DD1F
StringFileInfo\, xrefs: 00F4DC8F
\VarFileInfo\Translation, xrefs: 00F4DCB4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ad757a126810351dc1cb41bf58c2cbc6efe4a69dd5f9422b625416e2d1a0607d
Instruction ID: ea6124edab3162d26d512332c207116e3d0d3a1ab1c23b121a5736051f885558
Opcode Fuzzy Hash: ad757a126810351dc1cb41bf58c2cbc6efe4a69dd5f9422b625416e2d1a0607d
Instruction Fuzzy Hash: BA41F4729402057ADB14A7749C47EBF7BACDF42760F14406AFE04B61C2EA68D901B7A6

Function 00F6CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F6CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F6CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F6CD48

Part of subcall function 00F6CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F6CCAA
Part of subcall function 00F6CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F6CCBD
Part of subcall function 00F6CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F6CCCF
Part of subcall function 00F6CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F6CD05
Part of subcall function 00F6CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F6CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F6CCF3

Strings

advapi32.dll, xrefs: 00F6CCB8
RegDeleteKeyExW, xrefs: 00F6CCC9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: ee989b6f6a77646008f026e0795f2aa10617a557d10d753d2df4d36010b65547
Instruction ID: 17d14add054156f779eaecde4cf881d67995ec8dca724ed47d4f92c71d2b8e6b
Opcode Fuzzy Hash: ee989b6f6a77646008f026e0795f2aa10617a557d10d753d2df4d36010b65547
Instruction Fuzzy Hash: 4A317E71D0112CBBD7209B50DC88EFFBB7CEF05750F000169E999E2140D6749A85ABE1

Function 00F53D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F53D40
_wcslen.LIBCMT ref: 00F53D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F53D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F53DBE
RemoveDirectoryW.KERNEL32(?), ref: 00F53DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F53E55
CloseHandle.KERNEL32(00000000), ref: 00F53E60
CloseHandle.KERNEL32(00000000), ref: 00F53E6B

Strings

\, xrefs: 00F53D77
:, xrefs: 00F53D82
\??\%s, xrefs: 00F53D5B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 675952e7285c66b46d0aff38444e076ec8994ed2bd65ea1188d631312f8901da
Instruction ID: 851f7b2454a39f8d104356e8b0b518ea205cfc7f330df15ae82150de29e94fca
Opcode Fuzzy Hash: 675952e7285c66b46d0aff38444e076ec8994ed2bd65ea1188d631312f8901da
Instruction Fuzzy Hash: A431C37290010DABDB209BA4DC49FEB37BDEF89751F1040B9FA09D6060E7749788AB64

Function 00F4E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F4E6B4

Part of subcall function 00EFE551: timeGetTime.WINMM(?,?,00F4E6D4), ref: 00EFE555

Sleep.KERNEL32(0000000A), ref: 00F4E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F4E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F4E727
SetActiveWindow.USER32 ref: 00F4E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F4E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F4E773
Sleep.KERNEL32(000000FA), ref: 00F4E77E
IsWindow.USER32 ref: 00F4E78A
EndDialog.USER32(00000000), ref: 00F4E79B

Strings

BUTTON, xrefs: 00F4E719

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 49e1237ac18831ec497df555d014c6f3d090010ddf7913eaeb7acd38c29e0e7c
Instruction ID: 5a19054dd081a33bbe13a04b7bf4d18440d5ae5a38462192f1f794fbed424021
Opcode Fuzzy Hash: 49e1237ac18831ec497df555d014c6f3d090010ddf7913eaeb7acd38c29e0e7c
Instruction Fuzzy Hash: 9621967060020CAFEB005F20ECCAE253F6AF754769F141529F919C11B1DB75AC40BF55

Function 00F4E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F4EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F4EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F4EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F4EAA7

Strings

open , xrefs: 00F4EA0C
close PlayMe, xrefs: 00F4EA6E, 00F4EA9B
play PlayMe wait, xrefs: 00F4EA91
status PlayMe mode, xrefs: 00F4EA58
alias PlayMe, xrefs: 00F4EA36
play PlayMe, xrefs: 00F4EAA2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 896ef7d796e0be0976b1fde2e33b0d94483e255f4792d91fe6c47930a8b97b71
Instruction ID: 01e6590f1f7166eb25f263992d2e7be5b2ee3818c26bcd9d7317469d7645182f
Opcode Fuzzy Hash: 896ef7d796e0be0976b1fde2e33b0d94483e255f4792d91fe6c47930a8b97b71
Instruction Fuzzy Hash: C5119E71A9025D79D720A7A2DC4AEFF6ABCFFD6B10F040429B811E20D1EEB08945D5B1

Function 00F49F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F4A012
SetKeyboardState.USER32(?), ref: 00F4A07D
GetAsyncKeyState.USER32(000000A0), ref: 00F4A09D
GetKeyState.USER32(000000A0), ref: 00F4A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00F4A0E3
GetKeyState.USER32(000000A1), ref: 00F4A0F4
GetAsyncKeyState.USER32(00000011), ref: 00F4A120
GetKeyState.USER32(00000011), ref: 00F4A12E
GetAsyncKeyState.USER32(00000012), ref: 00F4A157
GetKeyState.USER32(00000012), ref: 00F4A165
GetAsyncKeyState.USER32(0000005B), ref: 00F4A18E
GetKeyState.USER32(0000005B), ref: 00F4A19C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 50c9316c7a64a3fc003ff8e16c469c4bd08ee8fa3e6e5fbecbf2f15891e5891f
Instruction ID: 07645d40165544146c73d4ab0a11663fb1560bc882c615451fc5ccb0955e9aee
Opcode Fuzzy Hash: 50c9316c7a64a3fc003ff8e16c469c4bd08ee8fa3e6e5fbecbf2f15891e5891f
Instruction Fuzzy Hash: 2451EA20E4878829FB35DBA088507EBBFB59F513A0F08459DDDC2571C3DA949A8CDB62

Function 00F45CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F45CE2
GetWindowRect.USER32(00000000,?), ref: 00F45CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F45D59
GetDlgItem.USER32(?,00000002), ref: 00F45D69
GetWindowRect.USER32(00000000,?), ref: 00F45D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F45DCF
GetDlgItem.USER32(?,000003E9), ref: 00F45DDD
GetWindowRect.USER32(00000000,?), ref: 00F45DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F45E31
GetDlgItem.USER32(?,000003EA), ref: 00F45E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F45E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F45E67

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 79aebb92e1670bf1a0a90f85b8b349e1612cab11f3d5f5a426afdb7cddca6da5
Instruction ID: d1212dc40d3580f48284692664b2fee3de348d8d4a575a6a0603f725aebca57e
Opcode Fuzzy Hash: 79aebb92e1670bf1a0a90f85b8b349e1612cab11f3d5f5a426afdb7cddca6da5
Instruction Fuzzy Hash: A8512C71E00609AFDF18DF68CD89AAEBBB5EF48710F108129F919E7291D7709E40DB91

Function 00EF8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EF8BE8,?,00000000,?,?,?,?,00EF8BBA,00000000,?), ref: 00EF8FC5

DestroyWindow.USER32(?), ref: 00EF8C81
KillTimer.USER32(00000000,?,?,?,?,00EF8BBA,00000000,?), ref: 00EF8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F36973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00EF8BBA,00000000,?), ref: 00F369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00EF8BBA,00000000,?), ref: 00F369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00EF8BBA,00000000), ref: 00F369D4
DeleteObject.GDI32(00000000), ref: 00F369E6

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 30c4f4256202c1c1f9c337aca574c0c3fb61bc44aacb6868aea34bd521de509a
Instruction ID: e9924c9f1217af058e96f366c7dd6068ea6338b88770be4ef685fc82e7097cbe
Opcode Fuzzy Hash: 30c4f4256202c1c1f9c337aca574c0c3fb61bc44aacb6868aea34bd521de509a
Instruction Fuzzy Hash: E961BC3150260CEFDB258F14CA98B75B7F1FB40326F50A61DE246AA560CB35A990EF92

Function 00EF9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9944: GetWindowLongW.USER32(?,000000EB), ref: 00EF9952

GetSysColor.USER32(0000000F), ref: 00EF9862

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 49d734db8f1a6e8c94c266ae0a8d94ca41b703641d8ff9ee78512c71ac433534
Instruction ID: 849e5054fb6c88d4edc26aed1104403226824ea518bc6ebec691091af5c12f53
Opcode Fuzzy Hash: 49d734db8f1a6e8c94c266ae0a8d94ca41b703641d8ff9ee78512c71ac433534
Instruction Fuzzy Hash: 7D410130100788AFDB345F389C88BB93BA5AB46370F184619FAE6971E2C3709C81EB51

Function 00F496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F2F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F49717
LoadStringW.USER32(00000000,?,00F2F7F8,00000001), ref: 00F49720

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F2F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F49742
LoadStringW.USER32(00000000,?,00F2F7F8,00000001), ref: 00F49745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F49866

Strings

Line %d (File "%s"):, xrefs: 00F4978F
^ ERROR, xrefs: 00F497FB
%s (%d) : ==> %s: %s %s, xrefs: 00F4984A
Line %d:, xrefs: 00F497A0
Error: , xrefs: 00F4981D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 82ff4acd703e988777dafe3a87f08ff2ba6cb062eb2cd30f8fab8006d4b54304
Instruction ID: e3a9b517bf3771e5921ccc5a5c3e48a87e4bd932672dc69630911282ab9ef19c
Opcode Fuzzy Hash: 82ff4acd703e988777dafe3a87f08ff2ba6cb062eb2cd30f8fab8006d4b54304
Instruction Fuzzy Hash: B6418E7290424DAACF04FBE1DD86EEEB7B8AF55340F601025F605B2092EB756F48DB61

Function 00F406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F40804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F4082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F40837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F4083C

Strings

\CLSID, xrefs: 00F40724
SOFTWARE\Classes\, xrefs: 00F4070E
\IPC$, xrefs: 00F40784

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f0d30254ea84e9a3289f76eb29931396d89509d0afc8e101bd9a92dc75ff6d84
Instruction ID: 4126df1a41cee0bfc97b793f7d40cd2d90ea96f48854af5db8db084d533008e7
Opcode Fuzzy Hash: f0d30254ea84e9a3289f76eb29931396d89509d0afc8e101bd9a92dc75ff6d84
Instruction Fuzzy Hash: 1D411872C1022DABCF15EBA4DC85CEEB7B8BF44750B144129E915B7161EB30AE44DBA1

Function 00F73F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F7403B
CreateCompatibleDC.GDI32(00000000), ref: 00F74042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F74055
SelectObject.GDI32(00000000,00000000), ref: 00F7405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F74068
DeleteDC.GDI32(00000000), ref: 00F74072
GetWindowLongW.USER32(?,000000EC), ref: 00F7407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00F74092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00F7409E

Strings

static, xrefs: 00F73FD3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c024a044fde792deea2e9a4c3429587aec22876653c946931cc3fe2db45dc909
Instruction ID: 2b2a0ffa5cef09a2d3f86061667ad500801dd54ebf840acabedec01bf571bcd9
Opcode Fuzzy Hash: c024a044fde792deea2e9a4c3429587aec22876653c946931cc3fe2db45dc909
Instruction Fuzzy Hash: 07317A32501219ABDF219FA4DC48FDA3BA9FF0D760F114216FA1CE60A0C775D851EBA2

Function 00F63C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F63C5C
CoInitialize.OLE32(00000000), ref: 00F63C8A
CoUninitialize.OLE32 ref: 00F63C94
_wcslen.LIBCMT ref: 00F63D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F63DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F63ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F63F0E
CoGetObject.OLE32(?,00000000,00F7FB98,?), ref: 00F63F2D
SetErrorMode.KERNEL32(00000000), ref: 00F63F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F63FC4
VariantClear.OLEAUT32(?), ref: 00F63FD8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d023b67c63faa51955f93c2b4f2e668f3925c30a39fee73a09749c86c610346f
Instruction ID: e58032f3b652e871de32922e4d9bbb0e7fa34a33c07729917fb692f662fb0a69
Opcode Fuzzy Hash: d023b67c63faa51955f93c2b4f2e668f3925c30a39fee73a09749c86c610346f
Instruction Fuzzy Hash: 52C16671A08305AFC700DF68C88492BBBE9FF89754F10491DF98A9B251DB31EE45DB92

Function 00F57A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F57AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F57B8F
SHGetDesktopFolder.SHELL32(?), ref: 00F57BA3
CoCreateInstance.OLE32(00F7FD08,00000000,00000001,00FA6E6C,?), ref: 00F57BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F57C74
CoTaskMemFree.OLE32(?,?), ref: 00F57CCC
SHBrowseForFolderW.SHELL32(?), ref: 00F57D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F57D7A
CoTaskMemFree.OLE32(00000000), ref: 00F57D81
CoTaskMemFree.OLE32(00000000), ref: 00F57DD6
CoUninitialize.OLE32 ref: 00F57DDC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 78ed10a225af0bb558077b1606b2001dc6dd4da4d438b957b33cc3a99ea91f9a
Instruction ID: 5147f03a4fe82ed3b3f7a7198940357dde95eaa8f362790c9ab37bfa6d94ede5
Opcode Fuzzy Hash: 78ed10a225af0bb558077b1606b2001dc6dd4da4d438b957b33cc3a99ea91f9a
Instruction Fuzzy Hash: D3C15D75A04209AFCB14DFA4D888DAEBBF9FF48315B148098E919EB361D730ED45DB90

Function 00F7541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F75504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F75515
CharNextW.USER32(00000158), ref: 00F75544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F75585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F7559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F755AC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: cf4866e25f511e8baf39f3709bd3d34c28cfa3f18d780c5012a94c656e679961
Instruction ID: ecd74588f2eb29acfcc049d1931140858ae983c23b0304608599912124033dac
Opcode Fuzzy Hash: cf4866e25f511e8baf39f3709bd3d34c28cfa3f18d780c5012a94c656e679961
Instruction Fuzzy Hash: 49619231900608AFDF10DF54CC94AFE7B79FB05B74F14814AF62DA6290D7B49A80EB62

Function 00F3FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F3FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F3FB08
VariantInit.OLEAUT32(?), ref: 00F3FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F3FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F3FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F3FBA1
VariantClear.OLEAUT32(?), ref: 00F3FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F3FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F3FBCC
VariantClear.OLEAUT32(?), ref: 00F3FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F3FBE9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e88fd1bb92fcc31c5d015e0288ee7aece5e34a0b30013710adad2b8d43310650
Instruction ID: dd60cefc5c7f293f7567f428b1bcb0baef0dcfe93f21f866c118599b2df8c308
Opcode Fuzzy Hash: e88fd1bb92fcc31c5d015e0288ee7aece5e34a0b30013710adad2b8d43310650
Instruction Fuzzy Hash: F7417F75E0021DDFCF00DF64DC589AEBBB9FF48354F008069E90AA7261CB34A949DB91

Function 00F49C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F49CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F49D22
GetKeyState.USER32(000000A0), ref: 00F49D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F49D57
GetKeyState.USER32(000000A1), ref: 00F49D6C
GetAsyncKeyState.USER32(00000011), ref: 00F49D84
GetKeyState.USER32(00000011), ref: 00F49D96
GetAsyncKeyState.USER32(00000012), ref: 00F49DAE
GetKeyState.USER32(00000012), ref: 00F49DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F49DD8
GetKeyState.USER32(0000005B), ref: 00F49DEA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 536166e6316a837de27ed27065475ffbb3dfa3dbc45c27560a0e80920e82e246
Instruction ID: f2d63533d81528b84ea510403d489f12c9e185095e5f71d19691bcaa1e36afa5
Opcode Fuzzy Hash: 536166e6316a837de27ed27065475ffbb3dfa3dbc45c27560a0e80920e82e246
Instruction Fuzzy Hash: E241A934F0C7CA69FF319B6088447A7BEB06B11364F08405EDEC6565C1DBE559C4E7A2

Function 00F6055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F605BC
inet_addr.WSOCK32(?), ref: 00F6061C
gethostbyname.WSOCK32(?), ref: 00F60628
IcmpCreateFile.IPHLPAPI ref: 00F60636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F607B9
WSACleanup.WSOCK32 ref: 00F607BF

Strings

Ping, xrefs: 00F60676

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7051278b916f97c34f0d6af8c782845a5179ae7e930f385a15234c17b66846ce
Instruction ID: 2cd253aa74afeb6e9a3aee735ef13869a39bf6c11db857b62b9f8fb241e6a269
Opcode Fuzzy Hash: 7051278b916f97c34f0d6af8c782845a5179ae7e930f385a15234c17b66846ce
Instruction Fuzzy Hash: C9919075A042419FD720CF15D488F1BBBE0AF44328F2485A9F46A9B6A2CB70ED45DF91

Function 00F68CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F68CF3

Part of subcall function 00F48E54: _wcslen.LIBCMT ref: 00F48E77

_wcslen.LIBCMT ref: 00F68D4E
_wcslen.LIBCMT ref: 00F68D9C
_wcslen.LIBCMT ref: 00F68DDC
_wcslen.LIBCMT ref: 00F68E6E

Strings

stdcall, xrefs: 00F68DD6, 00F68DDB
cdecl, xrefs: 00F68D48, 00F68D4D
none, xrefs: 00F68E65, 00F68E6A
winapi, xrefs: 00F68D96, 00F68D9B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2fa5c0854fab3185246bc7f5fc9daf35722793e5121c9cde74b62968fb18ab71
Instruction ID: 610561191cf9baf9c97a067c77f693588015248e6df24c080126a7a78fe85b89
Opcode Fuzzy Hash: 2fa5c0854fab3185246bc7f5fc9daf35722793e5121c9cde74b62968fb18ab71
Instruction Fuzzy Hash: 9C51C372A001169BCF24DFA8C9509BEB7A1BF643A0B24432DE926E72C1DB35DD41E790

Function 00F6372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F63774
CoUninitialize.OLE32 ref: 00F6377F
CoCreateInstance.OLE32(?,00000000,00000017,00F7FB78,?), ref: 00F637D9
IIDFromString.OLE32(?,?), ref: 00F6384C
VariantInit.OLEAUT32(?), ref: 00F638E4
VariantClear.OLEAUT32(?), ref: 00F63936

Strings

Failed to create object, xrefs: 00F637E4, 00F6389A
Invalid parameter, xrefs: 00F63865
NULL Pointer assignment, xrefs: 00F6381E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8e310d698ddbf6c764f3e861895a47dce4772fe8506bdedb764d6d77cc50592e
Instruction ID: 380fcb561f01c295e70a9e5d072fcd4506cb078102dca51a43d2dad2277f65dd
Opcode Fuzzy Hash: 8e310d698ddbf6c764f3e861895a47dce4772fe8506bdedb764d6d77cc50592e
Instruction Fuzzy Hash: 7061A172608301AFD310DF64C849FAABBE8EF49710F10491DF9859B291D770EE48EB92

Function 00F53388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F533CF

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F533F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00F53522
Line %d (File "%s"):, xrefs: 00F53443, 00F5345C
Incorrect parameters to object property !, xrefs: 00F534AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00F53504
^ ERROR , xrefs: 00F5349E
Error: , xrefs: 00F534D1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 42cd04780c54f2a941133206a281e38622ebd7ba6acfb563f747a88b2e1acf0d
Instruction ID: 26e31065301a228a484b573d5727454f5e77b3c0c10da8950f2c7783275f41dd
Opcode Fuzzy Hash: 42cd04780c54f2a941133206a281e38622ebd7ba6acfb563f747a88b2e1acf0d
Instruction Fuzzy Hash: B751BF72D0024DAADF15EBA0CD46EEEB7F8AF04340F245165F905B2062EB356F58EB61

Function 00F4B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F4B5FC
_wcslen.LIBCMT ref: 00F4B608
_wcslen.LIBCMT ref: 00F4B64D
_wcslen.LIBCMT ref: 00F4B68C
_wcslen.LIBCMT ref: 00F4B6C7

Strings

EXISTS, xrefs: 00F4B686, 00F4B68B
APPEND, xrefs: 00F4B6C1, 00F4B6C6
REMOVE, xrefs: 00F4B602, 00F4B607
KEYS, xrefs: 00F4B647, 00F4B64C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 95fc90b01dd64380d79e147854aab7628b870885e680e74f79fbc31fdb26de11
Instruction ID: 7c5f6ef6f1fc381da0682a3a670c0c7f74a1c6f0a183c1e743c026e54afc3c58
Opcode Fuzzy Hash: 95fc90b01dd64380d79e147854aab7628b870885e680e74f79fbc31fdb26de11
Instruction Fuzzy Hash: 7741E632E000269ACB209F7DCC905BE7FA5AFA1764B264169ED21D7286F735CD81E790

Function 00F55393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F55416
GetLastError.KERNEL32 ref: 00F55420
SetErrorMode.KERNEL32(00000000,READY), ref: 00F554A7

Strings

INVALID, xrefs: 00F55459
NOTREADY, xrefs: 00F5544B
READONLY, xrefs: 00F55452
READY, xrefs: 00F55460, 00F55468
UNKNOWN, xrefs: 00F55444

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7839ee811ff4d5786da26b08b5bd3aca02e334e6c51ea13b8ca7eb376a749d11
Instruction ID: 08470086fea80ecf0ee0022a8bcfa34500d60d202e327d0350dbc3b203bc91fe
Opcode Fuzzy Hash: 7839ee811ff4d5786da26b08b5bd3aca02e334e6c51ea13b8ca7eb376a749d11
Instruction Fuzzy Hash: C7311675E005089FD710DF68C4A4FA9BBF4EF05716F188069E905DB292D731DD8AEB90

Function 00F73C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F73C79
SetMenu.USER32(?,00000000), ref: 00F73C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F73D10
IsMenu.USER32(?), ref: 00F73D24
CreatePopupMenu.USER32 ref: 00F73D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F73D5B
DrawMenuBar.USER32 ref: 00F73D63

Strings

F, xrefs: 00F73D4E
0, xrefs: 00F73C54

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9900d494b5298e35869bb621889c13ddef02fdfd257f4a67b8ffdb94bd4128be
Instruction ID: 5602835432d99460cbd90f96dad590097b1f88ace8f7115b37ce397d285c3efb
Opcode Fuzzy Hash: 9900d494b5298e35869bb621889c13ddef02fdfd257f4a67b8ffdb94bd4128be
Instruction Fuzzy Hash: DF416975A01209EFDB24CF64D884AEA7BB5FF49350F18402DF94AA7360D771AA10EF91

Function 00F41EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F41F64
GetDlgCtrlID.USER32 ref: 00F41F6F
GetParent.USER32 ref: 00F41F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F41F8E
GetDlgCtrlID.USER32(?), ref: 00F41F97
GetParent.USER32(?), ref: 00F41FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F41FAE

Strings

ListBox, xrefs: 00F41F21
ComboBox, xrefs: 00F41EEC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 248ed1d62f478364dc6969d88dcc91d3a7aca9c0eb92ddef153dc5a647f69639
Instruction ID: 2a0bb7854edff2695b5e9d3079c405a1e41ccdfb113e1ec0bb46b00af50c329d
Opcode Fuzzy Hash: 248ed1d62f478364dc6969d88dcc91d3a7aca9c0eb92ddef153dc5a647f69639
Instruction Fuzzy Hash: D421B371900218BBCF14AFA0DC85AEEBBB4AF05350B100119B959672A1DB395959AB61

Function 00F41FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F42043
GetDlgCtrlID.USER32 ref: 00F4204E
GetParent.USER32 ref: 00F4206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F4206D
GetDlgCtrlID.USER32(?), ref: 00F42076
GetParent.USER32(?), ref: 00F4208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F4208D

Strings

ListBox, xrefs: 00F42002
ComboBox, xrefs: 00F41FCD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 5d782c1fd11224d90217b77af2f163095990b13d73a9839b24b60bb4b4b6ef97
Instruction ID: 5821e701e654032be2d8ffe88634dc787ebb75de9e90f81e002f302975e1db32
Opcode Fuzzy Hash: 5d782c1fd11224d90217b77af2f163095990b13d73a9839b24b60bb4b4b6ef97
Instruction Fuzzy Hash: 9521D1B1D00218BBCF14AFA4DC85EEEBFF8EF05340F100459B959A71A2DA798954EB61

Function 00F73A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F73A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F73AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F73AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F73AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F73B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F73BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F73BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F73BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F73BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F73C13

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 11f8ad7c1147f7e9efacb5eca62bd6fccf1b552dcbfa80b8540e52b0e2fd0cd3
Instruction ID: a6353806f513f320fed04c36b30feac712f478a678e88bd14a42c75ecdb6b645
Opcode Fuzzy Hash: 11f8ad7c1147f7e9efacb5eca62bd6fccf1b552dcbfa80b8540e52b0e2fd0cd3
Instruction Fuzzy Hash: 73617B75900248AFDB11DFA8CC81EEE77F8EB49710F10419AFA19A72A1C774AE41EF51

Function 00F12C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F12C94

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F12CA0
_free.LIBCMT ref: 00F12CAB
_free.LIBCMT ref: 00F12CB6
_free.LIBCMT ref: 00F12CC1
_free.LIBCMT ref: 00F12CCC
_free.LIBCMT ref: 00F12CD7
_free.LIBCMT ref: 00F12CE2
_free.LIBCMT ref: 00F12CED
_free.LIBCMT ref: 00F12CFB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1eeda1f2c8f7a18585678792894bf7643cc7b3d84d7c5650ac8177c7c0010e9
Instruction ID: a2e788d22c00b383658ac79d5fb4c3d9bbf4ef0144ffa326f27f6b69e647bfe5
Opcode Fuzzy Hash: a1eeda1f2c8f7a18585678792894bf7643cc7b3d84d7c5650ac8177c7c0010e9
Instruction Fuzzy Hash: 69114676510108AFCB42EF98DD42CDD3BB5FF05360F9145A5FA485F222D635EAA0BB90

Function 00F57DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F57FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F57FC1
GetFileAttributesW.KERNEL32(?), ref: 00F57FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F58005
SetCurrentDirectoryW.KERNEL32(?), ref: 00F58017
SetCurrentDirectoryW.KERNEL32(?), ref: 00F58060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F580B0

Strings

*.*, xrefs: 00F58066

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 2ec575249a3bfc676c853eee350344cf6574233a743b74193b3c78dc8c5ab76f
Instruction ID: bbfed399b628f44fbdc0cf9476a3a95615a1609ab55b4cf1f8d0c4629f9213a3
Opcode Fuzzy Hash: 2ec575249a3bfc676c853eee350344cf6574233a743b74193b3c78dc8c5ab76f
Instruction Fuzzy Hash: FA81C0729083459BCB20EF14D841AAAB3E8BF84321F14485EFE85D7250EB74DD49EB92

Function 00EE5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EE5C7A

Part of subcall function 00EE5D0A: GetClientRect.USER32(?,?), ref: 00EE5D30
Part of subcall function 00EE5D0A: GetWindowRect.USER32(?,?), ref: 00EE5D71
Part of subcall function 00EE5D0A: ScreenToClient.USER32(?,?), ref: 00EE5D99

GetDC.USER32 ref: 00F246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F24708
SelectObject.GDI32(00000000,00000000), ref: 00F24716
SelectObject.GDI32(00000000,00000000), ref: 00F2472B
ReleaseDC.USER32(?,00000000), ref: 00F24733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F247C4

Strings

U, xrefs: 00F24693

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e24da9897ce6d02185b95f99bcc140403c930556ed6d90241eb0a37739ef4ae3
Instruction ID: 789906f1c833622861af9b1797ae71b89528b6d33800f577dc5440db1d690aad
Opcode Fuzzy Hash: e24da9897ce6d02185b95f99bcc140403c930556ed6d90241eb0a37739ef4ae3
Instruction Fuzzy Hash: 5B710431900209DFCF218F64DD94AFA7BB1FF46324F244269ED656A1A6C371AC81EF51

Function 00F5359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F535E4

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

LoadStringW.USER32(00FB2390,?,00000FFF,?), ref: 00F5360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00F53742
Line %d (File "%s"):, xrefs: 00F5366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00F53724
^ ERROR, xrefs: 00F536C9
Error: , xrefs: 00F536EF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ae6ca4cbd821823cfe4bf841123f01842fc9d5cfdb4150985726eb6196b70060
Instruction ID: 70ce89881a667fbde0172ce48a80f9668fbff7d2b955ef4b293213e85237c5af
Opcode Fuzzy Hash: ae6ca4cbd821823cfe4bf841123f01842fc9d5cfdb4150985726eb6196b70060
Instruction Fuzzy Hash: 4351AF71C0024DAACF15EBA1DC42EEEBBB8AF04340F145125F505720A2EB305A99EFA1

Function 00F78B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

Part of subcall function 00EF912D: GetCursorPos.USER32(?), ref: 00EF9141
Part of subcall function 00EF912D: ScreenToClient.USER32(00000000,?), ref: 00EF915E
Part of subcall function 00EF912D: GetAsyncKeyState.USER32(00000001), ref: 00EF9183
Part of subcall function 00EF912D: GetAsyncKeyState.USER32(00000002), ref: 00EF919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00F78B6B
ImageList_EndDrag.COMCTL32 ref: 00F78B71
ReleaseCapture.USER32 ref: 00F78B77
SetWindowTextW.USER32(?,00000000), ref: 00F78C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F78C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00F78CFF

Strings

@GUI_DROPID, xrefs: 00F78C51
@GUI_DRAGFILE, xrefs: 00F78C9A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 511256a343fb82c782021e35d0489636c5efe5b004f0960d53de4373736e218e
Instruction ID: 1e9c35156ead799cf568eca18e5f9810543e54fc0c056aa473f518adfc7bdedd
Opcode Fuzzy Hash: 511256a343fb82c782021e35d0489636c5efe5b004f0960d53de4373736e218e
Instruction Fuzzy Hash: 5751B071504348AFD700EF14DC99FAA77E4FB88750F40062DF959672E2CB319944DBA2

Function 00F5C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F5C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F5C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F5C2CA
GetLastError.KERNEL32 ref: 00F5C322
SetEvent.KERNEL32(?), ref: 00F5C336
InternetCloseHandle.WININET(00000000), ref: 00F5C341

Strings

, xrefs: 00F5C2BB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4113acea94c3767bbc3aaadf060b66e8292928e1dfafd154e703d8ed2a6bb2fa
Instruction ID: eaf45b67db1a0f7c21d550f73435160889e7e0397394d431edfebd359230bc8b
Opcode Fuzzy Hash: 4113acea94c3767bbc3aaadf060b66e8292928e1dfafd154e703d8ed2a6bb2fa
Instruction Fuzzy Hash: 60318DB1600708AFD7219F648C88AAB7BFCEB49751F10851DF94BD2200DB34DD49ABE1

Function 00F4989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F23AAF,?,?,Bad directive syntax error,00F7CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F498BC
LoadStringW.USER32(00000000,?,00F23AAF,?), ref: 00F498C3

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F49987

Strings

Line %d (File "%s"):, xrefs: 00F4992D
%s (%d) : ==> %s.: %s %s, xrefs: 00F498F1
Error: , xrefs: 00F49955
., xrefs: 00F4996D
Line %d:, xrefs: 00F49912

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 55e0caf5c1ef0952e12ad7f768cb569da6d76aebe609f497a977343621f90047
Instruction ID: c38d356113cd1aae5b6d1253caa8854f7601dfaa96eceaeafa21b8e4b82855eb
Opcode Fuzzy Hash: 55e0caf5c1ef0952e12ad7f768cb569da6d76aebe609f497a977343621f90047
Instruction Fuzzy Hash: 1521713190025DABCF15AF90CC0AEEE7BB5FF18300F045429F915760A2EB759A58EB61

Function 00F4209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F4214D

Strings

list, xrefs: 00F4212F
details, xrefs: 00F420FB
largeicons, xrefs: 00F420E1
smallicons, xrefs: 00F42115
SHELLDLL_DefView, xrefs: 00F420CC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: dbf9c9a3964af09cbd11c2b7bbc9bd49b6aa9dcc5ad9357a3726805c25930af0
Instruction ID: ef0dec41b07e5b269f5f7dddd1d14b9c20580d2651242bf42f4618d57199d945
Opcode Fuzzy Hash: dbf9c9a3964af09cbd11c2b7bbc9bd49b6aa9dcc5ad9357a3726805c25930af0
Instruction Fuzzy Hash: 7E1120B7684706B5F6013624DC07DE63B9CCF45775B600076FF04A50E1FE69A8817555

Function 00F18D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5dd02e53e89a5b6d350c441deecec4229fbf7d63e028ded75609c0be08bd90
Instruction ID: eb18226261a3478292056f5bfea4c3e84cd7c82b79c98f3773f2b17b7da8fc46
Opcode Fuzzy Hash: 8d5dd02e53e89a5b6d350c441deecec4229fbf7d63e028ded75609c0be08bd90
Instruction Fuzzy Hash: 34C1F575E082499FDB21DFA8CC51BEDBBB0BF0D320F044159E414A7392C7759982EBA1

Function 00F1CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F1CEB7
_free.LIBCMT ref: 00F1CF22
_free.LIBCMT ref: 00F1CF48
_free.LIBCMT ref: 00F1CF71
_free.LIBCMT ref: 00F1CFA9
_free.LIBCMT ref: 00F1CFDA
_free.LIBCMT ref: 00F1D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F1D09C
_free.LIBCMT ref: 00F1D0B5

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5f7d9f43d3b5f2e3a6f9a99bb76d925d7b02fceb6e0f279059fb7f787ea8aecf
Instruction ID: c13933f01c050683e1cb5f8331cf6c350b805a52fa96456f12eba71e86efa7fb
Opcode Fuzzy Hash: 5f7d9f43d3b5f2e3a6f9a99bb76d925d7b02fceb6e0f279059fb7f787ea8aecf
Instruction Fuzzy Hash: AB611771D44304AFDB21AFF89C81AEA7BA5AF09730F04416DF94497281DB359982F7A0

Function 00F750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F75186
ShowWindow.USER32(?,00000000), ref: 00F751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F751D1

Part of subcall function 00F76FBA: DeleteObject.GDI32(00000000), ref: 00F76FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F7520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F7521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F7524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F75287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F75296

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 93cad066a1adc0d71a6ab571aa11460922f7fb03259b6c588da4f7321c964cb3
Instruction ID: c82665be0d86d52a074a221faccd09d57d345bfeb6884dda9dba5f83962f8c27
Opcode Fuzzy Hash: 93cad066a1adc0d71a6ab571aa11460922f7fb03259b6c588da4f7321c964cb3
Instruction Fuzzy Hash: C3519331A40A08BEEF209F64CC45BD83B65EB05B21F54C117F61D962E1C7F5A990FB42

Function 00EF8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F36890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00EF8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F36901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F3691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00EF8874,00000000,00000000,00000000,000000FF,00000000), ref: 00F3692D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b528592adcbbcfbaac1424da2eef7aaa5da0d89076d547c8075f1af719ffa7a9
Instruction ID: 03366b1dcebe767a7ecced9ab3c1645e0f428edf1ef0f297408d4bbe9ba40fc9
Opcode Fuzzy Hash: b528592adcbbcfbaac1424da2eef7aaa5da0d89076d547c8075f1af719ffa7a9
Instruction Fuzzy Hash: 01516B74A00209AFDB20CF25CC95FAA7BB5FF48760F105518FA56E72A0DB70E990EB50

Function 00F5C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F5C182
GetLastError.KERNEL32 ref: 00F5C195
SetEvent.KERNEL32(?), ref: 00F5C1A9

Part of subcall function 00F5C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F5C272
Part of subcall function 00F5C253: GetLastError.KERNEL32 ref: 00F5C322
Part of subcall function 00F5C253: SetEvent.KERNEL32(?), ref: 00F5C336
Part of subcall function 00F5C253: InternetCloseHandle.WININET(00000000), ref: 00F5C341

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 6a768f09a05bcc29eb227a878cc1d3a4f2d5627e94f0424c9b8eafee942a0fe4
Instruction ID: c4de6b1c93950c43a4c9cb3014cefaece0754339029796169d2c520a17533f82
Opcode Fuzzy Hash: 6a768f09a05bcc29eb227a878cc1d3a4f2d5627e94f0424c9b8eafee942a0fe4
Instruction Fuzzy Hash: A2317A71600B05AFDB219FA5DC44A66BBE9FF18312F00442DFA5B86611DB30E858FBE1

Function 00F425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F43A57
Part of subcall function 00F43A3D: GetCurrentThreadId.KERNEL32 ref: 00F43A5E
Part of subcall function 00F43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F425B3), ref: 00F43A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F42601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F42605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F42623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F42627

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: eee6dd6fa2ec5a6527efe6c0effbcb64e496701ac96acd89a341d9304f80e434
Instruction ID: 8240592f0b2e7048eb8f549df9eddc3a5fcffc22acd403259b8edd2d936d286c
Opcode Fuzzy Hash: eee6dd6fa2ec5a6527efe6c0effbcb64e496701ac96acd89a341d9304f80e434
Instruction Fuzzy Hash: 2601D431390214BBFB1067699C8AF593F59DF4EB22F500019F71CAE0D1C9F22484EAAA

Function 00F41803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F41449,?,?,00000000), ref: 00F4180C
HeapAlloc.KERNEL32(00000000,?,00F41449,?,?,00000000), ref: 00F41813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F41449,?,?,00000000), ref: 00F41828
GetCurrentProcess.KERNEL32(?,00000000,?,00F41449,?,?,00000000), ref: 00F41830
DuplicateHandle.KERNEL32(00000000,?,00F41449,?,?,00000000), ref: 00F41833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F41449,?,?,00000000), ref: 00F41843
GetCurrentProcess.KERNEL32(00F41449,00000000,?,00F41449,?,?,00000000), ref: 00F4184B
DuplicateHandle.KERNEL32(00000000,?,00F41449,?,?,00000000), ref: 00F4184E
CreateThread.KERNEL32(00000000,00000000,00F41874,00000000,00000000,00000000), ref: 00F41868

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: fb3ea3b686da4e1068d3d5c6228fc12ea8454a407e21b8da93d5fdde5dbfbfd6
Instruction ID: 364ebce219700f74c72797fc47eec6ea71092bbb2e02eb8f80a5fe7b4357fd9b
Opcode Fuzzy Hash: fb3ea3b686da4e1068d3d5c6228fc12ea8454a407e21b8da93d5fdde5dbfbfd6
Instruction Fuzzy Hash: 8401BF75240308BFE710AB65DC4DF573B6DEB89B11F404425FA05DB192CAB09840DB61

Function 00F6A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F4D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F4D501
Part of subcall function 00F4D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F4D50F
Part of subcall function 00F4D4DC: CloseHandle.KERNELBASE(00000000), ref: 00F4D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6A16D
GetLastError.KERNEL32 ref: 00F6A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F6A268
GetLastError.KERNEL32(00000000), ref: 00F6A273
CloseHandle.KERNEL32(00000000), ref: 00F6A2C4

Strings

SeDebugPrivilege, xrefs: 00F6A18F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3215a8b8d420d231887b4ce7497294efd20d9e04356759938bce848d43d39d04
Instruction ID: c07282ebe0cb86441d0eaa2df3fedf1abb1aa76091390f3c0213dbebcea8c5e6
Opcode Fuzzy Hash: 3215a8b8d420d231887b4ce7497294efd20d9e04356759938bce848d43d39d04
Instruction Fuzzy Hash: 0B61C0316042429FD720DF19C894F16BBE1AF44318F18849CE46A9B7A3C776EC85DF92

Function 00F73886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F73925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F7393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F73954
_wcslen.LIBCMT ref: 00F73999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F739F4

Strings

SysListView32, xrefs: 00F738F7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 4f08b2a49910b43d0a34232ca3755bdfb55f47f4359e96056753751a1d928806
Instruction ID: ccee3434dee3fdafa3d05e8d847f81e12378e2d813cf48383acb257bcaacc4a7
Opcode Fuzzy Hash: 4f08b2a49910b43d0a34232ca3755bdfb55f47f4359e96056753751a1d928806
Instruction Fuzzy Hash: 69418271A00219BBEB219F64CC45FEA77A9FF08360F10452AF95CE7281D775DA80EB91

Function 00F4BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F4BCFD
IsMenu.USER32(00000000), ref: 00F4BD1D
CreatePopupMenu.USER32 ref: 00F4BD53
GetMenuItemCount.USER32(010F6158), ref: 00F4BDA4
InsertMenuItemW.USER32(010F6158,?,00000001,00000030), ref: 00F4BDCC

Strings

0, xrefs: 00F4BCA8
2, xrefs: 00F4BD37

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 37496831e0c1e61554009bb5dae12e62906e40d6d4975428e6d552aab9fcf0cd
Instruction ID: b7e0516df37b1557c3c2655036c42da9fbef3846fb71aaabb624f5a175d71c5a
Opcode Fuzzy Hash: 37496831e0c1e61554009bb5dae12e62906e40d6d4975428e6d552aab9fcf0cd
Instruction Fuzzy Hash: B7519C70E002099BDF20CFA8D888BAEBFF4AF45324F1441A9ED1597292E774D945EB61

Function 00F4C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F4C913

Strings

blank, xrefs: 00F4C895
stop, xrefs: 00F4C8E4
question, xrefs: 00F4C8CC
warning, xrefs: 00F4C8FC
info, xrefs: 00F4C8B4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e840f80c5f79e9234b73f6d78b05ca201af51f3aa1c9c81e7cdd950f76c44c50
Instruction ID: 599cfd2a75720b594827eeca5d92003da083765d6ebb6bd7265158a5967a55c1
Opcode Fuzzy Hash: e840f80c5f79e9234b73f6d78b05ca201af51f3aa1c9c81e7cdd950f76c44c50
Instruction Fuzzy Hash: 11110072B9A306BAE7056B54DC83DAA7F9CDF15764B10102EFD00E61C1EB78AD4072E5

Function 00F4DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F4DE42
gethostname.WSOCK32(?,00000100), ref: 00F4DE5C
gethostbyname.WSOCK32(?), ref: 00F4DE69
inet_ntoa.WSOCK32(?), ref: 00F4DEAB
_strcat.LIBCMT ref: 00F4DEB9
WSACleanup.WSOCK32 ref: 00F4DEDE

Strings

0.0.0.0, xrefs: 00F4DE87

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 0e8776baa77b211f36ac3ff81ea059726f5a90b3247a1cd6fecc013c6d4b2f83
Instruction ID: 628480d48caee43a0a5a14cb4b0882b08deb3b5b9b65015c035f290abce6387c
Opcode Fuzzy Hash: 0e8776baa77b211f36ac3ff81ea059726f5a90b3247a1cd6fecc013c6d4b2f83
Instruction Fuzzy Hash: BD110671904109AFCB24AB60DC4AEEE7BACDF11720F00017DF909A60D1EF74DA81BB92

Function 00F79F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

GetSystemMetrics.USER32(0000000F), ref: 00F79FC7
GetSystemMetrics.USER32(0000000F), ref: 00F79FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F7A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F7A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F7A263
ShowWindow.USER32(00000003,00000000), ref: 00F7A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00F7A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F7A2CA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9a60bc167883f0e8d86489dfa86eca6b514f2187f0c160f022b236b71e083731
Instruction ID: fe8040529f6d8164f6db6a54a64ac736f13c2463bd30300e7ae135a92159ac8f
Opcode Fuzzy Hash: 9a60bc167883f0e8d86489dfa86eca6b514f2187f0c160f022b236b71e083731
Instruction Fuzzy Hash: 6EB1AE31A00219DFDF14CF68C9857AE7BB2BF84711F09C06AEC499B295D771A940EB52

Function 00F4ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F4ED2A
_wcslen.LIBCMT ref: 00F4ED3B
_wcslen.LIBCMT ref: 00F4ED79
_wcslen.LIBCMT ref: 00F4EDAF
_wcslen.LIBCMT ref: 00F4EDDF
_wcslen.LIBCMT ref: 00F4EDEF
_wcslen.LIBCMT ref: 00F4EE2B
_wcslen.LIBCMT ref: 00F4EE5A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4c7a0493f36f82385bebfc22ceba219d21ccb0e939d2066da1fe9eb0a7583619
Instruction ID: 7e1b7fda5252e44fd19d5762e3da7a1c6c55ce5715952ac6656c9c676b2a7442
Opcode Fuzzy Hash: 4c7a0493f36f82385bebfc22ceba219d21ccb0e939d2066da1fe9eb0a7583619
Instruction Fuzzy Hash: 5741A365C1021875CB11EBF4CC8A9CFB7B9AF45710F508466E918E3162FB38E255E3E6

Function 00EFF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F3682C,00000004,00000000,00000000), ref: 00EFF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F3682C,00000004,00000000,00000000), ref: 00F3F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F3682C,00000004,00000000,00000000), ref: 00F3F454

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: af36bef1508089bdbe54cc6d3e52c1b0fc1c1d830e3f509a66f3970ead99af07
Instruction ID: 1084bd828f6159fd30aa5b66c8df55599e8c3301fc7a90ec0fc8e673a605eca6
Opcode Fuzzy Hash: af36bef1508089bdbe54cc6d3e52c1b0fc1c1d830e3f509a66f3970ead99af07
Instruction Fuzzy Hash: 3541523190468CBBC7388B69C88877A7BA17FD5324F54603DE28B73570C6B2D984EB51

Function 00F72D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F72D1B
GetDC.USER32(00000000), ref: 00F72D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F72D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F72D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F72D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F72D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F75A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F72DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F72DE1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6fc2976e06b14981e5b74a9991e3ce4fc4a13e93de257a065c0d17e57549b111
Instruction ID: d0d443c55517473a92674d2df81c99c65a476220fc98690bced4772ceb314478
Opcode Fuzzy Hash: 6fc2976e06b14981e5b74a9991e3ce4fc4a13e93de257a065c0d17e57549b111
Instruction Fuzzy Hash: D7319F72201214BFEB214F50CC89FEB3BA9EF09721F044059FE0CDA291C6759C81D7A1

Function 00F45622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F45637
_memcmp.LIBVCRUNTIME ref: 00F45659
_memcmp.LIBVCRUNTIME ref: 00F45671
_memcmp.LIBVCRUNTIME ref: 00F45684
_memcmp.LIBVCRUNTIME ref: 00F4569E
_memcmp.LIBVCRUNTIME ref: 00F456B1
_memcmp.LIBVCRUNTIME ref: 00F456C9
_memcmp.LIBVCRUNTIME ref: 00F456E4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dedf44503e7a53af03dcdb6a506b76d01953f7d0c28325e196df580f5e1b631f
Instruction ID: 2e7c86d5be017ba6abc7165530b199f845565238079159e7e2c453113a520f13
Opcode Fuzzy Hash: dedf44503e7a53af03dcdb6a506b76d01953f7d0c28325e196df580f5e1b631f
Instruction Fuzzy Hash: 6321F662A40A097BD21576208E82FFA375CBF21B94F454031FD099A683F724EE15F5A6

Function 00F64FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F65007
NULL Pointer assignment, xrefs: 00F6502E, 00F65383

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1c4dea7b7a25a2e42558968fef935b78133e692ef262553a2cdd4a4fa89e869c
Instruction ID: 9c94ebf50660a6ce0cf66ddb6b4a7aefb5415a8cb4ca99b04092203702b0367f
Opcode Fuzzy Hash: 1c4dea7b7a25a2e42558968fef935b78133e692ef262553a2cdd4a4fa89e869c
Instruction Fuzzy Hash: FAD1AE71E0060AAFDF10CFA8C881BAEB7B5BF48B54F148069E915BB281E771DD45DB90

Function 00F21522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F215CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F21651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F217FB,?,00F217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F216E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F216FB

Part of subcall function 00F13820: RtlAllocateHeap.NTDLL(00000000,?,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6,?,00EE1129), ref: 00F13852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F21777
__freea.LIBCMT ref: 00F217A2
__freea.LIBCMT ref: 00F217AE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a49ae2996c3076ba27d6455a0675a5f84e124134930df1b160acde69afb8b302
Instruction ID: 83d37270c7e7ab043bfb437e3f934755d953d6284074d2300920f7f7f519aa38
Opcode Fuzzy Hash: a49ae2996c3076ba27d6455a0675a5f84e124134930df1b160acde69afb8b302
Instruction Fuzzy Hash: 5891D772E002269FDF208E74EC52AEE7BB5BFA5320F184669E805E7141D735CD40E7A4

Function 00F64523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F64648
VariantInit.OLEAUT32(?), ref: 00F64749
VariantClear.OLEAUT32(?), ref: 00F64753
VariantClear.OLEAUT32(?), ref: 00F647B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F645D8, 00F64706, 00F647BE
Incorrect Object type in FOR..IN loop, xrefs: 00F6472C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 68a695c305d1a92cbc4ae58535ef46d479a190387dbfb4ff0812617cf5f9b432
Instruction ID: f77a851b01ab0732e285004055a5235653d9e6eadbfdf73de25669adcaead189
Opcode Fuzzy Hash: 68a695c305d1a92cbc4ae58535ef46d479a190387dbfb4ff0812617cf5f9b432
Instruction Fuzzy Hash: F4917F71E00219ABDF20EFA5CC44FAEBBB8EF46720F108559F505AB281D770A945DBA0

Function 00F51187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F5125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F51284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F5135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F51430

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b0d03cadb7fb77e53ac7bbc1d2ac6f56371f2980f3b05b186cc12eddd1cc7143
Instruction ID: a82b74bccfeb3398bbe5da2e09ce5bfd2c088f5a39dcd253ad983e271ad47aa7
Opcode Fuzzy Hash: b0d03cadb7fb77e53ac7bbc1d2ac6f56371f2980f3b05b186cc12eddd1cc7143
Instruction Fuzzy Hash: 6D91D372E00209AFDB00DF94C885BBE77B5FF45326F104129EA10E7291D779B949EB90

Function 00EF948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: de910b4ee4393903b1c24b7fc0c8ca85a0d08f66e59cc1ab68596fe73cf87522
Instruction ID: 97e46e7a6e64e77f05baf3c1f8484868602ea0811a960c3e03fda1dc70672e20
Opcode Fuzzy Hash: de910b4ee4393903b1c24b7fc0c8ca85a0d08f66e59cc1ab68596fe73cf87522
Instruction Fuzzy Hash: 14913771D00219EFCB14DFA9CC84AEEBBB8FF49320F148059E655B7252D374A941DBA0

Function 00F63947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F6396B
CharUpperBuffW.USER32(?,?), ref: 00F63A7A
_wcslen.LIBCMT ref: 00F63A8A
VariantClear.OLEAUT32(?), ref: 00F63C1F

Part of subcall function 00F50CDF: VariantInit.OLEAUT32(00000000), ref: 00F50D1F
Part of subcall function 00F50CDF: VariantCopy.OLEAUT32(?,?), ref: 00F50D28
Part of subcall function 00F50CDF: VariantClear.OLEAUT32(?), ref: 00F50D34

Strings

AUTOIT.ERROR, xrefs: 00F63A80, 00F63A85
Incorrect Parameter format, xrefs: 00F639A6, 00F63BA1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e85e27466884eb7d176ad22ab1ce0b066ceae639080f71012e167558b1385234
Instruction ID: e1a9e0cc8d37eeb45c98fe009e7d28bba526593ccc7a8bdc018a6eae8c3260f9
Opcode Fuzzy Hash: e85e27466884eb7d176ad22ab1ce0b066ceae639080f71012e167558b1385234
Instruction Fuzzy Hash: D4918975A083459FC704EF64C48092AB7E5FF89314F14892DF88A9B352DB35EE45EB82

Function 00F64BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F4000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?,?,00F4035E), ref: 00F4002B
Part of subcall function 00F4000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?), ref: 00F40046
Part of subcall function 00F4000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?), ref: 00F40054
Part of subcall function 00F4000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?), ref: 00F40064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F64C51
_wcslen.LIBCMT ref: 00F64D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F64DCF
CoTaskMemFree.OLE32(?), ref: 00F64DDA

Strings

NULL Pointer assignment, xrefs: 00F64E23, 00F64E52

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6e6d407a18e0dd206f2c262b46f17143996a45787b7fca7aa3ca53d52bef2f09
Instruction ID: d05bad9d65a97891527dc3fb801c4244de5111784b227a2c69a9c261b430ef41
Opcode Fuzzy Hash: 6e6d407a18e0dd206f2c262b46f17143996a45787b7fca7aa3ca53d52bef2f09
Instruction Fuzzy Hash: 01912671D0021DAFDF14EFA4D890AEEB7B9BF08310F108169E915B7291DB34AA449FA1

Function 00F720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F72183
GetMenuItemCount.USER32(00000000), ref: 00F721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F721DD
_wcslen.LIBCMT ref: 00F72213
GetMenuItemID.USER32(?,?), ref: 00F7224D
GetSubMenu.USER32(?,?), ref: 00F7225B

Part of subcall function 00F43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F43A57
Part of subcall function 00F43A3D: GetCurrentThreadId.KERNEL32 ref: 00F43A5E
Part of subcall function 00F43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F425B3), ref: 00F43A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F722E3

Part of subcall function 00F4E97B: Sleep.KERNEL32 ref: 00F4E9F3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f7f0be74b89198037679c8f8d3b1dceae59f903a850b41fccb15cad985c7ca28
Instruction ID: b6105c937cb4d0b66ac4983cb0c7c284541afba20f4d2401b039d5c42ff93d28
Opcode Fuzzy Hash: f7f0be74b89198037679c8f8d3b1dceae59f903a850b41fccb15cad985c7ca28
Instruction Fuzzy Hash: 94717E75E00209AFCB50DF65C885AAEB7F1FF48320F14845AE91AEB352D734EA41DB91

Function 00F77E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010F61F8), ref: 00F77F37
IsWindowEnabled.USER32(010F61F8), ref: 00F77F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F7801E
SendMessageW.USER32(010F61F8,000000B0,?,?), ref: 00F78051
IsDlgButtonChecked.USER32(?,?), ref: 00F78089
GetWindowLongW.USER32(010F61F8,000000EC), ref: 00F780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F780C3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 626fa01b668e3e2375a942e0e7871fd9237d5ac79878988f352cd3b0dc5ccadf
Instruction ID: 79ad8db7d13d5624768ad22e6353e6d3e9f2492508d5eeaad734acb22bef6005
Opcode Fuzzy Hash: 626fa01b668e3e2375a942e0e7871fd9237d5ac79878988f352cd3b0dc5ccadf
Instruction Fuzzy Hash: 4F71C134A08344AFEB20AF64CDD4FEA7BB5FF09350F14845AE95D53261CB31A845EB92

Function 00F4AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F4AEF9
GetKeyboardState.USER32(?), ref: 00F4AF0E
SetKeyboardState.USER32(?), ref: 00F4AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F4AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F4AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F4AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F4B020

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d4ed12ca2fd8663c297a4fc0e81b17b44c8331cb4727db79cd2672f2d7668f53
Instruction ID: 0d71dba6623631103c223410244720b1cd50b63076cbe0986e510dadff9769a7
Opcode Fuzzy Hash: d4ed12ca2fd8663c297a4fc0e81b17b44c8331cb4727db79cd2672f2d7668f53
Instruction Fuzzy Hash: E751D3A0A447D53DFB3682388C45BBB7EE95B06324F088489E9E9454C3D3D8EDC8E751

Function 00F4ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F4AD19
GetKeyboardState.USER32(?), ref: 00F4AD2E
SetKeyboardState.USER32(?), ref: 00F4AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F4ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F4ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F4AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F4AE38

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 586c89406917aec8b7cd9bbb235fdba6cbd641a36e1a8dbdc144efb96a6bd25b
Instruction ID: 952d6c3db46805fb6133851a632e3afb6cc30635bbd143c83fba9194b7d09e0c
Opcode Fuzzy Hash: 586c89406917aec8b7cd9bbb235fdba6cbd641a36e1a8dbdc144efb96a6bd25b
Instruction Fuzzy Hash: 065107A1D887D53DFB3783358C85B7A7EA85F45310F088488E9E9468C3D298ED94F752

Function 00F1542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F23CD6,?,?,?,?,?,?,?,?,00F15BA3,?,?,00F23CD6,?,?), ref: 00F15470
__fassign.LIBCMT ref: 00F154EB
__fassign.LIBCMT ref: 00F15506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F23CD6,00000005,00000000,00000000), ref: 00F1552C
WriteFile.KERNEL32(?,00F23CD6,00000000,00F15BA3,00000000,?,?,?,?,?,?,?,?,?,00F15BA3,?), ref: 00F1554B
WriteFile.KERNEL32(?,?,00000001,00F15BA3,00000000,?,?,?,?,?,?,?,?,?,00F15BA3,?), ref: 00F15584

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6c032b6b01e7808d9e41ab6f453cebdd4eadc9be59a9c89d339847ff3441fd36
Instruction ID: 6949d192532409c76cd4829e731aa1eaf9ea5301744b208c2c8f4e818962d50b
Opcode Fuzzy Hash: 6c032b6b01e7808d9e41ab6f453cebdd4eadc9be59a9c89d339847ff3441fd36
Instruction Fuzzy Hash: 9C51C1B1A00608DFDB10CFA8D881AEEBBFAEF49710F18411AE555E7291D7309A81DB60

Function 00F02D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F02D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F02D53
_ValidateLocalCookies.LIBCMT ref: 00F02DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F02E0C
_ValidateLocalCookies.LIBCMT ref: 00F02E61

Strings

csm, xrefs: 00F02DF6

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4abca7b9bbafe2f599d5cf59432af13454a391487be1b1ece7362df01411466a
Instruction ID: 39af78fa1831fb024f7e2e3bb6bb786555fb1df19da7d8c4a652a955047d4ec6
Opcode Fuzzy Hash: 4abca7b9bbafe2f599d5cf59432af13454a391487be1b1ece7362df01411466a
Instruction Fuzzy Hash: 2541B035E01209ABCF50DF68CC49A9EBBA5BF44324F148155E814AB3D2DB35AE05FBE1

Function 00F610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F6307A
Part of subcall function 00F6304E: _wcslen.LIBCMT ref: 00F6309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F61112
WSAGetLastError.WSOCK32 ref: 00F61121
WSAGetLastError.WSOCK32 ref: 00F611C9
closesocket.WSOCK32(00000000), ref: 00F611F9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d458596d51f9caa5e4545ffeaf92a9aaf8240d599d661de22be78801df63469b
Instruction ID: ab7bb6b88aaeacc475e5b14a243d0bec5141a65943933397dcb01a150d286e8b
Opcode Fuzzy Hash: d458596d51f9caa5e4545ffeaf92a9aaf8240d599d661de22be78801df63469b
Instruction Fuzzy Hash: 8241E531600208AFDB109F14C885BAAB7E9FF46324F188059FD19AB292C774ED81DBE1

Function 00F4CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F4CF22,?), ref: 00F4DDFD

Part of subcall function 00F4DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F4CF22,?), ref: 00F4DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F4CF45
MoveFileW.KERNEL32(?,?), ref: 00F4CF7F
_wcslen.LIBCMT ref: 00F4D005
_wcslen.LIBCMT ref: 00F4D01B
SHFileOperationW.SHELL32(?), ref: 00F4D061

Strings

\*.*, xrefs: 00F4CFF3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 192c1bd665a13e7372bf17aab3d258d8258ee6787b804039506e4dbba2afeb1d
Instruction ID: 2d1f7f9e46b0f8089392ac88a70112ed5fae5396cb40f32187607338f813921d
Opcode Fuzzy Hash: 192c1bd665a13e7372bf17aab3d258d8258ee6787b804039506e4dbba2afeb1d
Instruction Fuzzy Hash: 15415771D451185EDF52EBA4CD81ADDBBB8AF44350F1000E6E905E7142EA39A688EB50

Function 00F72DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F72E1C
GetWindowLongW.USER32(?,000000F0), ref: 00F72E4F
GetWindowLongW.USER32(?,000000F0), ref: 00F72E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F72EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F72EE0
GetWindowLongW.USER32(?,000000F0), ref: 00F72EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F72F0B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ef9884c0cd37d09484528429dd5436d051c5c34177f2afe55b94ea5f67d32113
Instruction ID: 2b06352d76df9bff3c3244063704e3629958d46fc212c8aad5dc8b2b36001aff
Opcode Fuzzy Hash: ef9884c0cd37d09484528429dd5436d051c5c34177f2afe55b94ea5f67d32113
Instruction Fuzzy Hash: 7D310531A041589FEB61DF58DCD4F6537E1FB4A720F15416AF9489B2B1CB71A880EF82

Function 00F47726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F47769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F4778F
SysAllocString.OLEAUT32(00000000), ref: 00F47792
SysAllocString.OLEAUT32(?), ref: 00F477B0
SysFreeString.OLEAUT32(?), ref: 00F477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F477DE
SysAllocString.OLEAUT32(?), ref: 00F477EC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 67c44741540b41db18693f62bd1aea7d694f3fe85e6d1aa4e6502c52ec349417
Instruction ID: 3f81737964b3bc64bf614a3ad3328d64854dcea2cd84f4de34d260270ff38795
Opcode Fuzzy Hash: 67c44741540b41db18693f62bd1aea7d694f3fe85e6d1aa4e6502c52ec349417
Instruction Fuzzy Hash: 3D21A176604219AFDB10EFA8CC88DBB7BACEB093647408029FE15DB150D770DC8197A0

Function 00F477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F47842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F47868
SysAllocString.OLEAUT32(00000000), ref: 00F4786B
SysAllocString.OLEAUT32 ref: 00F4788C
SysFreeString.OLEAUT32 ref: 00F47895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F478AF
SysAllocString.OLEAUT32(?), ref: 00F478BD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1e69616561ba7d0997a9948b5bd845f404b39ac8a04cccd53c3812ace97f2d82
Instruction ID: b5259e2c115aa9909575cb3cc832714b61037f67b6948145581633a1d5606bd0
Opcode Fuzzy Hash: 1e69616561ba7d0997a9948b5bd845f404b39ac8a04cccd53c3812ace97f2d82
Instruction Fuzzy Hash: B5217731604208AFDB10AFA8DC8CDBA77ECEB097607108125F915DB1A1D774DC41DB65

Function 00F504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F5052E

Strings

nul, xrefs: 00F50567

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2bb3d921f558640b12f193450dbffc9121944d93ddf22045fd1caad7b3daaff7
Instruction ID: 1420b279a8123ac2cb3dca57f646fdcf15867fe261b64e910652cc2eb8686a8a
Opcode Fuzzy Hash: 2bb3d921f558640b12f193450dbffc9121944d93ddf22045fd1caad7b3daaff7
Instruction Fuzzy Hash: A72194759003059FDB208F29DC04A9A77B4AF45735F284A29FDA1E71E0EB70D948EF60

Function 00F505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F50601

Strings

nul, xrefs: 00F50639

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b9f9462590144dde0107183e7dcee25d91b6604ef8917e5940ac3454e5c36cf4
Instruction ID: 16359c4365d78af97dd9a4e95ff2884037e0a4ab7700590f9fb3f87ab886f754
Opcode Fuzzy Hash: b9f9462590144dde0107183e7dcee25d91b6604ef8917e5940ac3454e5c36cf4
Instruction Fuzzy Hash: CF21B5759003069BDB208F68CC04A5A77E4BF85731F240A19FEA1E32E0DF709964EB50

Function 00F740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EE604C
Part of subcall function 00EE600E: GetStockObject.GDI32(00000011), ref: 00EE6060
Part of subcall function 00EE600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F74112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F7411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F7412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F74139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F74145

Strings

Msctls_Progress32, xrefs: 00F740E3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6d1dd5e916dc7f650d30340d5b64e3bda41e8203f0e5bb36458e6eb2d93f3db3
Instruction ID: 0ebcb5e741a225a99a63f2af11168ef7709e17093059444a5db5713ca97df1b8
Opcode Fuzzy Hash: 6d1dd5e916dc7f650d30340d5b64e3bda41e8203f0e5bb36458e6eb2d93f3db3
Instruction Fuzzy Hash: 5711B6B215021D7EEF119F64CC85EE77F9DEF08798F008111B618A2050C772DC61EBA4

Function 00F1D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F1D7A3: _free.LIBCMT ref: 00F1D7CC

_free.LIBCMT ref: 00F1D82D

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F1D838
_free.LIBCMT ref: 00F1D843
_free.LIBCMT ref: 00F1D897
_free.LIBCMT ref: 00F1D8A2
_free.LIBCMT ref: 00F1D8AD
_free.LIBCMT ref: 00F1D8B8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3ef8c0af57392d4898a6fbc926baa356466bd6119823f23bc416d51207141a23
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 55115171540B04AAD521BFF4CC47FCB7BFC6F00710F840825B299AA0D2DAA9B5A57650

Function 00F4DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F4DA74
LoadStringW.USER32(00000000), ref: 00F4DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F4DA91
LoadStringW.USER32(00000000), ref: 00F4DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F4DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F4DAB9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5a3583b2b7c77a925bc00324e4d036c135b230ba1286f159f231f25e1008b54b
Instruction ID: 83cd05ef6771eae5744300875dfb507d0ab4c8522f666d2bfc7dea84d497c090
Opcode Fuzzy Hash: 5a3583b2b7c77a925bc00324e4d036c135b230ba1286f159f231f25e1008b54b
Instruction Fuzzy Hash: 64018BF250020C7FE711EBA09D89EE7376CD708701F404459B709E2041E6749EC45F75

Function 00F5096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010EE880,010EE880), ref: 00F5097B
EnterCriticalSection.KERNEL32(010EE860,00000000), ref: 00F5098D
TerminateThread.KERNEL32(?,000001F6), ref: 00F5099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00F509A9
CloseHandle.KERNEL32(?), ref: 00F509B8
InterlockedExchange.KERNEL32(010EE880,000001F6), ref: 00F509C8
LeaveCriticalSection.KERNEL32(010EE860), ref: 00F509CF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8cb163dc9b8f26ed3462351bd67b700498c07887fe378a3abb71fa9f92aae67e
Instruction ID: b6e36b32d9043b0b7ac12b07b0069ceb92541ba1e7586d54357f93b25a74a207
Opcode Fuzzy Hash: 8cb163dc9b8f26ed3462351bd67b700498c07887fe378a3abb71fa9f92aae67e
Instruction Fuzzy Hash: 98F03132442506BBD7415F94EE8CBD6BB35FF05712F401029F205608A5CB7494A5EFD1

Function 00F61C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F61DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F61DE1
WSAGetLastError.WSOCK32 ref: 00F61DF2
htons.WSOCK32(?,?,?,?,?), ref: 00F61EDB
inet_ntoa.WSOCK32(?), ref: 00F61E8C

Part of subcall function 00F439E8: _strlen.LIBCMT ref: 00F439F2

Part of subcall function 00F63224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F5EC0C), ref: 00F63240

_strlen.LIBCMT ref: 00F61F35

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 3ac8606060f7a4c3b6dd5a2c28e68fd956e6769444067577ab3605ff11cf1927
Instruction ID: e1ff9bbab92785bc9bca3feb8d9a7fc8116232b075306900578f55fe3e971920
Opcode Fuzzy Hash: 3ac8606060f7a4c3b6dd5a2c28e68fd956e6769444067577ab3605ff11cf1927
Instruction Fuzzy Hash: DCB1E031604344AFC324DF24C885E2A7BE5BF84328F58894CF55A5B2E2DB71ED46DB92

Function 00EE5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00EE5D30
GetWindowRect.USER32(?,?), ref: 00EE5D71
ScreenToClient.USER32(?,?), ref: 00EE5D99
GetClientRect.USER32(?,?), ref: 00EE5ED7
GetWindowRect.USER32(?,?), ref: 00EE5EF8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c6ab6c7fa1354cf5cd80ed3ab34fec17e087655200b6f2fff0ae7c5b77e75fbb
Instruction ID: eefb79c549c8a7f65b454e051c3bcd50420994fdcec78eeb29440c373c387360
Opcode Fuzzy Hash: c6ab6c7fa1354cf5cd80ed3ab34fec17e087655200b6f2fff0ae7c5b77e75fbb
Instruction Fuzzy Hash: 09B18B35A10B8ADBDB10CFA9C4807EEB7F1FF48314F14941AE8A9E7250DB34AA51DB54

Function 00F101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F100D6
__allrem.LIBCMT ref: 00F100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F1010B
__allrem.LIBCMT ref: 00F10122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F10140

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a5c38d23821166c4d4a087b2eadd5e73efa5931c2d0fb63e2cee5f6826405477
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A6810A72A00706ABD7249E68CC41BAB73E8AF45334F14463AF551D66C1EBB8D9C4B750

Function 00F161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F082D9,00F082D9,?,?,?,00F1644F,00000001,00000001,8BE85006), ref: 00F16258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F1644F,00000001,00000001,8BE85006,?,?,?), ref: 00F162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F163D8
__freea.LIBCMT ref: 00F163E5

Part of subcall function 00F13820: RtlAllocateHeap.NTDLL(00000000,?,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6,?,00EE1129), ref: 00F13852

__freea.LIBCMT ref: 00F163EE
__freea.LIBCMT ref: 00F16413

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ef85fac904a162d0a7a7f19ff172f6d86d4695a013c0f9bff1c88c6523e01ecc
Instruction ID: e4f6c6536c3ecad4fd4956d97ba5dfd3976ea462340587e5bfca02ad0d12f482
Opcode Fuzzy Hash: ef85fac904a162d0a7a7f19ff172f6d86d4695a013c0f9bff1c88c6523e01ecc
Instruction Fuzzy Hash: 8B51A172A10216ABDF258F64DC81EEF77AAEB44760F154629FD15D6240EB34DCC0F6A0

Function 00F6BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F6B6AE,?,?), ref: 00F6C9B5
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6C9F1
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA68
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F6BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F6BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F6BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F6BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F6BDF3
RegCloseKey.ADVAPI32(?), ref: 00F6BDFF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2f1c2d4da30d6e78d5e012fbc3c260a30b3987a6a59e8a01969328950a679dbe
Instruction ID: 6f608cf01ca22eab65425eba583af06ea14af1762df267a823d942ee25b0042a
Opcode Fuzzy Hash: 2f1c2d4da30d6e78d5e012fbc3c260a30b3987a6a59e8a01969328950a679dbe
Instruction Fuzzy Hash: 0481C231608245EFC714DF24C885E2ABBE5FF84318F14895CF5598B2A2DB32ED85DB92

Function 00F3F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F3F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F3F860
VariantCopy.OLEAUT32(00F3FA64,00000000), ref: 00F3F889
VariantClear.OLEAUT32(00F3FA64), ref: 00F3F8AD
VariantCopy.OLEAUT32(00F3FA64,00000000), ref: 00F3F8B1
VariantClear.OLEAUT32(?), ref: 00F3F8BB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 641652e26a44770f2fc6765a5c917248aeb68579644dd662586663060549e2f5
Instruction ID: 1e2c14642ac0c6e51f62e385d8856ea54edcf0b478fc81801f5721b548c8d348
Opcode Fuzzy Hash: 641652e26a44770f2fc6765a5c917248aeb68579644dd662586663060549e2f5
Instruction Fuzzy Hash: 7751E731E01314BACF24AF65DC95B29B3E9EF45330F205466E906EF292DB748C48E796

Function 00F5910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00EE7620: _wcslen.LIBCMT ref: 00EE7625

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00F594E5
_wcslen.LIBCMT ref: 00F59506
_wcslen.LIBCMT ref: 00F5952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00F59585

Strings

X, xrefs: 00F59412

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: d6bca410dbf5b7ed41dad91e7ae378d6fbadb6b195400043a1294f3d5e8b1b83
Instruction ID: 324e8f0f0ae3b5d90f710f6e8a989c917a6e1aaed5dbcfd486a9a135fb992a78
Opcode Fuzzy Hash: d6bca410dbf5b7ed41dad91e7ae378d6fbadb6b195400043a1294f3d5e8b1b83
Instruction Fuzzy Hash: 43E1C531908340CFC728DF25C881A6AB7E5FF85314F14896DF9899B2A2DB71DD09DB92

Function 00EF920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

BeginPaint.USER32(?,?,?), ref: 00EF9241
GetWindowRect.USER32(?,?), ref: 00EF92A5
ScreenToClient.USER32(?,?), ref: 00EF92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EF92D3
EndPaint.USER32(?,?,?,?,?), ref: 00EF9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F371EA

Part of subcall function 00EF9339: BeginPath.GDI32(00000000), ref: 00EF9357

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 065e19395b1529f75a0def48606072421112d9afd8639bbb3978fc9590fb983a
Instruction ID: a83c16c50ecb418419a4f465d8d38419e95acdd394399e90f1bfe0e71775b7e2
Opcode Fuzzy Hash: 065e19395b1529f75a0def48606072421112d9afd8639bbb3978fc9590fb983a
Instruction Fuzzy Hash: C041AF71105309AFD721EF24DCD4FBA7BA8FB45724F140229FA98972E2C7319845EB62

Function 00F507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F5080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F50847
EnterCriticalSection.KERNEL32(?), ref: 00F50863
LeaveCriticalSection.KERNEL32(?), ref: 00F508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F50921

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a95b16687e763d8a37239b32a6a9468c07649caff4c0ad73ecd9c2a8591d65f1
Instruction ID: 5bdf2a9a0e49607b9534ea53756b1b86c2c65055e103dce1d228214d29bc8f3a
Opcode Fuzzy Hash: a95b16687e763d8a37239b32a6a9468c07649caff4c0ad73ecd9c2a8591d65f1
Instruction Fuzzy Hash: 63419A71900209EBDF04AF54DC85A6A77B8FF04311F1440A9EE04AE29BDB30DE65EBA0

Function 00F781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F3F3AB,00000000,?,?,00000000,?,00F3682C,00000004,00000000,00000000), ref: 00F7824C
EnableWindow.USER32(?,00000000), ref: 00F78272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F782D1
ShowWindow.USER32(?,00000004), ref: 00F782E5
EnableWindow.USER32(?,00000001), ref: 00F7830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F7832F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1d012020c6186c442c8d63767d026289ccee3fd69cdfaa9716fe90d2b2521faa
Instruction ID: 440a2931ae6c4cfb17807f5b44da1346140296905bed3b7e94a9d4181f1d3d5a
Opcode Fuzzy Hash: 1d012020c6186c442c8d63767d026289ccee3fd69cdfaa9716fe90d2b2521faa
Instruction Fuzzy Hash: B641B730A41644AFDB15CF14DCDDBE47BE1BB0A765F18826AE50C4B263CB315842EF52

Function 00F44C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F44C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F44CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F44CEA
_wcslen.LIBCMT ref: 00F44D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F44D10
_wcsstr.LIBVCRUNTIME ref: 00F44D1A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: df37d4d4328e8b4e38ab9512159140e735aaff30c8dda9beccf8e58f2811b640
Instruction ID: b8d2add7cc55d7c8540bade4abfbfe96b6cdcb786539ec99b83a65165f10ec79
Opcode Fuzzy Hash: df37d4d4328e8b4e38ab9512159140e735aaff30c8dda9beccf8e58f2811b640
Instruction Fuzzy Hash: F0210732A042047BEB155B25AC89F7B7FA8DF45760F10402DFD09EA192DA61EC40A6A1

Function 00F5581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE3A97,?,?,00EE2E7F,?,?,?,00000000), ref: 00EE3AC2

_wcslen.LIBCMT ref: 00F5587B
CoInitialize.OLE32(00000000), ref: 00F55995
CoCreateInstance.OLE32(00F7FCF8,00000000,00000001,00F7FB68,?), ref: 00F559AE
CoUninitialize.OLE32 ref: 00F559CC

Strings

.lnk, xrefs: 00F55876, 00F558C1, 00F55985

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9b37aedc3034c1e8f35a9541566249d608f9c58e959425df62157be24198b802
Instruction ID: 049bddf8776bd711336c6b70cc9f2231c9ba5cb417d9f91ccdbb73ebee1d6d03
Opcode Fuzzy Hash: 9b37aedc3034c1e8f35a9541566249d608f9c58e959425df62157be24198b802
Instruction Fuzzy Hash: 8BD18571A047019FC704DF25C494A2ABBE2FF89B21F14885DF989AB361D731EC49DB92

Function 00F4175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F40FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F40FCA
Part of subcall function 00F40FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F40FD6
Part of subcall function 00F40FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F40FE5
Part of subcall function 00F40FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F40FEC
Part of subcall function 00F40FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F41002

GetLengthSid.ADVAPI32(?,00000000,00F41335), ref: 00F417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F417BA
HeapAlloc.KERNEL32(00000000), ref: 00F417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F417DA
GetProcessHeap.KERNEL32(00000000,00000000,00F41335), ref: 00F417EE
HeapFree.KERNEL32(00000000), ref: 00F417F5

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7b147d7c86ac9ba35add3cc7b03d48bf589544e60b07762442d420e79f372b25
Instruction ID: 6fd6080adf82efcaec5069cd8c485401b099f3e0843ddab5760b4bc7576402f1
Opcode Fuzzy Hash: 7b147d7c86ac9ba35add3cc7b03d48bf589544e60b07762442d420e79f372b25
Instruction Fuzzy Hash: 84118E32910209FFDB109FA4CC49BAF7BB9FB45365F104128F84597211D779A984EBA0

Function 00F414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F41506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F41515
CloseHandle.KERNEL32(00000004), ref: 00F41520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F4154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F41563

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5ea24a0f2c4a87e2fd526e2a2feb0556a4bb915bd4b697ecc37dbf1e531f337b
Instruction ID: f076fb202029678141962e514481a050fb2f1ea0e840b528e419eaac1a635d38
Opcode Fuzzy Hash: 5ea24a0f2c4a87e2fd526e2a2feb0556a4bb915bd4b697ecc37dbf1e531f337b
Instruction Fuzzy Hash: 8B11297250120DABDF11CF98DD49BDE7BAAFF49754F044019FE09A2160C3758EA1EBA1

Function 00F03382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F03379,00F02FE5), ref: 00F03390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F0339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F033B7
SetLastError.KERNEL32(00000000,?,00F03379,00F02FE5), ref: 00F03409

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 08175f493489fbb8bbbc2a31934530104ce43f0fe2d4fe9cfb461a8483f47bbb
Instruction ID: d33cc378d7609c108e193aca16debf2563299d36e858a0da57a3dfdc698fe731
Opcode Fuzzy Hash: 08175f493489fbb8bbbc2a31934530104ce43f0fe2d4fe9cfb461a8483f47bbb
Instruction Fuzzy Hash: 8901F773A09315BEE62527B47CC5A673E9CEB16379720422DF610C51F0FF224D417684

Function 00F12D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F15686,00F23CD6,?,00000000,?,00F15B6A,?,?,?,?,?,00F0E6D1,?,00FA8A48), ref: 00F12D78
_free.LIBCMT ref: 00F12DAB
_free.LIBCMT ref: 00F12DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F0E6D1,?,00FA8A48,00000010,00EE4F4A,?,?,00000000,00F23CD6), ref: 00F12DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F0E6D1,?,00FA8A48,00000010,00EE4F4A,?,?,00000000,00F23CD6), ref: 00F12DEC
_abort.LIBCMT ref: 00F12DF2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9de4babfa9b2587a88859673f85b7ec35b46d3dbd3cf8657a54d3568aca92dee
Instruction ID: b922ae23b040278fcfa4c50b5765bbafd3ab8fa61f24e26ce6d870907aa23d7c
Opcode Fuzzy Hash: 9de4babfa9b2587a88859673f85b7ec35b46d3dbd3cf8657a54d3568aca92dee
Instruction Fuzzy Hash: 03F0CD329455042BC6D237B9FC06FDF35556FC2771F24041CF828921D1EE3898E271A1

Function 00F78A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF9693
Part of subcall function 00EF9639: SelectObject.GDI32(?,00000000), ref: 00EF96A2
Part of subcall function 00EF9639: BeginPath.GDI32(?), ref: 00EF96B9
Part of subcall function 00EF9639: SelectObject.GDI32(?,00000000), ref: 00EF96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F78A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F78A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F78A70
LineTo.GDI32(?,00000000,00000003), ref: 00F78A80
EndPath.GDI32(?), ref: 00F78A90
StrokePath.GDI32(?), ref: 00F78AA0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6fabdcc7d361eb2f986ace17e648ed8352068e94f42fa403e7a356be64769124
Instruction ID: 1f11ed345ab2acedce179356ed32d93bee2f77c5363b8bf5a9fdf499a7424664
Opcode Fuzzy Hash: 6fabdcc7d361eb2f986ace17e648ed8352068e94f42fa403e7a356be64769124
Instruction Fuzzy Hash: F4110C7604014CFFEB119F90DC88EAA7F6DEB04350F008016BA1995161C7719D95EFA1

Function 00F451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F45218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F45229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F45230
ReleaseDC.USER32(00000000,00000000), ref: 00F45238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F4524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F45261

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1486a793ef045dc5101162d80f7857fb75e28499c0968aabca56b69348fd8002
Instruction ID: 3d7b0688da11e0f410709dcac8ad8c148ed77adfc66bd6cbd810faf3da97b284
Opcode Fuzzy Hash: 1486a793ef045dc5101162d80f7857fb75e28499c0968aabca56b69348fd8002
Instruction Fuzzy Hash: 57014475E00718BBEB106BA59C49A5EBFB8EF44761F044069FA09A7381D6709900DBA1

Function 00EE1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EE1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EE1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EE1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EE1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EE1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE1C22

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 40a7c55c9a22010fe579cf9c9d7575f4d526c1d38d4da392883e385e331d4d35
Instruction ID: 134dca50306608271aaff5d4ae0c1f51613b342acd93013348ed7b9f4386c747
Opcode Fuzzy Hash: 40a7c55c9a22010fe579cf9c9d7575f4d526c1d38d4da392883e385e331d4d35
Instruction Fuzzy Hash: C0016CB09027597DE3008F5A8C85B52FFA8FF19754F00411F915C47941C7F5A864CBE5

Function 00F4EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F4EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F4EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F4EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F4EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F4EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F4EB75

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ada9b05f169f0aa6472e11f496a30a7d0c1ae6e7d708b16e30c5f2c43f590bdc
Instruction ID: 4aea8913d6da9f516fff4b85ac6cc07020c7a0dfbbbfeb3628fc3e1e7b0edf9d
Opcode Fuzzy Hash: ada9b05f169f0aa6472e11f496a30a7d0c1ae6e7d708b16e30c5f2c43f590bdc
Instruction Fuzzy Hash: 00F01D72540158BBE72157529C4DEAB3A7CEBCAB11F00016CF609E109196A05A41EAF6

Function 00F37439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F37452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F37469
GetWindowDC.USER32(?), ref: 00F37475
GetPixel.GDI32(00000000,?,?), ref: 00F37484
ReleaseDC.USER32(?,00000000), ref: 00F37496
GetSysColor.USER32(00000005), ref: 00F374B0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: efdb6d778574ca033026903c83f7dfe9afb9d87a8ec0e488303fb3da5f3e7fda
Instruction ID: b68ec8dbbe11097c7aa7f6877f592e2a58c846ea5282c4c04913521b715d60ab
Opcode Fuzzy Hash: efdb6d778574ca033026903c83f7dfe9afb9d87a8ec0e488303fb3da5f3e7fda
Instruction Fuzzy Hash: E8014F31404219EFDB51AF64DC48BA97BB5FB04321F550168F919A21A1CB312E91BB91

Function 00F41874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F4187F
UnloadUserProfile.USERENV(?,?), ref: 00F4188B
CloseHandle.KERNEL32(?), ref: 00F41894
CloseHandle.KERNEL32(?), ref: 00F4189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F418A5
HeapFree.KERNEL32(00000000), ref: 00F418AC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c7ca6206a9ccb979fff941923436a6f7570c9c4025d312c361b6e5bcf3cbeb73
Instruction ID: 74788ff5b721401809341785d427e6822081da35170c68a1ee05df37844671e4
Opcode Fuzzy Hash: c7ca6206a9ccb979fff941923436a6f7570c9c4025d312c361b6e5bcf3cbeb73
Instruction Fuzzy Hash: 1DE0ED36004109BBEB015FA2ED0C905BF3AFF497217508228F22991471CB7254A1EF91

Function 00F4C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7620: _wcslen.LIBCMT ref: 00EE7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F4C6EE
_wcslen.LIBCMT ref: 00F4C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F4C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F4C7CA

Strings

0, xrefs: 00F4C6AF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6055072a73b4349620d58d912d1ce90e14147390d5abc5ebd1f268dbbf2d9f5b
Instruction ID: 4b0d62f5e17f95f83e7311ce636c77f8059c734ac1e870c8bdb5b6366608ef94
Opcode Fuzzy Hash: 6055072a73b4349620d58d912d1ce90e14147390d5abc5ebd1f268dbbf2d9f5b
Instruction Fuzzy Hash: 0A51E071A063009BD7949F28C884B6B7BE4AF45324F042A2DFD95E31E1DB60D804AF92

Function 00F6AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F6AEA3

Part of subcall function 00EE7620: _wcslen.LIBCMT ref: 00EE7625

GetProcessId.KERNEL32(00000000), ref: 00F6AF38
CloseHandle.KERNEL32(00000000), ref: 00F6AF67

Strings

<, xrefs: 00F6AE6B
@, xrefs: 00F6AE72

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 57314a7e1bdd0b148f53bc7c7fa482e9fdf93c077be4f969cea6fdef8291e02c
Instruction ID: 5b633d3a23e2f8f7650f04a29886165d8b5124c3faecff608b5504ec956233f7
Opcode Fuzzy Hash: 57314a7e1bdd0b148f53bc7c7fa482e9fdf93c077be4f969cea6fdef8291e02c
Instruction Fuzzy Hash: F8718670A00658CFCB14EF65D484A9EBBF0AF08310F048499E85ABB3A2CB35ED45DF91

Function 00F4719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F47206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F4723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F4724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F472CF

Strings

DllGetClassObject, xrefs: 00F47242

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0e204353b931ccc2276036bf21a562ab4a0143e413123a258e4bd93ea5bb2812
Instruction ID: 030ff7976f98e51b9f78da1d03736aa390d25e7f5ae75809e1ee4d765869b114
Opcode Fuzzy Hash: 0e204353b931ccc2276036bf21a562ab4a0143e413123a258e4bd93ea5bb2812
Instruction Fuzzy Hash: C9413C71A04304EFDB15DF64C884A9A7FA9EF44310B1480ADBD099F24AD7B5DA44EBA1

Function 00F73D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F73E35
IsMenu.USER32(?), ref: 00F73E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F73E92
DrawMenuBar.USER32 ref: 00F73EA5

Strings

0, xrefs: 00F73D89

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 399a7060c6346a290bd4353e03a437d722be716ead5dea9105da843b4583b511
Instruction ID: 295683bcf93e77129239dd17c066255527debd57944884fb61fdb5a3f8030eaa
Opcode Fuzzy Hash: 399a7060c6346a290bd4353e03a437d722be716ead5dea9105da843b4583b511
Instruction Fuzzy Hash: 95414A75A01209FFDB10DF50D884EAABBB5FF48364F04812AF909A7250D730AE48EF91

Function 00F41DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F41E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F41E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F41EA9

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

Strings

ListBox, xrefs: 00F41E25
ComboBox, xrefs: 00F41DF0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b6e5c34e2c0dda7d95978c39ff3091116983b81d7db67f352e47ec7595f6308b
Instruction ID: f20e80a38c5d054d1595afabb87fb2e59c02d254b211b7e606cd5c69600e42e0
Opcode Fuzzy Hash: b6e5c34e2c0dda7d95978c39ff3091116983b81d7db67f352e47ec7595f6308b
Instruction Fuzzy Hash: 64210775A00108BADB14AB65DC85DFFBBF9EF45360B104119FC15A71E1EB38598AA620

Function 00F72F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F72F8D
LoadLibraryW.KERNEL32(?), ref: 00F72F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F72FA9
DestroyWindow.USER32(?), ref: 00F72FB1

Strings

SysAnimate32, xrefs: 00F72F68

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1c7839a569d80bab5c4e91c562a32ddd6094264e8c4416d958ffb755b7dbdbdb
Instruction ID: b10ddf5cf943091a1eb0e5657183ebd2c96d7f8695dba8ae8565b38ed0d3ce2f
Opcode Fuzzy Hash: 1c7839a569d80bab5c4e91c562a32ddd6094264e8c4416d958ffb755b7dbdbdb
Instruction Fuzzy Hash: FB219D72600209ABEB504F68DC80EFB37B9EB59374F10861AF958D6190D771DC91A762

Function 00F04D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F04D1E,00F128E9,?,00F04CBE,00F128E9,00FA88B8,0000000C,00F04E15,00F128E9,00000002), ref: 00F04D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F04DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F04D1E,00F128E9,?,00F04CBE,00F128E9,00FA88B8,0000000C,00F04E15,00F128E9,00000002,00000000), ref: 00F04DC3

Strings

mscoree.dll, xrefs: 00F04D86
CorExitProcess, xrefs: 00F04D98

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3c9f53a3949a0be41a724eb09e43aa759bb13438ec0c33d6aaf5a3edcb65c753
Instruction ID: b64e192b4b0841d2cd0c0f09a3905ddb6784c3f1b110572f9c5ac1fcf959072e
Opcode Fuzzy Hash: 3c9f53a3949a0be41a724eb09e43aa759bb13438ec0c33d6aaf5a3edcb65c753
Instruction Fuzzy Hash: F4F03174A4120CEBDB119B90DC49B9DBBA5EF44751F440168A909A2590CF749980FBD2

Function 00EE4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EE4EDD,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4EAE
FreeLibrary.KERNEL32(00000000,?,?,00EE4EDD,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00EE4EA8
kernel32.dll, xrefs: 00EE4E94

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1756d3f4de54c956de311f032638a3c5fca9c287b1c83c9ed2d2ebced01b2fd2
Instruction ID: 96bb88dd99e388b4da44fec308475c1cb010d8a5e13257eb4f85a5c636ac44df
Opcode Fuzzy Hash: 1756d3f4de54c956de311f032638a3c5fca9c287b1c83c9ed2d2ebced01b2fd2
Instruction Fuzzy Hash: 6CE0CD75E015665BD2311B2AAC18F5F7654AFC1F66B05012AFC08F7150DBA0CD4195E3

Function 00EE4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F23CDE,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4E74
FreeLibrary.KERNEL32(00000000,?,?,00F23CDE,?,00FB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00EE4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00EE4E6E
kernel32.dll, xrefs: 00EE4E5B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a7191f2fe9e00c845e1a28e4340d17c193b5da5b95252e0b2dbaf6691010dfcf
Instruction ID: d42835cac10909d9d1b66f41f247057e3fd3a13b5ba1922cc94ddf218fe6f217
Opcode Fuzzy Hash: a7191f2fe9e00c845e1a28e4340d17c193b5da5b95252e0b2dbaf6691010dfcf
Instruction Fuzzy Hash: 3ED0C2759026665787221B2A6C08D8F7A18AF89B193490129B808B6164CFA0CD41E5D2

Function 00F52947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F52C05
DeleteFileW.KERNEL32(?), ref: 00F52C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F52C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F52CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F52CC0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 46fdb31cd4213e0cda339f75e4f076714d3b4cbdcd90eaac7436f708d7e3e9c9
Instruction ID: 69829234af76e7331df69e62bb6146adaa45a04ead1826a41470131591c8607a
Opcode Fuzzy Hash: 46fdb31cd4213e0cda339f75e4f076714d3b4cbdcd90eaac7436f708d7e3e9c9
Instruction Fuzzy Hash: 6EB15E72D0011DABDF11DBA4CC85EDEB7BDEF49350F1041A6FA09E6142EA349A489FA1

Function 00F6A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F6A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F6A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F6A468
CloseHandle.KERNEL32(?), ref: 00F6A63D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 94ac3eb8e98efad3b8a3c57719dfe6fbc22fd751c790ccea2d5c437233887c89
Instruction ID: 6c6cb9d0320644271402aeaa5daeaa980994f017d01a69563e87dda5e08ec3e0
Opcode Fuzzy Hash: 94ac3eb8e98efad3b8a3c57719dfe6fbc22fd751c790ccea2d5c437233887c89
Instruction Fuzzy Hash: B0A1A1716047009FD720DF24D886F2AB7E5AF84714F14981DF5AAAB392DBB1EC41CB92

Function 00F1BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F83700), ref: 00F1BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00FB121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F1BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00FB1270,000000FF,?,0000003F,00000000,?), ref: 00F1BC36
_free.LIBCMT ref: 00F1BB7F

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F1BD4B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9d29e34ce27fc69f5341244f1df070c06d288eadbf0d9b5b077cfc5b18a65377
Instruction ID: 9a588d1100cad6e038b104511f7cf8178febb46881d757fa791834c508b0e81f
Opcode Fuzzy Hash: 9d29e34ce27fc69f5341244f1df070c06d288eadbf0d9b5b077cfc5b18a65377
Instruction Fuzzy Hash: 7251C471D04209EFDB14EF69DC819EEB7B8BF41320F50426AE464D7291EB309E91BB90

Function 00F4E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F4CF22,?), ref: 00F4DDFD

Part of subcall function 00F4DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F4CF22,?), ref: 00F4DE16

Part of subcall function 00F4E199: GetFileAttributesW.KERNEL32(?,00F4CF95), ref: 00F4E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F4E473
MoveFileW.KERNEL32(?,?), ref: 00F4E4AC
_wcslen.LIBCMT ref: 00F4E5EB
_wcslen.LIBCMT ref: 00F4E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F4E650

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 3425dbb24d4ee082f5cfa8d8c14012cee5a6ded821927a0aa95051d29840bc1d
Instruction ID: f1ec140f08b2cd9940fe7b300a8dbcc2744d91e7441ef72c1d7e6c77faf4e587
Opcode Fuzzy Hash: 3425dbb24d4ee082f5cfa8d8c14012cee5a6ded821927a0aa95051d29840bc1d
Instruction Fuzzy Hash: 5C5176B24083859BC724EB90DC819DFB7ECAF84350F10491EF989D3191EF78A588D766

Function 00F6B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F6B6AE,?,?), ref: 00F6C9B5
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6C9F1
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA68
Part of subcall function 00F6C998: _wcslen.LIBCMT ref: 00F6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F6BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F6BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F6BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F6BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F6BBB3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0b04f9f0577f3cdfc7a4e988a5efab49abf8884d26d9c6e1b435d17631a9446c
Instruction ID: dd5d822ffed205d19987af68e2aa0aba14ca54e633c8f7fbc9ae3d2db962638f
Opcode Fuzzy Hash: 0b04f9f0577f3cdfc7a4e988a5efab49abf8884d26d9c6e1b435d17631a9446c
Instruction Fuzzy Hash: 4B61D231608245EFC314DF14C890E2ABBE5FF84318F54896CF4998B2A2DB31ED85DB92

Function 00F48BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F48BCD
VariantClear.OLEAUT32 ref: 00F48C3E
VariantClear.OLEAUT32 ref: 00F48C9D
VariantClear.OLEAUT32(?), ref: 00F48D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F48D3B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e29cb5f5d1fc0605fb88a8304b616a3d20794bc7e726798e1e8471f2315e566
Instruction ID: 4e0f90734afe72d07788cf97ed73ea61592f6035b0fc908e57e3ebbb155e3e2f
Opcode Fuzzy Hash: 0e29cb5f5d1fc0605fb88a8304b616a3d20794bc7e726798e1e8471f2315e566
Instruction Fuzzy Hash: 47516BB5A01219EFCB10CF58C884AAABBF4FF89354B158559ED09DB350E730E912CB90

Function 00F58AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F58BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F58BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F58C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F58C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F58C5F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3abe51e820065509803e60be7d05bb5058eab620dd380b197388ceb8bc5fc980
Instruction ID: 873a7a3a6e4257e44ff3cbb872431b6487fb1a431d63bedb42718fdc6e5d3cce
Opcode Fuzzy Hash: 3abe51e820065509803e60be7d05bb5058eab620dd380b197388ceb8bc5fc980
Instruction Fuzzy Hash: 10516A35A00618AFCB04DF65C885E6EBBF5FF48314F088458E949AB362DB31ED56DB90

Function 00F68EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F68F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F68FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F68FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F69032
FreeLibrary.KERNEL32(00000000), ref: 00F69052

Part of subcall function 00EFF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F51043,?,7644E610), ref: 00EFF6E6
Part of subcall function 00EFF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F3FA64,00000000,00000000,?,?,00F51043,?,7644E610,?,00F3FA64), ref: 00EFF70D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 88290280b096d4b0d4c8836e7665b01a1f0e0c4a1736e23499db392298fdf7ff
Instruction ID: d22da7184c98757f3c8703ba0ef3bf5e06b52c5e6875c2bc5c5b87cf4056e8ea
Opcode Fuzzy Hash: 88290280b096d4b0d4c8836e7665b01a1f0e0c4a1736e23499db392298fdf7ff
Instruction Fuzzy Hash: 56516135A04249DFC714DF64C484CADBBF1FF49324B0481A9E80AAB362DB31ED86DB91

Function 00F76B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F76C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F76C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F76C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F5AB79,00000000,00000000), ref: 00F76C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F76CC7

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6c42aade6f1fc65bb2f0192a06167ecf2ea2ff3d2fa43f40d3923c1209ad96a0
Instruction ID: 8f4945b4d3f539493046865204d1e7bd31e8f09315044ceba1d82d743be27596
Opcode Fuzzy Hash: 6c42aade6f1fc65bb2f0192a06167ecf2ea2ff3d2fa43f40d3923c1209ad96a0
Instruction Fuzzy Hash: 4441E635A00504AFD725CF38CC94FA57BA4EB09360F15826AF89DE73E0C371AD41EA81

Function 00F12051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F120C3
_free.LIBCMT ref: 00F120E3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9a2b8743e4ad916f94a867d80d47981c4ec63f9b0bf0b17fb80d89f35328fa04
Instruction ID: 84827f7b1194a465b5892e7d8acf6de3326b81aa339b87a154e7fd525f6d371f
Opcode Fuzzy Hash: 9a2b8743e4ad916f94a867d80d47981c4ec63f9b0bf0b17fb80d89f35328fa04
Instruction Fuzzy Hash: 93410472E00204AFCB24DFB8C880A9DB3F5EF89720F154569E615EB391DB31AD51EB80

Function 00EF912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EF9141
ScreenToClient.USER32(00000000,?), ref: 00EF915E
GetAsyncKeyState.USER32(00000001), ref: 00EF9183
GetAsyncKeyState.USER32(00000002), ref: 00EF919D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bf2a6717e388e4daabe651606da7c863057a4817da7d8d777be409b4d4f6226f
Instruction ID: bd7d51c373dae7b30750e55cf5000ac08ffe6d5aab092d52bb35bf84f4d2b226
Opcode Fuzzy Hash: bf2a6717e388e4daabe651606da7c863057a4817da7d8d777be409b4d4f6226f
Instruction Fuzzy Hash: 3C41607290861AFBDF15AF64C844BFEB774FB05334F20822AE569A3291C7346950DB91

Function 00F53874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F53922
TranslateMessage.USER32(?), ref: 00F5394B
DispatchMessageW.USER32(?), ref: 00F53955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F53966

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: bde5b9eb067108131bac270d22c92c86304843e51667b465975d9dba3cf2507e
Instruction ID: 5cf9816bb8d0635cb3f5b56c37a9ab75ae42f02e0e39757645d92d1e83b8bd0b
Opcode Fuzzy Hash: bde5b9eb067108131bac270d22c92c86304843e51667b465975d9dba3cf2507e
Instruction Fuzzy Hash: 5C311BB1D043499EEB35CB389C58BB637E5BB01392F08051DEA52C2090E3B0968CFF11

Function 00F5CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00F5C21E,00000000), ref: 00F5CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00F5CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00F5C21E,00000000), ref: 00F5CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F5C21E,00000000), ref: 00F5CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F5C21E,00000000), ref: 00F5CFF2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5edc1057a4b7275f9c30b5bd03366251cfed28a1cc9bf3c63c9a691f4eae5f4f
Instruction ID: b49f9900062253cf0fbde27cd2d907d2b50bfa3e6b61f5c3319033b9a285a1ab
Opcode Fuzzy Hash: 5edc1057a4b7275f9c30b5bd03366251cfed28a1cc9bf3c63c9a691f4eae5f4f
Instruction Fuzzy Hash: 5A317171900309AFDB24DFA5C884AABBBF9EF04312B10442EFA17D2101DB30AD45EBB0

Function 00F41901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F41915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F419E2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 44941c0cd165cb4b92bf236684ee49859c3e28a85813ad001c0acb13370debd9
Instruction ID: 99380560d8762b719bce53087407cbc604232ec20dd07333411de5760985a160
Opcode Fuzzy Hash: 44941c0cd165cb4b92bf236684ee49859c3e28a85813ad001c0acb13370debd9
Instruction Fuzzy Hash: 46319E72A00219EFCB14CFA8CD99A9E3BB5FB04325F104229FD25A72D1C7709994EB91

Function 00F75706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F75745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F7579D
_wcslen.LIBCMT ref: 00F757AF
_wcslen.LIBCMT ref: 00F757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F75816

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: fb025271d482aa9904d2e9aec508f7f5e9c8a92817956e762050ef6081bd51ae
Instruction ID: eaddcfd5422b560f69e539ba9e8211f5fc3f8e24bf21f35cbab99972de9fd1ba
Opcode Fuzzy Hash: fb025271d482aa9904d2e9aec508f7f5e9c8a92817956e762050ef6081bd51ae
Instruction Fuzzy Hash: 4F214471D046189ADB209FA4DC85AEE7778FF04B24F108217E91DDA180D7B49985EF52

Function 00F60930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F60951
GetForegroundWindow.USER32 ref: 00F60968
GetDC.USER32(00000000), ref: 00F609A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F609B0
ReleaseDC.USER32(00000000,00000003), ref: 00F609E8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9e39f57670b9112c887e81b6ce5082d84f55436a9576eb7c8f6a46b727cb16fa
Instruction ID: 314c85486f59dbc759591bd93db0d6297d632271d153e0297890d7ba1f8445a4
Opcode Fuzzy Hash: 9e39f57670b9112c887e81b6ce5082d84f55436a9576eb7c8f6a46b727cb16fa
Instruction Fuzzy Hash: 0D218135600208AFD714EF65DC85AAFBBE9EF44701F14846CF94AA7352DB70AD44EB90

Function 00F1CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F1CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F1CDE9

Part of subcall function 00F13820: RtlAllocateHeap.NTDLL(00000000,?,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6,?,00EE1129), ref: 00F13852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F1CE0F
_free.LIBCMT ref: 00F1CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F1CE31

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 21e4f38567cd35e139d6f05c3dbf0bfef983766e1fcc84503000985244c3b2d7
Instruction ID: c8db8193d6c61e91c732fbe49b71d33ff6fe84da7d88081ead793d982a0859eb
Opcode Fuzzy Hash: 21e4f38567cd35e139d6f05c3dbf0bfef983766e1fcc84503000985244c3b2d7
Instruction Fuzzy Hash: 9D01D472A412157F232116BA6C88DBF796DDFC6BB1315012DF909C7200EA608D81B2F1

Function 00EF9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF9693
SelectObject.GDI32(?,00000000), ref: 00EF96A2
BeginPath.GDI32(?), ref: 00EF96B9
SelectObject.GDI32(?,00000000), ref: 00EF96E2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 30e06725f963e3703ab213e0c9bf298f039edbddea965a918e19a36f1f2e605b
Instruction ID: 66103f3848ba4f371c33d2db65a80353a8a2a3c35b745572331d0cbf9c1f1efb
Opcode Fuzzy Hash: 30e06725f963e3703ab213e0c9bf298f039edbddea965a918e19a36f1f2e605b
Instruction Fuzzy Hash: DA219F7080234DEFDB119F24ECA87B93BA8BB40366F51032AF554E61B2D3709895EF95

Function 00F45711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F45726
_memcmp.LIBVCRUNTIME ref: 00F45744
_memcmp.LIBVCRUNTIME ref: 00F45757
_memcmp.LIBVCRUNTIME ref: 00F4576F
_memcmp.LIBVCRUNTIME ref: 00F45787

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 345f440ad7d91b2928dd665a39c7b3e6c3622dbc98de6a282e9a9d2474ca7b77
Instruction ID: 7043d7d2e89ab95340d363f46311545113f39f255672f94d0445e380e3322b31
Opcode Fuzzy Hash: 345f440ad7d91b2928dd665a39c7b3e6c3622dbc98de6a282e9a9d2474ca7b77
Instruction Fuzzy Hash: 1901BEA264160DBBD20866109D41FBB775CAB61764F004031FD089E282F764ED15F2B2

Function 00F12DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F0F2DE,00F13863,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6), ref: 00F12DFD
_free.LIBCMT ref: 00F12E32
_free.LIBCMT ref: 00F12E59
SetLastError.KERNEL32(00000000,00EE1129), ref: 00F12E66
SetLastError.KERNEL32(00000000,00EE1129), ref: 00F12E6F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c54c7db548ab5d081b670ed919df14996840a101294497a6726bb857ebb35886
Instruction ID: 397c37c6169314ee7f408063a38f023879882a16b553b619077dd62e9d642784
Opcode Fuzzy Hash: c54c7db548ab5d081b670ed919df14996840a101294497a6726bb857ebb35886
Instruction Fuzzy Hash: 8B01F97264560467C65267F96C85EEB3569AFD5771B20002CF419A21D2EE388CE17261

Function 00F4000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?,?,00F4035E), ref: 00F4002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?), ref: 00F40046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?), ref: 00F40054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?), ref: 00F40064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F3FF41,80070057,?,?), ref: 00F40070

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 290ae28c1cf1ce16c7dd57c5d602d251059d1ac0801e742bf0a37fb914cc7de7
Instruction ID: 85f92a49f2a91db0b7560bae980dc085e49914b97ce8866836fa49d8cb7b4f16
Opcode Fuzzy Hash: 290ae28c1cf1ce16c7dd57c5d602d251059d1ac0801e742bf0a37fb914cc7de7
Instruction Fuzzy Hash: 5E016276600218BFDB214F69DC44BAA7EEDEF44761F144128FE09D7210DB75DE80ABA1

Function 00F4E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F4E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F4E9A5
Sleep.KERNEL32(00000000), ref: 00F4E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F4E9B7
Sleep.KERNEL32 ref: 00F4E9F3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9a67de13c3c475021cb281a409b77ea5dcb3fe2e4ad7cf236ac8a569187434b5
Instruction ID: b048a67ed955f07075d98c1c2114ebc5573cc95b3c6e758586a6bea20b9f540d
Opcode Fuzzy Hash: 9a67de13c3c475021cb281a409b77ea5dcb3fe2e4ad7cf236ac8a569187434b5
Instruction Fuzzy Hash: 01016931C0162DDBCF00AFE5DC59AEDBB78FF08310F40055AE902B2281DB709590EBA2

Function 00F410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F41114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F4112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F40B9B,?,?,?), ref: 00F41136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F4114D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1e54cd0b64e7e5c7f63e8c9d04bd095b18f527eb5d6a433c9f431d27a1685629
Instruction ID: 0af2cc51dba68724c5f712439d1c9a35a936996e0683c1805afd94276e639ea3
Opcode Fuzzy Hash: 1e54cd0b64e7e5c7f63e8c9d04bd095b18f527eb5d6a433c9f431d27a1685629
Instruction Fuzzy Hash: 84018175500209BFEB114F65DC49E6A3F6EFF89361B110428FE49C3360DB71DC80AAA0

Function 00F40FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F40FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F40FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F40FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F40FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F41002

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 434b83d1a5b05f565a5f77759aaefac232e66b7d8561f9f1473229822f27f93a
Instruction ID: 482d587b374e3c11a69e1b18c3bd09c00bdc68794fb8cce4fb83c48112e3e500
Opcode Fuzzy Hash: 434b83d1a5b05f565a5f77759aaefac232e66b7d8561f9f1473229822f27f93a
Instruction Fuzzy Hash: 14F04F35500305ABD7214FA9AC49F563FAEFF89761F504428F949D6251CA70DC809AA1

Function 00F41014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F4102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F41036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F41045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F4104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F41062

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3eb5c2ae9be493d4965f4613b731665a1fd50fa731f904899e9b1762322b7f6f
Instruction ID: b5a7630c393a6e88cd058e6682d00851a6f1a3a43ea10d78efed53697f2edc44
Opcode Fuzzy Hash: 3eb5c2ae9be493d4965f4613b731665a1fd50fa731f904899e9b1762322b7f6f
Instruction Fuzzy Hash: 3BF06D35200309EBDB215FA9EC49F563FAEFF89761F100428FE49D7251CA70D890AAA1

Function 00F5030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F50324
CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F50331
CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F5033E
CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F5034B
CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F50358
CloseHandle.KERNEL32(?,?,?,?,00F5017D,?,00F532FC,?,00000001,00F22592,?), ref: 00F50365

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ea81184da1554b774ce5505f332cf764c88e76b41184828a9bf751f9bee1554a
Instruction ID: 7b84498ace4c89cc90676aae801de357e332cd52f873fa4f5d61ec6d3bdfb436
Opcode Fuzzy Hash: ea81184da1554b774ce5505f332cf764c88e76b41184828a9bf751f9bee1554a
Instruction Fuzzy Hash: A301A272800B159FC7309F66D880412F7F5BF503263158A3FD29652931C771A958EF80

Function 00F1D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F1D752

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F1D764
_free.LIBCMT ref: 00F1D776
_free.LIBCMT ref: 00F1D788
_free.LIBCMT ref: 00F1D79A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea0bd859dcdb1d75666c455067ebe8f3e54945563f2e74c1a22b79b5d0bd1a92
Instruction ID: 65f8415d088a485aa231ab7f321c52ae02d0a1f3e2885125735903e03a19bd3a
Opcode Fuzzy Hash: ea0bd859dcdb1d75666c455067ebe8f3e54945563f2e74c1a22b79b5d0bd1a92
Instruction Fuzzy Hash: F9F0FF72944218AB8665EBACF9C5C967BFDBB45730BD40805F048DB541CB28FCD0BAB4

Function 00F45C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F45C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F45C6F
MessageBeep.USER32(00000000), ref: 00F45C87
KillTimer.USER32(?,0000040A), ref: 00F45CA3
EndDialog.USER32(?,00000001), ref: 00F45CBD

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d3f76b313b0d966e9d11e422ac8e2a1b2069da943c8e2d2ea0757ed8fc85d975
Instruction ID: a6bd88a286a8d1439c04ddf4cf0d8e3d4ec513eb8e2e423c68c826b0a8517478
Opcode Fuzzy Hash: d3f76b313b0d966e9d11e422ac8e2a1b2069da943c8e2d2ea0757ed8fc85d975
Instruction Fuzzy Hash: E6018B70500B089BEB316B60EDCEF957BB8BB04F05F00155DA647610E1DBF059849BD1

Function 00F122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F122BE

Part of subcall function 00F129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000), ref: 00F129DE
Part of subcall function 00F129C8: GetLastError.KERNEL32(00000000,?,00F1D7D1,00000000,00000000,00000000,00000000,?,00F1D7F8,00000000,00000007,00000000,?,00F1DBF5,00000000,00000000), ref: 00F129F0

_free.LIBCMT ref: 00F122D0
_free.LIBCMT ref: 00F122E3
_free.LIBCMT ref: 00F122F4
_free.LIBCMT ref: 00F12305

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac4b8f1afad1ecf268aa09bb9bd0685270ad5e5cf8460cac200cc96e24da01e1
Instruction ID: 948a10b8eb43b545c437765f988bdc9c64eb330bf089ddea051e9a9b6387f631
Opcode Fuzzy Hash: ac4b8f1afad1ecf268aa09bb9bd0685270ad5e5cf8460cac200cc96e24da01e1
Instruction Fuzzy Hash: 6BF05EB19001288B8652AF9CBC818AE3B74F719770780070AF410DA3B1CB3848B1BFE4

Function 00EF95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00EF95D4
StrokeAndFillPath.GDI32(?,?,00F371F7,00000000,?,?,?), ref: 00EF95F0
SelectObject.GDI32(?,00000000), ref: 00EF9603
DeleteObject.GDI32 ref: 00EF9616
StrokePath.GDI32(?), ref: 00EF9631

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9000faf4da29bdb75b1ac75cd41adf6554b577eb3eb8f3084d7679255f20ab00
Instruction ID: 3c423ef4472a21815d23e9aa09bf2373a7ad6df27a4b859ef3e090c6cb2886d4
Opcode Fuzzy Hash: 9000faf4da29bdb75b1ac75cd41adf6554b577eb3eb8f3084d7679255f20ab00
Instruction Fuzzy Hash: 28F03C3000524CEBDB225F65ED6C7B43B65BB00326F548328F669A50F1C7708995EFA1

Function 00F10F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F110F9
__freea.LIBCMT ref: 00F11117

Part of subcall function 00F11537: _free.LIBCMT ref: 00F1154F

Strings

am/pm, xrefs: 00F1117A
a/p, xrefs: 00F111DE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: fa8fc2edfc0b406c0e9032681959fe62f26c6527a247a9766dd7e446429b78b1
Instruction ID: c6eb7b83410c8f437cb63ac8c7617599b39acc580e43ea0ced45b54697e6c5b8
Opcode Fuzzy Hash: fa8fc2edfc0b406c0e9032681959fe62f26c6527a247a9766dd7e446429b78b1
Instruction Fuzzy Hash: 5CD10232D00246DADB289F68C855BFEB7B5FF05320F280219EB11AB658D3759DC0EB91

Function 00F67B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F00242: EnterCriticalSection.KERNEL32(00FB070C,00FB1884,?,?,00EF198B,00FB2518,?,?,?,00EE12F9,00000000), ref: 00F0024D
Part of subcall function 00F00242: LeaveCriticalSection.KERNEL32(00FB070C,?,00EF198B,00FB2518,?,?,?,00EE12F9,00000000), ref: 00F0028A

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F000A3: __onexit.LIBCMT ref: 00F000A9

__Init_thread_footer.LIBCMT ref: 00F67BFB

Part of subcall function 00F001F8: EnterCriticalSection.KERNEL32(00FB070C,?,?,00EF8747,00FB2514), ref: 00F00202
Part of subcall function 00F001F8: LeaveCriticalSection.KERNEL32(00FB070C,?,00EF8747,00FB2514), ref: 00F00235

Strings

5, xrefs: 00F67C78
G, xrefs: 00F67C7F
Variable must be of type 'Object'., xrefs: 00F67C3A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0422c5d22d479077c5eefca890915d64f770fa19148f788466ecdb3a5bcf8193
Instruction ID: 6b8f65a4d9e826e6f67e9b95ed7050669431edd01cca9e535445f076885599c9
Opcode Fuzzy Hash: 0422c5d22d479077c5eefca890915d64f770fa19148f788466ecdb3a5bcf8193
Instruction Fuzzy Hash: F4919A70A04249EFCB14EF94D891DBDB7B1FF48318F148459F806AB2A2DB31AE45EB51

Function 00F15AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00F15BA8, 00F15C6C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 53e1558f949f984d8c3110c8ebe4a2a98401c45e6ad9e4afb29cde5808f5e8e0
Instruction ID: 48f5bc8f6c3dd5a90ea68599d6ae24fa05ae83acaa5429fae073f68ab774f153
Opcode Fuzzy Hash: 53e1558f949f984d8c3110c8ebe4a2a98401c45e6ad9e4afb29cde5808f5e8e0
Instruction Fuzzy Hash: A2519D71E04609DFCB21DFB4CC45FEEBBB8AF85B20F14005AE405A7291D7799981BBA1

Function 00F42716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F421D0,?,?,00000034,00000800,?,00000034), ref: 00F4B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F42760

Part of subcall function 00F4B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F4B3F8

Part of subcall function 00F4B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F4B355
Part of subcall function 00F4B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F42194,00000034,?,?,00001004,00000000,00000000), ref: 00F4B365
Part of subcall function 00F4B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F42194,00000034,?,?,00001004,00000000,00000000), ref: 00F4B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F4281A

Strings

@, xrefs: 00F42832

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 978a56f0ccdd9ca090be777cced06c69e1165725ce737bf12b18d8ae505775ef
Instruction ID: 8382a83ad6275fda25b8a79c09f285bc4fccd1b9d1254e0657e21fbe7e85f346
Opcode Fuzzy Hash: 978a56f0ccdd9ca090be777cced06c69e1165725ce737bf12b18d8ae505775ef
Instruction Fuzzy Hash: 6D414172D00218AFDB10DFA4CD85AEEBBB8EF05310F004099FA55B7191DB70AE85DB91

Function 00F1172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00F11769
_free.LIBCMT ref: 00F11834
_free.LIBCMT ref: 00F1183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00F11760, 00F11767, 00F11796, 00F117CE

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: e701db33b7a80a85c1d7f70280e4d3717918211aa25eaec72f07a38a87a125c8
Instruction ID: 421cf91f268ea4deced180dede88ba74356626aedf49b176fec2968429f412b9
Opcode Fuzzy Hash: e701db33b7a80a85c1d7f70280e4d3717918211aa25eaec72f07a38a87a125c8
Instruction Fuzzy Hash: 7E316E71E04218AFDB21DF999C85DDEBBFCFB95320B54416AF904D7251D6708E80EBA0

Function 00F4C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F4C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F4C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FB1990,010F6158), ref: 00F4C395

Strings

0, xrefs: 00F4C2DF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dc7c5d6b0ec2738cdea0a3174fe3f1b4d08b186817a8ffb4aa14ed703e53a07c
Instruction ID: d5a0f8e5526af4580c0cd973be2444292474ff23c7b15d851c7def363a62b25f
Opcode Fuzzy Hash: dc7c5d6b0ec2738cdea0a3174fe3f1b4d08b186817a8ffb4aa14ed703e53a07c
Instruction Fuzzy Hash: 42419F326053019FD760DF25D844B2ABBE4AF85320F04961DFEA597291D774E904EBA2

Function 00F74416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F7CC08,00000000,?,?,?,?), ref: 00F744AA
GetWindowLongW.USER32 ref: 00F744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F744D7

Strings

SysTreeView32, xrefs: 00F7447C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8ea093eef873d705204fe57eb20446eba3dbeb9dde42b0d43944a6a7dbf5d9c9
Instruction ID: 017be33072338d83f41f3d80984f85bce32fece293f95a553b0e799c715ebec4
Opcode Fuzzy Hash: 8ea093eef873d705204fe57eb20446eba3dbeb9dde42b0d43944a6a7dbf5d9c9
Instruction Fuzzy Hash: 8C319231610209AFDF219E38DC45BE677A9EB08334F24871AF979A31D0D770EC50AB51

Function 00F6304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F63077,?,?), ref: 00F63378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F6307A
_wcslen.LIBCMT ref: 00F6309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F63106

Strings

255.255.255.255, xrefs: 00F63095, 00F6309A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 164d1e0019850d7ab33167c9a01a545e6990405c3487b5ed606e38c91b5e9155
Instruction ID: 0042c791f89577a2467c37ea608fd41e8f2b41989b2a4b7a1e09c37d22eec3e5
Opcode Fuzzy Hash: 164d1e0019850d7ab33167c9a01a545e6990405c3487b5ed606e38c91b5e9155
Instruction Fuzzy Hash: CF31E735A042059FC710CF28C585E6977F0EF15328F248059E9158B392D732EF85E761

Function 00F73EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F73F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F73F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F73F78

Strings

SysMonthCal32, xrefs: 00F73F0B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 47b41ed5e88d752d54e9e727c66b8f7fe888241f73807a329978019437603f0c
Instruction ID: 358a8d595f7e0a5948a750821c32c0530fb57bc062094f7b22780cb7e37b6be4
Opcode Fuzzy Hash: 47b41ed5e88d752d54e9e727c66b8f7fe888241f73807a329978019437603f0c
Instruction Fuzzy Hash: 1821BF32A00219BFDF259F50CC86FEA3B75EB48764F114219FA196B1D0D6B5A850AB90

Function 00F74653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F74705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F74713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F7471A

Strings

msctls_updown32, xrefs: 00F74684

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e634b6abbc5d6d8f5ef642e917b9f31d8cae566e3e1fbcb7f753c5807df2b243
Instruction ID: 09edc1a66788e64bf2d13482c9914e63ad8742511e846b9a0d04cff89ead2c0a
Opcode Fuzzy Hash: e634b6abbc5d6d8f5ef642e917b9f31d8cae566e3e1fbcb7f753c5807df2b243
Instruction Fuzzy Hash: 702162B5600209AFEB10DF64DCD1DA737ADEB5A3A4B04415AF50497251C770FC52EAA1

Function 00F495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F4961D

Strings

#OnAutoItStartRegister, xrefs: 00F495F3
#notrayicon, xrefs: 00F495B7
#requireadmin, xrefs: 00F495D9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ba7c9b28f2345c846eb736aefd0e2d75da04dafde811c55aeb7c78eed2f8b4eb
Instruction ID: a16edb3d47f78bb5cdbf9a615c0766200c6bf9a8a5740fb2ddf4b1c808322731
Opcode Fuzzy Hash: ba7c9b28f2345c846eb736aefd0e2d75da04dafde811c55aeb7c78eed2f8b4eb
Instruction Fuzzy Hash: B421387270851166D331AA29EC02FB77BD89F91330F148026FD8997181EBD5AD45F296

Function 00F737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F73840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F73850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F73876

Strings

Listbox, xrefs: 00F7380F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2f397b591b8b6c60053f5871672ef3d6b862f74bbe3f218c84f0238f34739e18
Instruction ID: 57c96593e1342a75c3cdcfdf3dc4f15a222e4c727067833afe6553e9b88566fc
Opcode Fuzzy Hash: 2f397b591b8b6c60053f5871672ef3d6b862f74bbe3f218c84f0238f34739e18
Instruction Fuzzy Hash: 7C21C272A00218BBEF218F54CC85FBB376EEF89760F108115F9089B190C671DC52A7A1

Function 00F549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F54A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F54A5C
SetErrorMode.KERNEL32(00000000,?,?,00F7CC08), ref: 00F54AD0

Strings

%lu, xrefs: 00F54A6F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b799d5a2364657d3f15c6fffab14c218a03f92244e1946a69efa465c878b638d
Instruction ID: 5f3432f1b6b5fe46ec085affa6265ee1cb980aa5adc51c4dc12e446260d3d824
Opcode Fuzzy Hash: b799d5a2364657d3f15c6fffab14c218a03f92244e1946a69efa465c878b638d
Instruction Fuzzy Hash: 03316171A00109AFDB10DF54C985EAA7BF8EF04308F1480A9F909EB252D775ED85DBA1

Function 00F741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F7424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F74264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F74271

Strings

msctls_trackbar32, xrefs: 00F74226

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e66a2b8f2500ab7c7900ff76a6635843137b3fc972064489227fe02b0eb26b00
Instruction ID: 9ffb6d675a6b0c8d6d170ec79ef284abd57763ca5a8650dcb1f4e646c3bf8d1c
Opcode Fuzzy Hash: e66a2b8f2500ab7c7900ff76a6635843137b3fc972064489227fe02b0eb26b00
Instruction Fuzzy Hash: D7112331240248BEEF205E28CC46FAB3BACEF85B64F114115FA58E2090C2B1EC21EB10

Function 00F42F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE6B57: _wcslen.LIBCMT ref: 00EE6B6A

Part of subcall function 00F42DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F42DC5
Part of subcall function 00F42DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F42DD6
Part of subcall function 00F42DA7: GetCurrentThreadId.KERNEL32 ref: 00F42DDD
Part of subcall function 00F42DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F42DE4

GetFocus.USER32 ref: 00F42F78

Part of subcall function 00F42DEE: GetParent.USER32(00000000), ref: 00F42DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F42FC3
EnumChildWindows.USER32(?,00F4303B), ref: 00F42FEB

Strings

%s%d, xrefs: 00F42FFF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: afdac4c7970a2c4f0ba3413b0890b505377c2a6b70a7663f835d0639cc7f11a2
Instruction ID: b97946665e66de8dcb4a1cc75dbd9efb551d2e44b007fc07efc689af14fdca7c
Opcode Fuzzy Hash: afdac4c7970a2c4f0ba3413b0890b505377c2a6b70a7663f835d0639cc7f11a2
Instruction Fuzzy Hash: BE11B4716002096BCF557F748CC5EED3BAAAF94318F044079FD0DAB252DE349945AB61

Function 00F75882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F758EE
DrawMenuBar.USER32(?), ref: 00F758FD

Strings

0, xrefs: 00F7588F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f87c2b6703e1ebd597ae6f4a75d25afe06d2686fa4bd412208f761623ab5e5f0
Instruction ID: 1d6f5fcdddfa80f584db017a3fdea10c739dfb27e5ba51d98b25eded31665b99
Opcode Fuzzy Hash: f87c2b6703e1ebd597ae6f4a75d25afe06d2686fa4bd412208f761623ab5e5f0
Instruction Fuzzy Hash: D2015B32900218EEDB219F11DC44BAEBBB4FF45760F14C0AAE94DE6151DB718A84EF62

Function 00F3D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F3D3BF
FreeLibrary.KERNEL32 ref: 00F3D3E5

Strings

X64, xrefs: 00F3D2A8
GetSystemWow64DirectoryW, xrefs: 00F3D3B9

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 6305cc851ca9989a7695375a7d834297fb619c95fb950bb8a98dfb365a91bfb9
Instruction ID: 9e49043cf1aad1f44934e4bf7d776641eb87db38fa65b99d4c0d95935d7c8c54
Opcode Fuzzy Hash: 6305cc851ca9989a7695375a7d834297fb619c95fb950bb8a98dfb365a91bfb9
Instruction Fuzzy Hash: 5FF055B1905304CED7A41A009C08A6F3320AF11730F99806AF40AE2010DB70CE80BBA3

Function 00F4007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fb2929383aca06121982bca38cc0311fe22689f64a635b787a15c8c418f5c9
Instruction ID: 0a5779a8dbe7a14272e467a7ef6bc6f0ff1df693040b6c39e7c0ee2ca451f6cd
Opcode Fuzzy Hash: b2fb2929383aca06121982bca38cc0311fe22689f64a635b787a15c8c418f5c9
Instruction Fuzzy Hash: 95C14E75A00206EFDB14CF94C894BAEBBB5FF48714F108598E905DB291DB71DE41EB90

Function 00F13E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F13F0B
__alldvrm.LIBCMT ref: 00F1410C
__alldvrm.LIBCMT ref: 00F1412E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b0ed9943edc8aa314a771988dc160e6087b92ca1a4d4e249cfbb6af5fd802e1e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 93A14972D00386AFDB16CF19C8917EEBBE4EFA5360F14416DE5959B281C238A9C2E750

Function 00F6342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F63459
CoUninitialize.OLE32 ref: 00F63463
VariantInit.OLEAUT32(?), ref: 00F6346E
VariantClear.OLEAUT32(?), ref: 00F6371B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a2a69c3ccedce4941d35d8519581a8ad555ffe876e09f631d936abf783047f04
Instruction ID: 49941f56f682dcb7a5a2132ed792b557b12841c3a28c0c666c13aa20e61a1a8c
Opcode Fuzzy Hash: a2a69c3ccedce4941d35d8519581a8ad555ffe876e09f631d936abf783047f04
Instruction Fuzzy Hash: BDA15D756047049FC700DF25C885A2AB7E5FF88724F04885DF98AAB362DB31EE05DB91

Function 00F40436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F7FC08,?), ref: 00F405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F7FC08,?), ref: 00F40608
CLSIDFromProgID.OLE32(?,?,00000000,00F7CC40,000000FF,?,00000000,00000800,00000000,?,00F7FC08,?), ref: 00F4062D
_memcmp.LIBVCRUNTIME ref: 00F4064E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5de5d9221b5b912b2ddc2314ff59f32562d7c08ee3fca87a53bb231f49c68a03
Instruction ID: 59169184fb9a97c85247ddd8c8c32590d7a2c033a2dc6e8a1f316e2f5e368f02
Opcode Fuzzy Hash: 5de5d9221b5b912b2ddc2314ff59f32562d7c08ee3fca87a53bb231f49c68a03
Instruction Fuzzy Hash: 0C813D71A00109EFCB04DF94C984DEEBBB9FF89315F204558EA06AB250DB71AE06DF61

Function 00F6A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F6A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F6A6BA

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F6A79C
CloseHandle.KERNEL32(00000000), ref: 00F6A7AB

Part of subcall function 00EFCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F23303,?), ref: 00EFCE8A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3d4bccca41436e0dc5fde28d79a4de64a0f1e4806c9461fbf56816f449ad2e5a
Instruction ID: 60b09ff5dd6fd138aadb4201d41bea191fba85bc7417a5f0f42b89b04ff2f471
Opcode Fuzzy Hash: 3d4bccca41436e0dc5fde28d79a4de64a0f1e4806c9461fbf56816f449ad2e5a
Instruction Fuzzy Hash: B1516E71508344AFD710EF25C886E6BBBE8FF89754F40592DF589A7262EB30D904CB92

Function 00F21391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F214C0

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2f03d50770a38476190e5bc8fbbc9fcbec1ade0c9df8102214f7f58b2c7eb22e
Instruction ID: e06a414888a049fd80ba422bcf1b79c2317d8aa125a6ddf5f0a04a56dfe241ac
Opcode Fuzzy Hash: 2f03d50770a38476190e5bc8fbbc9fcbec1ade0c9df8102214f7f58b2c7eb22e
Instruction Fuzzy Hash: 31412B31900524ABDB31FBFCAC466AE3BA5FF62730F144225F41CD61D1E678488172A5

Function 00F76278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F762E2
ScreenToClient.USER32(?,?), ref: 00F76315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F76382

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5bdc684725e9d449422b0e621f1d22bbcabe1d28b2ef230b3dd1b6763980b9d0
Instruction ID: f5651c947a748c1f38338d87b8f58ecee9853eb697f9b4c5dc9c2dfcb879e252
Opcode Fuzzy Hash: 5bdc684725e9d449422b0e621f1d22bbcabe1d28b2ef230b3dd1b6763980b9d0
Instruction Fuzzy Hash: 66512C74A00649AFDF10DF64D8809AE7BB5FB45360F10826AF819D7290D730ED81EB91

Function 00F61AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F61AFD
WSAGetLastError.WSOCK32 ref: 00F61B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F61B8A
WSAGetLastError.WSOCK32 ref: 00F61B94

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 87475531191eb22f35b4e411c91d68b2302212945cee19cf778f8ced8cee05b7
Instruction ID: 89b1fc3f613d20f0a848c8c713f79ffdd90a4281e9b7bb54fffabdf96370df2a
Opcode Fuzzy Hash: 87475531191eb22f35b4e411c91d68b2302212945cee19cf778f8ced8cee05b7
Instruction Fuzzy Hash: 3D41A1346002046FE720AF24C886F2977E5AB84718F589458FA1AAF3D3D772DD42CB91

Function 00F1B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17b95292a506bea2248c66a08b8265942056b8afd608ddfb7de3c6bb692c510
Instruction ID: c680df90fc57ff208d4a3fa77c6b42dbcb163d24984d086d3d9c6a5d0da17ad6
Opcode Fuzzy Hash: d17b95292a506bea2248c66a08b8265942056b8afd608ddfb7de3c6bb692c510
Instruction Fuzzy Hash: AD410A71A00714EFD724DF78CC41BEA7BA9EB88720F10852EF141DB682D775A981A790

Function 00F556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F55783
GetLastError.KERNEL32(?,00000000), ref: 00F557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F557FA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5ab1bc16de9889b04fe3173a87339473a28716ae925955807a859b03ee5f85e8
Instruction ID: ce2955795c005c51df9930f285ae27d36d0145da3d536647fb472aa2f2b4f66b
Opcode Fuzzy Hash: 5ab1bc16de9889b04fe3173a87339473a28716ae925955807a859b03ee5f85e8
Instruction Fuzzy Hash: 0C414E35600A54DFCB11DF15D444A1EBBF2EF89721B188488ED4AAB362CB34FD49DB91

Function 00F1D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F06D71,00000000,00000000,00F082D9,?,00F082D9,?,00000001,00F06D71,8BE85006,00000001,00F082D9,00F082D9), ref: 00F1D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F1D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F1D9AB
__freea.LIBCMT ref: 00F1D9B4

Part of subcall function 00F13820: RtlAllocateHeap.NTDLL(00000000,?,00FB1444,?,00EFFDF5,?,?,00EEA976,00000010,00FB1440,00EE13FC,?,00EE13C6,?,00EE1129), ref: 00F13852

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b66bbcd49fb57702abce0bbd97c2578892c0cc20626fee89fd51248613133fe1
Instruction ID: 83da981520e52572abd76a30e344d1a5bd56778efb440ae3166b5ec2cf5eafba
Opcode Fuzzy Hash: b66bbcd49fb57702abce0bbd97c2578892c0cc20626fee89fd51248613133fe1
Instruction Fuzzy Hash: D231AD72A0020AABDB249F64DC45EEE7BB5EB40720B454168FC04D6290EB39DD90EBA0

Function 00F752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F75352
GetWindowLongW.USER32(?,000000F0), ref: 00F75375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F75382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F753A8

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7bbb2727e4eb00480b7c83402eee19e501e1be85ef7a396869571fafe3cb32b8
Instruction ID: 8f850cc3602c011cd62c6f6aca336e5544128d745e57fadc60af8fca3f83f201
Opcode Fuzzy Hash: 7bbb2727e4eb00480b7c83402eee19e501e1be85ef7a396869571fafe3cb32b8
Instruction Fuzzy Hash: 3231C531E55A0CAFEB609A54CC55BE83763AB04BA0F588107F618961F1C7F15D80BB83

Function 00F4AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F4ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F4AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F4AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F4ACC6

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b8ab233bf355086a584f5b4040d6b02364b7cf568353571b2e8394561cbdc2e3
Instruction ID: 1ccb339683a6c5e27d10c267780dc83ede61199e0ead32e786185d5f44319f44
Opcode Fuzzy Hash: b8ab233bf355086a584f5b4040d6b02364b7cf568353571b2e8394561cbdc2e3
Instruction Fuzzy Hash: E8312830E846186FEF35CB648C84BFA7FA5AB49320F04421AE985521D1C379C981A793

Function 00F77674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F7769A
GetWindowRect.USER32(?,?), ref: 00F77710
PtInRect.USER32(?,?,00F78B89), ref: 00F77720
MessageBeep.USER32(00000000), ref: 00F7778C

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c3dfd0572f589d7cfa8494245a295b4d8fa30777b376d61761aafa6369e31c3b
Instruction ID: 506aa3a597f9fea59e44a41379bb27287e72f7c26f0c695846cf35a01c8badb8
Opcode Fuzzy Hash: c3dfd0572f589d7cfa8494245a295b4d8fa30777b376d61761aafa6369e31c3b
Instruction Fuzzy Hash: BB41AF34A15358DFDB05EF58C894EA9BBF5FB48314F1481AAE4189B261C330A942EF91

Function 00F716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F716EB

Part of subcall function 00F43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F43A57
Part of subcall function 00F43A3D: GetCurrentThreadId.KERNEL32 ref: 00F43A5E
Part of subcall function 00F43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F425B3), ref: 00F43A65

GetCaretPos.USER32(?), ref: 00F716FF
ClientToScreen.USER32(00000000,?), ref: 00F7174C
GetForegroundWindow.USER32 ref: 00F71752

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 77f749e8c35c9d3315aa30c9adcc19fe07336420161fcf207766720bfec76705
Instruction ID: 2d30b7c04d7b9da8416491392314bc73ffceded2abff8c81160d9a7c9b4f2f7e
Opcode Fuzzy Hash: 77f749e8c35c9d3315aa30c9adcc19fe07336420161fcf207766720bfec76705
Instruction Fuzzy Hash: 26315275D00149AFC704DFAAC881CAEBBF9FF48304B54806AE455E7211E7359E46DBA1

Function 00F4DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00EE7620: _wcslen.LIBCMT ref: 00EE7625

_wcslen.LIBCMT ref: 00F4DFCB
_wcslen.LIBCMT ref: 00F4DFE2
_wcslen.LIBCMT ref: 00F4E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00F4E018

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: fd330cc56778615f814b762724c11fd39068e61ba8d677dfaba497c73d79719b
Instruction ID: 26b4893a9cea62f16bbd359554547b3112aa2e59a6c55368ea9705f9588dc8a2
Opcode Fuzzy Hash: fd330cc56778615f814b762724c11fd39068e61ba8d677dfaba497c73d79719b
Instruction Fuzzy Hash: 4021B571D00214AFCB20EFA8DD81BAEBBF8EF45760F144065ED05BB285D6749E40EBA1

Function 00F78FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

GetCursorPos.USER32(?), ref: 00F79001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F37711,?,?,?,?,?), ref: 00F79016
GetCursorPos.USER32(?), ref: 00F7905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F37711,?,?,?), ref: 00F79094

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bd735cc7cfc8145b6b36f6b79c66e27678c12057effbdde57d960cda8265e22e
Instruction ID: e4874db58e8d34ad0cbf6397734ce3aaa300d36f9d7b3a06d5436f7385805754
Opcode Fuzzy Hash: bd735cc7cfc8145b6b36f6b79c66e27678c12057effbdde57d960cda8265e22e
Instruction Fuzzy Hash: 59219135610018EFDB258FA4CC98EFA7BF9FB89360F04815AF90957161C37199A0FBA1

Function 00F4D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F7CB68), ref: 00F4D2FB
GetLastError.KERNEL32 ref: 00F4D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F4D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F7CB68), ref: 00F4D376

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a3ed5b3fa1ffe82c4b247ca4d38a46ece41fa8919c68d97fad240178e20150e9
Instruction ID: c8648c7aad9c0a7fc1a397635be2d88ec127a4c28695b7732f3831741a7c2d42
Opcode Fuzzy Hash: a3ed5b3fa1ffe82c4b247ca4d38a46ece41fa8919c68d97fad240178e20150e9
Instruction Fuzzy Hash: 2221B2709083059F8710DF28C88186E7BE4EF56368F504A5DF899D32A2E731DD45DB93

Function 00F41571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F41014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F4102A
Part of subcall function 00F41014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F41036
Part of subcall function 00F41014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F41045
Part of subcall function 00F41014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F4104C
Part of subcall function 00F41014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F41062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F415BE
_memcmp.LIBVCRUNTIME ref: 00F415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F41617
HeapFree.KERNEL32(00000000), ref: 00F4161E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 0a8a3c91f8a80a0e7fff8d029f4304ed1a2309977d92f98f7f7c67d79db5fd3d
Instruction ID: d34a66215385d798a3fb005c6acc5faa2af1fdf3f308198ca7d9c7e4e9710dad
Opcode Fuzzy Hash: 0a8a3c91f8a80a0e7fff8d029f4304ed1a2309977d92f98f7f7c67d79db5fd3d
Instruction Fuzzy Hash: 62219D31E00108EFDF10DFA4C945BEEBBB8FF44354F094459E845AB241E774AA85EBA0

Function 00F72782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F7280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F72824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F72832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F72840

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c438bfd183fa5106319a66fcfe482b5e3332e51ff2ca8798db37a70cc455e0d3
Instruction ID: 68947ea88caad38ff25b159b0223d94d650d9e2820f0256d27a2f52458a9e659
Opcode Fuzzy Hash: c438bfd183fa5106319a66fcfe482b5e3332e51ff2ca8798db37a70cc455e0d3
Instruction Fuzzy Hash: 30210331604114AFD7149B24CC44FAA7B99EF45324F18815EF42A8B2E2CB76FC82DBD2

Function 00F478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F4790A,?,000000FF,?,00F48754,00000000,?,0000001C,?,?), ref: 00F48D8C
Part of subcall function 00F48D7D: lstrcpyW.KERNEL32(00000000,?,?,00F4790A,?,000000FF,?,00F48754,00000000,?,0000001C,?,?,00000000), ref: 00F48DB2
Part of subcall function 00F48D7D: lstrcmpiW.KERNEL32(00000000,?,00F4790A,?,000000FF,?,00F48754,00000000,?,0000001C,?,?), ref: 00F48DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F48754,00000000,?,0000001C,?,?,00000000), ref: 00F47923
lstrcpyW.KERNEL32(00000000,?,?,00F48754,00000000,?,0000001C,?,?,00000000), ref: 00F47949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F48754,00000000,?,0000001C,?,?,00000000), ref: 00F47984

Strings

cdecl, xrefs: 00F4797B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 63d142073ce404c8353ef4d66aa8a5a07bd5d3a569b3d938d4753a0ec567e075
Instruction ID: f48b527c95f1daaf45623b939948a0e404b1a77fda8653ff0e88a81a59b1dfe7
Opcode Fuzzy Hash: 63d142073ce404c8353ef4d66aa8a5a07bd5d3a569b3d938d4753a0ec567e075
Instruction Fuzzy Hash: BA11063A200345ABCB156F34CC44D7A7BA5FF853A0B40402AFD06C72A4EB319801E791

Function 00F77CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F77D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F77D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F77D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F5B7AD,00000000), ref: 00F77D6B

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a7ad68c8c8c10aa91d6e97693b0b1303bd1cf9ef5ea0746baa473df586558708
Instruction ID: e0f17e547bdcfa7e923e4b99ce77e66a3b855cd6d633d12f7c91bf0082617165
Opcode Fuzzy Hash: a7ad68c8c8c10aa91d6e97693b0b1303bd1cf9ef5ea0746baa473df586558708
Instruction Fuzzy Hash: F211D232514718AFCB20AF68CC44AA63BA5BF49370B158729F83DD72F0D7318960EB81

Function 00F75660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F756BB
_wcslen.LIBCMT ref: 00F756CD
_wcslen.LIBCMT ref: 00F756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F75816

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 1b8e5c5136325d86b34c736db9cd6fec2e36099b911d965a2f1262a7296d5f34
Instruction ID: 2961b89287f3513dbea369b4c00efb3988d02547d88d230ddb29e897c272b4c7
Opcode Fuzzy Hash: 1b8e5c5136325d86b34c736db9cd6fec2e36099b911d965a2f1262a7296d5f34
Instruction Fuzzy Hash: 9A11A271A0060896DB20DF618C85AEE776CAB10B60B50802BFA1DD6081E7B4D980EB62

Function 00F11D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ea1f4dd3298655bacaa3ffeba0a92eab851fad8e8f0ee4e89eeded83098515
Instruction ID: aa427f1126e2877c2b3a4dbbd5d1cdadce684d388d2199fd98be8d9603a2a7a2
Opcode Fuzzy Hash: 53ea1f4dd3298655bacaa3ffeba0a92eab851fad8e8f0ee4e89eeded83098515
Instruction Fuzzy Hash: 810162B260961A7EF61116B87CC1FA7762DEF413B8B340329F621652D2DB649C947160

Function 00EF990E Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00EF98D6
SetBkMode.GDI32(?,00000001), ref: 00EF98E9
GetStockObject.GDI32(00000005), ref: 00EF98F1
GetWindowLongW.USER32(?,000000EB), ref: 00EF9952

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 0d0da3f34ec6a86885d6affbaafe16da61d9628d890051537b00e10688fb51e0
Instruction ID: 000c50fae52753315bef7414a61454ab985257bbc309ada6aa65b63851ad5b9a
Opcode Fuzzy Hash: 0d0da3f34ec6a86885d6affbaafe16da61d9628d890051537b00e10688fb51e0
Instruction Fuzzy Hash: 7E113A325452489FC7168F20EC54FF63B60EB92325745015EE682AB173C6A54880DB92

Function 00F41A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F41A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F41A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F41A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F41A8A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e1037d0bcdcefbdc45b2b2e3df772239cd3483c5c5c93273883d68daca516a81
Instruction ID: 6a09f8f720402c87b3d05de4f118a22e8deda021ce850771ca7028dc5a13bce0
Opcode Fuzzy Hash: e1037d0bcdcefbdc45b2b2e3df772239cd3483c5c5c93273883d68daca516a81
Instruction Fuzzy Hash: 92113C3AD01219FFEB10DBA4CD85FADBB78FB04750F200495EA04B7290D6716E50EB94

Function 00F4E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F4E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F4E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F4E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F4E24D

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3ed0838970603b0e86b6f81f3c630f65ef245fe992b38aae72ab1d830e510603
Instruction ID: 869f4fbde8797f364634a9f1686a92c6ea06a360e4ed7240e4fcc7eed826d35b
Opcode Fuzzy Hash: 3ed0838970603b0e86b6f81f3c630f65ef245fe992b38aae72ab1d830e510603
Instruction Fuzzy Hash: 5C110872D0421CBBD7019FA8DC45A9F7FEDBB45320F444329F815E3290D6B0CA00ABA1

Function 00F0D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F0CFF9,00000000,00000004,00000000), ref: 00F0D218
GetLastError.KERNEL32 ref: 00F0D224
__dosmaperr.LIBCMT ref: 00F0D22B
ResumeThread.KERNEL32(00000000), ref: 00F0D249

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 71ed9afb3b5c4d44ce025523194a2b2ff6e203b176b369367af894cdc6c233e3
Instruction ID: 89e158bbd141d30e0f4bba80fece47c736522ee20d9a1984bd19a75a014f5b88
Opcode Fuzzy Hash: 71ed9afb3b5c4d44ce025523194a2b2ff6e203b176b369367af894cdc6c233e3
Instruction Fuzzy Hash: AD01D236805208BBDB216BE5DC09BAE7B69DF81731F100219F929961D0CF70C941F7A1

Function 00F79EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00EF9BB2

GetClientRect.USER32(?,?), ref: 00F79F31
GetCursorPos.USER32(?), ref: 00F79F3B
ScreenToClient.USER32(?,?), ref: 00F79F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F79F7A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e5af9cf1873902477ac078225f13b93baa13073dca3b22a3efb90bdcfe4d3261
Instruction ID: dfbbf8e0f75334b010e7115fbe1d7025cf6f6f48b4ed8af72304eff49530b851
Opcode Fuzzy Hash: e5af9cf1873902477ac078225f13b93baa13073dca3b22a3efb90bdcfe4d3261
Instruction Fuzzy Hash: 4911973290021AABDB10EFA8DC89DEE77BDFB05311F008456F915E3140C370BA81EBA2

Function 00EE600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EE604C
GetStockObject.GDI32(00000011), ref: 00EE6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE606A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f3ac6f848783f035ce72de40aa21fbf6ee5ee1735782a22944f243a5a0cc8ff4
Instruction ID: b8257187b59df7ffe19fdba2550e1ce055203daabfdc45453ab4586f10150036
Opcode Fuzzy Hash: f3ac6f848783f035ce72de40aa21fbf6ee5ee1735782a22944f243a5a0cc8ff4
Instruction Fuzzy Hash: 3E11C47210155CBFEF225F95DC44EEA7B69FF183A4F001215FA0466110C772ECA0EB91

Function 00F03B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F03B56

Part of subcall function 00F03AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F03AD2
Part of subcall function 00F03AA3: ___AdjustPointer.LIBCMT ref: 00F03AED

_UnwindNestedFrames.LIBCMT ref: 00F03B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F03B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F03BA4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 131178063c68853ad261d34f0a71fc684d8381d048299576a4b6315b3ddc6390
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 27012972500148BBDF126E95CC42EEB7B6DEF88768F044414FE4896161C73AE961FBA0

Function 00F13073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00EE13C6,00000000,00000000,?,00F1301A,00EE13C6,00000000,00000000,00000000,?,00F1328B,00000006,FlsSetValue), ref: 00F130A5
GetLastError.KERNEL32(?,00F1301A,00EE13C6,00000000,00000000,00000000,?,00F1328B,00000006,FlsSetValue,00F82290,FlsSetValue,00000000,00000364,?,00F12E46), ref: 00F130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F1301A,00EE13C6,00000000,00000000,00000000,?,00F1328B,00000006,FlsSetValue,00F82290,FlsSetValue,00000000), ref: 00F130BF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 260a0b6ff68021b319dd74eba7f122cfe6cd780fc6907a2ba379602e9c0b34f5
Instruction ID: d94b5bd399d6ff86c1afcfca592391961143d7e9197cd5598ae58797a9cf99a2
Opcode Fuzzy Hash: 260a0b6ff68021b319dd74eba7f122cfe6cd780fc6907a2ba379602e9c0b34f5
Instruction Fuzzy Hash: 6F01A732701626ABDB314B799C44AE77BD8AF4DB75B110724F909E7140DB21DA81E7E0

Function 00F47464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F4747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F47497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F474CA

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d47fb66697215455b198cd8c50eec9174a1824ba05c4d4af813a358e87e31336
Instruction ID: 8571a9664c50eeed3bb8af5eab9bfd197ef03810d0bd8c7226e4ad60cbd4ed85
Opcode Fuzzy Hash: d47fb66697215455b198cd8c50eec9174a1824ba05c4d4af813a358e87e31336
Instruction Fuzzy Hash: E11161B5205315DBE720DF54DC09FA27FFCEB00B04F10856DAA5AD61A1E7B0E944EBA1

Function 00F4B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F4ACD3,?,00008000), ref: 00F4B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F4ACD3,?,00008000), ref: 00F4B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F4ACD3,?,00008000), ref: 00F4B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F4ACD3,?,00008000), ref: 00F4B126

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c84a3cc5b27136fa138e9f3295db4f4edffd404b429e94a782ce33987b12be75
Instruction ID: 4b4869d422ef3abff9c61f32f69e2eea9100daf61f0d82fa96570dce0efffe19
Opcode Fuzzy Hash: c84a3cc5b27136fa138e9f3295db4f4edffd404b429e94a782ce33987b12be75
Instruction Fuzzy Hash: 80115B31C0152CE7CF04AFE9E9586EEBF78FF49721F104099D941B2282CB749650EB92

Function 00F77E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F77E33
ScreenToClient.USER32(?,?), ref: 00F77E4B
ScreenToClient.USER32(?,?), ref: 00F77E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F77E8A

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bf2c477449ddf1511cd2fbd57fd38b7957e0fb26a28a51b043de1ffab7778b3f
Instruction ID: 4b551989025e412bb9c28cca0824fd6551b7e08642334cabd8ec5c13caca3618
Opcode Fuzzy Hash: bf2c477449ddf1511cd2fbd57fd38b7957e0fb26a28a51b043de1ffab7778b3f
Instruction Fuzzy Hash: FF1143B9D0020AAFDB41DF98D8849EEBBF5FB08310F509056E915E3210D735AA95DF91

Function 00F42DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F42DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F42DD6
GetCurrentThreadId.KERNEL32 ref: 00F42DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F42DE4

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 874a3cefb4f5d49861cfe8ae1dea1b4300c5a37eeeac6f70f7cecc02b1dd27c2
Instruction ID: 45fe7963a2eb971f625cb8f76ffa609d1b25c679cbfc0012ab443970c9c9c71a
Opcode Fuzzy Hash: 874a3cefb4f5d49861cfe8ae1dea1b4300c5a37eeeac6f70f7cecc02b1dd27c2
Instruction Fuzzy Hash: 1EE012729016287BD7201B739C4DFEB7E6CEF56BB1F800129F50DD10909AA5C981E6F1

Function 00F78863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00EF9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF9693
Part of subcall function 00EF9639: SelectObject.GDI32(?,00000000), ref: 00EF96A2
Part of subcall function 00EF9639: BeginPath.GDI32(?), ref: 00EF96B9
Part of subcall function 00EF9639: SelectObject.GDI32(?,00000000), ref: 00EF96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F78887
LineTo.GDI32(?,?,?), ref: 00F78894
EndPath.GDI32(?), ref: 00F788A4
StrokePath.GDI32(?), ref: 00F788B2

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1840c240ae138210d1193e724e61278e871a28db94d3d12fc0d12d8bf607d80b
Instruction ID: 069e64bcd959570ad248d45ab93766a5ae6418775fef62e7d94fe5c3dbeb019a
Opcode Fuzzy Hash: 1840c240ae138210d1193e724e61278e871a28db94d3d12fc0d12d8bf607d80b
Instruction Fuzzy Hash: A8F03A3604125CBADB126F94AC0DFCA3E59AF06310F448105FB15A50E2C7B55551EFE6

Function 00EF98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00EF98CC
SetTextColor.GDI32(?,?), ref: 00EF98D6
SetBkMode.GDI32(?,00000001), ref: 00EF98E9
GetStockObject.GDI32(00000005), ref: 00EF98F1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 5c362771f7c89f078192780dc3add196625a8697157a9336b3aa98710417d224
Instruction ID: 68345417b536c965faeab14a7a3edd93ed3b5adcbabca0122a85fe9ede5f676f
Opcode Fuzzy Hash: 5c362771f7c89f078192780dc3add196625a8697157a9336b3aa98710417d224
Instruction Fuzzy Hash: 85E06531644288ABDB215B74FC09BE83F10AB51735F14822DF6F9540E1C3B14680AB11

Function 00F4162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F41634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F411D9), ref: 00F4163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F411D9), ref: 00F41648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F411D9), ref: 00F4164F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0c584daf6a1af8bc8fb51432592799b5157e50837b73307266ab86ffa171a208
Instruction ID: 0bb82c0191b62f8cd4036213fcf226d16e9bd66fd6e1570b2755bc3fcde5d39d
Opcode Fuzzy Hash: 0c584daf6a1af8bc8fb51432592799b5157e50837b73307266ab86ffa171a208
Instruction Fuzzy Hash: D3E08631A01215DBE7201FA0AD0DB463F7CBF447A1F15480CF649D9090D63484C0E7E5

Function 00F3D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F3D858
GetDC.USER32(00000000), ref: 00F3D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F3D882
ReleaseDC.USER32(?), ref: 00F3D8A3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5f752aea034368405301e606bec18ae6fb4800b2ba262a0090ede0670a6699b0
Instruction ID: e4978a8c62afef67aa169bf46983f8472bb3d8e6bd03db5111133a4ce52a8414
Opcode Fuzzy Hash: 5f752aea034368405301e606bec18ae6fb4800b2ba262a0090ede0670a6699b0
Instruction Fuzzy Hash: A2E01AB1800208DFCB41AFA0DC4866DBBF2FB08310F24901DE80EE7250CB385981BF81

Function 00F3D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F3D86C
GetDC.USER32(00000000), ref: 00F3D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F3D882
ReleaseDC.USER32(?), ref: 00F3D8A3

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ff7f7b5f0e30b9d6de7d7d4428f788bea7d136cebe619728192e6e2cb0236c53
Instruction ID: 4b1d4d2d2a9212c4b974f9dc1205b9ebfc0d3a38516bf8a093f22fe034084cad
Opcode Fuzzy Hash: ff7f7b5f0e30b9d6de7d7d4428f788bea7d136cebe619728192e6e2cb0236c53
Instruction Fuzzy Hash: CAE01A70800208DFCB41AFA0DC4866DBBF2BB08310B14900CE90EE7250CB385941AF81

Function 00F54D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7620: _wcslen.LIBCMT ref: 00EE7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F54ED4

Strings

*, xrefs: 00F54E10
LPT, xrefs: 00F54DFB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 58222081f7474ee3af860499bd4790de0c96127f1cbde92997e536b88d6bb79f
Instruction ID: 234c38dd4d9eff2a136a37d2776f461e5d872c3a6ed4d7012f6bddb793814d35
Opcode Fuzzy Hash: 58222081f7474ee3af860499bd4790de0c96127f1cbde92997e536b88d6bb79f
Instruction Fuzzy Hash: 48917175A002449FCB14DF58C484EAABBF1BF44318F198099E94A9F3A2D731FD89DB91

Function 00EFE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00EFE1B1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b66f16ba9f266b47a1bf3ce555f92d43564ad1fda8c633ef522b19b90ba3b26b
Instruction ID: 623e9cc125a39bfd92c6d43296274bc0c80bbd9c36cc99bc8a7c64d62519392a
Opcode Fuzzy Hash: b66f16ba9f266b47a1bf3ce555f92d43564ad1fda8c633ef522b19b90ba3b26b
Instruction Fuzzy Hash: 9B51267590024ADFEB15DF68C4816FE7BA4EF55330F244055ED61AB2E0E734AE82EB90

Function 00EFF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EFF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EFF2BB

Strings

@, xrefs: 00EFF2AF

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5c06579a128c649818cd7c49977c831ffabeed56d7896d8503e95e9f917cebb9
Instruction ID: 036b5482a00012eed2d56944f09d3837f05bee8d28a7945669c03482ff6872b6
Opcode Fuzzy Hash: 5c06579a128c649818cd7c49977c831ffabeed56d7896d8503e95e9f917cebb9
Instruction Fuzzy Hash: 7B5157715087899BD320AF11EC86BABBBF8FF84300F81885DF1D9511A5EB718529CB67

Function 00F65745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F657E0
_wcslen.LIBCMT ref: 00F657EC

Strings

CALLARGARRAY, xrefs: 00F657E6, 00F657EB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: bb15ee2fec63ecccad11e6dd64e886e282110962163f534ebde2cab923896aaf
Instruction ID: a2fd112d8523c8386a4dc77d6f0d06c215530c59609cecc1ed840b3373b57696
Opcode Fuzzy Hash: bb15ee2fec63ecccad11e6dd64e886e282110962163f534ebde2cab923896aaf
Instruction Fuzzy Hash: D7418C71E002099FCB14EFB9C8819BEBBF5EF59720F145069E505B72A2E7349D81DB90

Function 00F5D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F5D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F5D13A

Strings

|, xrefs: 00F5D10B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6783dff76eb7fe9dfa634fd6147b10bf7d6983482c4e81b494f67ef82b0f84eb
Instruction ID: 8606610a7e2813ef7cb675719fc51c253aedf1b48d40828909ea2379e26c96ea
Opcode Fuzzy Hash: 6783dff76eb7fe9dfa634fd6147b10bf7d6983482c4e81b494f67ef82b0f84eb
Instruction Fuzzy Hash: 0C315E71D01209ABDF15EFA5CC85AEE7FB9FF14350F000059F919B61A2EB31AA46DB60

Function 00F7356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F73621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F7365C

Strings

static, xrefs: 00F735BC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 15c8a599d0e43ec577f7797a1f178a791e00f98ed7018702ebc61d84a607201c
Instruction ID: 505976178190053f0d4ffc61a52a84aa60ebea0837908d1ed23bb425aa6ec98c
Opcode Fuzzy Hash: 15c8a599d0e43ec577f7797a1f178a791e00f98ed7018702ebc61d84a607201c
Instruction Fuzzy Hash: F1318171500204AADB109F28DC80EFB73A9FF48760F10D61EF96997180DA31ED81E761

Function 00F74537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F7461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F74634

Strings

', xrefs: 00F7458E

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f4f635a53596ea0af9aac6eec47831312ddad6122c50170fa29419db4e9e9fcb
Instruction ID: 43f13933dfc7e9302855a9be9ec0863d69f407dfcac8e158b2f6b774bfadd6ab
Opcode Fuzzy Hash: f4f635a53596ea0af9aac6eec47831312ddad6122c50170fa29419db4e9e9fcb
Instruction Fuzzy Hash: 97313875A002099FDB14CFA9C990BDABBB5FF09300F14806AE908AB391D770E941DF91

Function 00F731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F7327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F73287

Strings

Combobox, xrefs: 00F73249

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e6ec43b91d940842f6ecfe5462ea6a37e943d90fc9ce0741b4f3aca64cd8cb87
Instruction ID: 3f0c1760f6303ac4fa36509602ab5cce4dca29a1425cfdbb45d9eb36b442d9cf
Opcode Fuzzy Hash: e6ec43b91d940842f6ecfe5462ea6a37e943d90fc9ce0741b4f3aca64cd8cb87
Instruction Fuzzy Hash: FE1190717002087FEF219E54DC84EAB376AEB983A4F10812AF91CA7291D6719D51F761

Function 00F73710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EE600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EE604C
Part of subcall function 00EE600E: GetStockObject.GDI32(00000011), ref: 00EE6060
Part of subcall function 00EE600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE606A

GetWindowRect.USER32(00000000,?), ref: 00F7377A
GetSysColor.USER32(00000012), ref: 00F73794

Strings

static, xrefs: 00F73757

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9192ce6e7a4f52761dde7c1c931851bc070e99aa2b96c06104165086b1377f44
Instruction ID: 3e0fd3092c5b46807dcdf3fb6af29448e97c85eb094d78d62ecf2ac0fd5cc44a
Opcode Fuzzy Hash: 9192ce6e7a4f52761dde7c1c931851bc070e99aa2b96c06104165086b1377f44
Instruction Fuzzy Hash: 8D1129B2610209AFDF10DFA8CC45EEA7BB8FB08354F004919F959E2250D775E851AB52

Function 00F5CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F5CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F5CDA6

Strings

<local>, xrefs: 00F5CD66

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a66ba467c037c86acb7c8ed0519ef334b1ec34ac74aa0cd78189dbb221ac2ab4
Instruction ID: e38f745957d275bf0cb3174fe8b6d20ecafe09a901da5d322b0eb3f7aceb53a5
Opcode Fuzzy Hash: a66ba467c037c86acb7c8ed0519ef334b1ec34ac74aa0cd78189dbb221ac2ab4
Instruction Fuzzy Hash: 7E11A7765057357DD7284A668C45FE7BEB8EB127B5F004229BA1AC3180D6609845E6F0

Function 00F73429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F734BA

Strings

edit, xrefs: 00F7348F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6088d3d5cfc2b842c80bfbe1ebacd79ecb25723ac397b29aef5de34cb3e7f3ab
Instruction ID: 31e7626eff1fea3f3d6a4cf502b95bbcca18b6c6a758d2a72283a473e4ec8e7b
Opcode Fuzzy Hash: 6088d3d5cfc2b842c80bfbe1ebacd79ecb25723ac397b29aef5de34cb3e7f3ab
Instruction Fuzzy Hash: 4F11BF71500108BBEB258E64DC84AEB376AEB14374F508329FA68931D4C771DC91BB52

Function 00F46C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F46CB6
_wcslen.LIBCMT ref: 00F46CC2

Strings

STOP, xrefs: 00F46CBC, 00F46CC1

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 87ccfde4e340bdc9665d00a324e23663315b9565c9974032df7149a2e58b07dd
Instruction ID: 795658425c243271b878bdcc491ee8ba6cff62740adc485dd771588b9fdc163a
Opcode Fuzzy Hash: 87ccfde4e340bdc9665d00a324e23663315b9565c9974032df7149a2e58b07dd
Instruction Fuzzy Hash: 8101C432E0052A8ACB20AFBDDC809BF7BF5EF627247500538ED52E6191FA31DD40E651

Function 00F41CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F41D4C

Strings

ListBox, xrefs: 00F41D16
ComboBox, xrefs: 00F41CEB

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 283f2b3d7d73f9adb9274e6d0a1ffe95018bf7100629d3b4e2ecfcdd35fcb82b
Instruction ID: 9895b7b2e14906b6e666335532cd24563688dba2345e68992d718de234b465bb
Opcode Fuzzy Hash: 283f2b3d7d73f9adb9274e6d0a1ffe95018bf7100629d3b4e2ecfcdd35fcb82b
Instruction Fuzzy Hash: 3E01DDB1E411186B8B18FFA4CC51DFE77F4FB46350B140519FC22673D2EA345948A661

Function 00F41BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F41C46

Strings

ListBox, xrefs: 00F41C10
ComboBox, xrefs: 00F41BE5

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3f1cb152ea43a94163f6d1da1aecc77e6ec53ffb7b9eb0d22a04a2cb64dde804
Instruction ID: b2da4b3635a95603d7a36fa668936f412eaf192cee47157bd529f26a9e340452
Opcode Fuzzy Hash: 3f1cb152ea43a94163f6d1da1aecc77e6ec53ffb7b9eb0d22a04a2cb64dde804
Instruction Fuzzy Hash: 1801AC75A8111866DB14F790CD91EFF7BE8AB51340F140019AD0677182FA249E48A6B1

Function 00F41C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F41CC8

Strings

ListBox, xrefs: 00F41C94
ComboBox, xrefs: 00F41C69

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cc58566fcbc2a93fee0fc2629252b37f07497d2dc797c67f7f893a21ad6ca3c5
Instruction ID: 2becc4ebfcc94f3576cd2050c846d4ece228430fba56119bb74911cb0b1021ba
Opcode Fuzzy Hash: cc58566fcbc2a93fee0fc2629252b37f07497d2dc797c67f7f893a21ad6ca3c5
Instruction Fuzzy Hash: 1B01DBB1B8011C67CB14F791CE81AFE7BE8AB11340F640015BD0573282FA249F48E672

Function 00F41D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9CB3: _wcslen.LIBCMT ref: 00EE9CBD

Part of subcall function 00F43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F43CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F41DD3

Strings

ListBox, xrefs: 00F41DA0
ComboBox, xrefs: 00F41D75

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1d6f52260a1f6244515f62a4905239d80d64aa4fefe96f7e81dc06e3f2b717f7
Instruction ID: cbc17a0af8f5a4d65c374abbbc3428ca693b475aefe1650a3dbbe9a3207acc91
Opcode Fuzzy Hash: 1d6f52260a1f6244515f62a4905239d80d64aa4fefe96f7e81dc06e3f2b717f7
Instruction Fuzzy Hash: F7F0A9B1F4121C66D714F7A5CC91BFE7BF8BB02750F540919BC22732C2EA6459489265

Function 00F6747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F67493
_wcslen.LIBCMT ref: 00F674B9

Strings

3, 3, 16, 1, xrefs: 00F67483

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: e1667101ade75ec32bdb9bd880a371a7ab72cfc0c9374a95e1f7fd4b8071eaa2
Instruction ID: 9c588c4ee7ebbb45df15a79589d393235512e0c136149d16d819e78cb1954d3a
Opcode Fuzzy Hash: e1667101ade75ec32bdb9bd880a371a7ab72cfc0c9374a95e1f7fd4b8071eaa2
Instruction Fuzzy Hash: 51E02B4260532050D23132799CC5A7F6689CFC6B60710183BFE81C22A6EE98DD91B3A1

Function 00F40B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F40B23

Strings

Error allocating memory., xrefs: 00F40B1C
AutoIt, xrefs: 00F40B17

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2f787a4f7c5cbe6a5c1d973b2ec39bac4e5f05437ca4a6c37e538269fa6cd28e
Instruction ID: 30f7b7dfb6d5554d1457074e7faea19d657bb9e3b7f9f4446638d5debedff79b
Opcode Fuzzy Hash: 2f787a4f7c5cbe6a5c1d973b2ec39bac4e5f05437ca4a6c37e538269fa6cd28e
Instruction Fuzzy Hash: C7E04F3228435C6AE2143795BC43F997AC48F09F65F10446FFB9CA95C38EE2649066EB

Function 00F00D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EFF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F00D71,?,?,?,00EE100A), ref: 00EFF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00EE100A), ref: 00F00D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EE100A), ref: 00F00D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F00D7F

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 9b84578a121a7d8b2c1000e0ad780346f67a4c01403c82e8ad48405279d1a9e3
Instruction ID: 9017d446a7fd46534bcd7b9122f4bc3d3837de0f279b9e92bf6ad76ad09c837c
Opcode Fuzzy Hash: 9b84578a121a7d8b2c1000e0ad780346f67a4c01403c82e8ad48405279d1a9e3
Instruction Fuzzy Hash: 17E065702007414BD3209FB8E8047427BE0AF00740F00892EE485C6692DFB4E584EBA2

Function 00F53017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F5302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F53044

Strings

aut, xrefs: 00F53038

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b0f55bd147d9a09b05b99c4d3707066aecbdad855d39027445a70b77546b7395
Instruction ID: 040bb7b60b075bc168c860f24adf0083431eedcb02d3cb6d21a018957009c4ea
Opcode Fuzzy Hash: b0f55bd147d9a09b05b99c4d3707066aecbdad855d39027445a70b77546b7395
Instruction Fuzzy Hash: DFD05EB250032867DB20A7A4AC0EFCB3A6CDB05750F0002A1B659E2092DAB4EA84CBD1

Function 00F3D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F3D220

Strings

X64, xrefs: 00F3D2A8
%.3d, xrefs: 00F3D22B

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 96be92457172ae5f0ea54766e8286b1db4e4bc9a4402ac441d7a8c848508fda0
Instruction ID: 53a31cf40845e519e96854efdc45b25926d610aacf9ec9ceb750e2b93753e4c0
Opcode Fuzzy Hash: 96be92457172ae5f0ea54766e8286b1db4e4bc9a4402ac441d7a8c848508fda0
Instruction Fuzzy Hash: 61D012A280820CE9CB9096D0EC45ABBB3BCEB09311F608452F906E1041D634C548B762

Function 00F72356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F7236C
PostMessageW.USER32(00000000), ref: 00F72373

Part of subcall function 00F4E97B: Sleep.KERNEL32 ref: 00F4E9F3

Strings

Shell_TrayWnd, xrefs: 00F72365

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 259fbd0e6863b644c65f99c6e2e5a1568c3831e7c4b647fe2a8900b065f5f624
Instruction ID: af692eba7b86cdf3a492786c4d56398aa9d241bbe451628700a0f496fc674ccb
Opcode Fuzzy Hash: 259fbd0e6863b644c65f99c6e2e5a1568c3831e7c4b647fe2a8900b065f5f624
Instruction Fuzzy Hash: C4D012723D1314BBE664B770DC4FFC67A14AB05B10F04491AB749EA1D0C9F4B841DA95

Function 00F72322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F7232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F7233F

Part of subcall function 00F4E97B: Sleep.KERNEL32 ref: 00F4E9F3

Strings

Shell_TrayWnd, xrefs: 00F72325

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8fa39eef242c4edcee883e1954e495ec5b6c8d0f5d86f1b18200c332ed0d0b9d
Instruction ID: cd7b9e6814c0c8ea1b3d5666779c3445612f1b0db4dfc58807e19a21d25384f6
Opcode Fuzzy Hash: 8fa39eef242c4edcee883e1954e495ec5b6c8d0f5d86f1b18200c332ed0d0b9d
Instruction Fuzzy Hash: 45D01276394314B7E664B770DC4FFC67A14AB00B10F04491AB74DEA1D0C9F4A841DA95

Function 00F1BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F1BE93
GetLastError.KERNEL32 ref: 00F1BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F1BEFC

Memory Dump Source

Source File: 00000000.00000002.2182563626.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2182485734.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000F7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185042515.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185252358.0000000000FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185311038.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 05cb01deec1166afc3384e081c86e588d84a7b5e5fdaa9f0cdc7d1ba8678083e
Instruction ID: 486521dcd9367b9cf75943242c20e257bc44d385e62ad061e57100d3b94f7944
Opcode Fuzzy Hash: 05cb01deec1166afc3384e081c86e588d84a7b5e5fdaa9f0cdc7d1ba8678083e
Instruction Fuzzy Hash: 9241B335A04206EFCF218FA5CC44AEA7BA5AF41320F244169F9599B1E1DB308D82FF61

Analysis Process: firefox.exePID: 7192, Parent PID: 5688COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002CCE5AE8AF7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002CCE5AE8B1C

Memory Dump Source

Source File: 00000012.00000002.3379781502.000002CCE5AE4000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002CCE5AE4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2cce5ae4000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 1ab75a6687c0ad9117a3309248ab996ef3d9ce9dd023255fd58cd118b51f451d
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 5DA3D331714A598BEB2DDF28DC997B977E5FB95300F14422ED94BC3251DE30EA828B81

Function 000002CCE5AE15B9 Relevance: 1.2, Instructions: 1209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.3379781502.000002CCE5AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002CCE5AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2cce5ae1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b91eec399016f33d9ca957beb5a558ed1df22fffe4aed72b96062268001ef7
Instruction ID: 03bed93ec1966bd83fc207663c3c67bcd6f0fe868887f6054a5de15cc5448896
Opcode Fuzzy Hash: 04b91eec399016f33d9ca957beb5a558ed1df22fffe4aed72b96062268001ef7
Instruction Fuzzy Hash: 82529531319E184FEB5AEB18DC99FF933E1E7A9311B14412BD44BC3296DE34E9868781

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 13.32.99.49 13.32.99.49

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2308162199.000001E123A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2359343724.000001E124D65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317705157.000001E124D5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2306543921.000001E124D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2280175427.000001E123AEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2359343724.000001E124D65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280175427.000001E123A94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307902381.000001E123A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2306543921.000001E124D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2314288958.000001E11E985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2314288958.000001E11E985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2191346881.000001E11BE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2280175427.000001E123AEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187748142.000001E11ED7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2322857192.000001E11E6A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314800697.000001E11E699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE5403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2322857192.000001E11E6A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314800697.000001E11E699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE5403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2322857192.000001E11E6A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314800697.000001E11E699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3374729019.000002CCE5403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2306543921.000001E124D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2317480249.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2359343724.000001E124D65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2306543921.000001E124D89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124D7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324955838.000001E11D7D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2317480249.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300148521.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306543921.000001E124DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2307902381.000001E123AB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280175427.000001E123AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: mitmdetection.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.6:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57873 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 57873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 57872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57815
Source: unknown	Network traffic detected: HTTP traffic on port 57868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 57875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 57871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 57869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57867
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57869
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57866
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57871
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57873
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57872
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 57866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57875
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_4009200e-1363-4450-9a5a-cfcea6a3c201.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_4009200e-1363-4450-9a5a-cfcea6a3c201.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre