Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542904
MD5:	a573ed2b5bffe0b5ddcd8bc36359d595
SHA1:	cf598c317a9057bbd1b8363f4cae9e67ec94818a
SHA256:	74995d84d7882a29e32673bc77563c9f1d33e2a706af2e7935f1acb764820ccd
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A573ED2B5BFFE0B5DDCD8BC36359D595)

taskkill.exe (PID: 6540 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3192 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2436 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5560 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5396 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3192 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1276 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1292 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57535545-aed4-40be-aad8-2008f39b3989} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c069f6eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -parentBuildID 20230927232528 -prefsHandle 4316 -prefMapHandle 4308 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2443f705-0920-4c1b-8ba2-e5993ec13cb8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c07c422c10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7636 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5156 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322f45bd-ef92-49ae-b9cd-ac0d5c91d89f} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c081b83710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2106879441.00000000018FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.2107045434.0000000001907000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6584	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0035EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0035EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0035ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0035ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0035EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0034AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00379576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00379576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2044814069.00000000003A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc97ad11-f
Source: file.exe, 00000000.00000000.2044814069.00000000003A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_91f730bb-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_12f3502c-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_32518eda-a

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD078E77 NtQuerySystemInformation,		17_2_000001B1DD078E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD0721F2 NtQuerySystemInformation,		17_2_000001B1DD0721F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0034D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00341201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00341201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0034E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EBF40	0_2_002EBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002E8060	0_2_002E8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00352046	0_2_00352046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00348298	0_2_00348298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031E4FF	0_2_0031E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031676B	0_2_0031676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00374873	0_2_00374873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030CAA0	0_2_0030CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002ECAF0	0_2_002ECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FCC39	0_2_002FCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00316DD9	0_2_00316DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FD064	0_2_002FD064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002E90B7	0_2_002E90B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FB119	0_2_002FB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002E91C0	0_2_002E91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00301394	0_2_00301394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00301706	0_2_00301706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030781B	0_2_0030781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002E7920	0_2_002E7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F997D	0_2_002F997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003019B0	0_2_003019B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00307A4A	0_2_00307A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00301C77	0_2_00301C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00307CA7	0_2_00307CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00333CD5	0_2_00333CD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036BE44	0_2_0036BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00319EEE	0_2_00319EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00301F32	0_2_00301F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD078E77	17_2_000001B1DD078E77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD0721F2	17_2_000001B1DD0721F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD07291C	17_2_000001B1DD07291C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1DD072232	17_2_000001B1DD072232

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00300A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002E9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002FF9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003537B5 GetLastError,FormatMessageW,

0_2_003537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003410BF AdjustTokenPrivileges,CloseHandle,		0_2_003410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003416C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0034D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0035648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0035648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002E42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2257993921.000001C0837F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324728153.000001C07D7A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274167271.000001C0837F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332005794.000001C07D7A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2254709445.000001C08623C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338944035.000001C07ABD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57535545-aed4-40be-aad8-2008f39b3989} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c069f6eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -parentBuildID 20230927232528 -prefsHandle 4316 -prefMapHandle 4308 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2443f705-0920-4c1b-8ba2-e5993ec13cb8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c07c422c10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5156 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322f45bd-ef92-49ae-b9cd-ac0d5c91d89f} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c081b83710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57535545-aed4-40be-aad8-2008f39b3989} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c069f6eb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -parentBuildID 20230927232528 -prefsHandle 4316 -prefMapHandle 4308 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2443f705-0920-4c1b-8ba2-e5993ec13cb8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c07c422c10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5156 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322f45bd-ef92-49ae-b9cd-ac0d5c91d89f} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c081b83710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2329287394.000001C07B2E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2337967529.000001C07AF38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.2319559077.000001C07B57A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2337967529.000001C07AF38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.2319559077.000001C07B57A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2337967529.000001C07AF38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002E42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00300A76 push ecx; ret

0_2_00300A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002FF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00371C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00371C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96467

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001B1DD078E77 rdtsc

17_2_000001B1DD078E77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe TID: 6648	Thread sleep count: 95 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6648	Thread sleep count: 131 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0034DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031C2A2 FindFirstFileExW,	0_2_0031C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003568EE FindFirstFileW,FindClose,	0_2_003568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0035698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0034D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0034D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00359642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00359642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0035979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00359B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00359B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00355C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00355C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002E42DE

Source: firefox.exe, 00000012.00000002.3916997596.00000247D9D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW'b
Source: firefox.exe, 00000010.00000002.3917751870.000001D9AC600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3914736588.000001D9AC1CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3916698587.000001B1DD660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3917424082.000001D9AC513000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3913724945.000001B1DCEAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW bf
Source: firefox.exe, 00000010.00000002.3917751870.000001D9AC600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: firefox.exe, 00000012.00000002.3914286237.00000247D9A2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`)
Source: firefox.exe, 00000010.00000002.3917751870.000001D9AC600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3916698587.000001B1DD660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001B1DD078E77 rdtsc

17_2_000001B1DD078E77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0035EAA2 BlockInput,

0_2_0035EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00312622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00312622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002E42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00304CE8 mov eax, dword ptr fs:[00000030h]

0_2_00304CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00340B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00340B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00312622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00312622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0030083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003009D5 SetUnhandledExceptionFilter,	0_2_003009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00300C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00300C21

Source: C:\Users\user\Desktop\file.exe

0_2_00341201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00322BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00322BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034B226 SendInput,keybd_event,

0_2_0034B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003622DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00340B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00341663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00341663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2294586699.000001C07E101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00300698 cpuid

0_2_00300698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00358195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00358195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033D27A GetUserNameW,

0_2_0033D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0031B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0031B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002E42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2106879441.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2107045434.0000000001907000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6584, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2106879441.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2107045434.0000000001907000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6584, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00361204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00361204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00361806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00361806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.212.174	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.23.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2271211452.000001C086511000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3914812192.00000247D9CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2328491419.000001C07B52D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2270004162.000001C079C25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270329840.000001C079C29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275368420.000001C08254C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2112633161.000001C081D37000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2195935638.000001C0860CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3915127792.000001D9AC3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3917128923.00000247D9F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3915050275.000001B1DD186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3914812192.00000247D9C8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2265154817.000001C07C825000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2122787131.000001C07BC67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2319903640.000001C07B561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271211452.000001C08651C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2197343318.000001C081E2B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2326819854.000001C07C36E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2089139512.000001C07A01D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089617547.000001C07A06F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089469212.000001C07A053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089738864.000001C07A08A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088970887.000001C079E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089335911.000001C07A038000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2122321368.000001C07ABF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122321368.000001C07ABD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338559519.000001C07ABE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2287750412.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301056405.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203920375.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329993410.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256344293.000001C0856C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2260833617.000001C081C2D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2313936115.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198267780.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2258795458.000001C08225B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089738864.000001C07A08A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088970887.000001C079E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089335911.000001C07A038000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2261831795.000001C07D755000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2089139512.000001C07A01D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089617547.000001C07A06F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089469212.000001C07A053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088970887.000001C079E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089335911.000001C07A038000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2335449542.000001C07C389000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2265154817.000001C07C825000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2330185275.000001C083738000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2121946274.000001C07C736000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2255086712.000001C0860D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202032657.000001C0860CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195935638.000001C0860CD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2283557717.000001C075D7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD10A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3914812192.00000247D9C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2146108848.000001C08552E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145189721.000001C08551A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183061332.000001C085511000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2258441623.000001C083790000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3914812192.00000247D9CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2324445165.000001C081B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290462171.000001C081B78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2145189721.000001C08551A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2220381100.000001C07B613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2258441623.000001C083790000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2122321368.000001C07ABF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2275368420.000001C08254C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2195935638.000001C0860CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3915127792.000001D9AC3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3917128923.00000247D9F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2195935638.000001C0860CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3915127792.000001D9AC3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3917128923.00000247D9F03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2321472311.000001C0860CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202032657.000001C0860CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202032657.000001C0860D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300375139.000001C0860CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195935638.000001C0860CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272484650.000001C0860D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195935638.000001C0860D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3914812192.00000247D9C13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3916775145.00000247D9D20000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2264840793.000001C07CB4B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2260833617.000001C081C2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2250087787.000001C07A8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262924402.000001C07D5F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278959779.000001C07A47A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221075836.000001C07B4BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183147859.000001C07A9D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291553762.000001C07B66E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225308438.000001C07A4DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241098643.000001C079F9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229929206.000001C07B6E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132573012.000001C07B498000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229021074.000001C081D8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221075836.000001C07B498000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2130895792.000001C07B4EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2142973834.000001C07A97F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291613718.000001C07B4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258441623.000001C083767000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339522796.000001C079667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234838811.000001C07B7F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232167947.000001C081D8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276861906.000001C079667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294989302.000001C07A066000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2261831795.000001C07D755000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2259936018.000001C0821E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289363885.000001C0821E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2261831795.000001C07D755000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198267780.000001C081C56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2286706479.000001C086229000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197719192.000001C081CF3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2286706479.000001C086229000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2197719192.000001C081CF3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2313936115.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198267780.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2122787131.000001C07BC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302139532.000001C0822A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258795458.000001C0822A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2323653471.000001C0822A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2313936115.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198267780.000001C081CA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2265154817.000001C07C834000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2328207016.000001C07B5E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309762217.000001C07B5E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2317297349.000001C07C8E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265154817.000001C07C8E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2120282783.000001C07C8E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2146108848.000001C08552E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184363866.000001C085519000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145189721.000001C08551A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146209958.000001C085529000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183061332.000001C085511000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2283557717.000001C075D7D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2258441623.000001C083790000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2313873174.000001C081E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2122787131.000001C07BC67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2275368420.000001C08254C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3917025907.000001D9AC420000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3914120616.000001B1DD000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914506255.00000247D9A60000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
216.58.212.174	youtube.com	United States	15169	GOOGLEUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542904
Start date and time:	2024-10-26 20:00:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.231.229.39, 52.13.186.250, 34.208.54.237, 2.22.61.59, 2.22.61.56, 142.250.186.174, 142.250.186.78, 142.250.186.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	151.101.65.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.117.188.166
ATGS-MMD-ASUS	kkkmpsl.elf	Get hash	malicious	Unknown	Browse	57.237.235.6
	kkkarm.elf	Get hash	malicious	Unknown	Browse	32.17.43.218
	kkkx86.elf	Get hash	malicious	Unknown	Browse	48.99.4.215
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.175.139.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
ATGS-MMD-ASUS	kkkmpsl.elf	Get hash	malicious	Unknown	Browse	57.237.235.6
	kkkarm.elf	Get hash	malicious	Unknown	Browse	32.17.43.218
	kkkx86.elf	Get hash	malicious	Unknown	Browse	48.99.4.215
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.175.139.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e1d9ddb1-93e9-4a73-82e0-22625ed03d5d.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179127809647231
Encrypted:	false
SSDEEP:	192:uKMiuIbcbhbVbTbfbRbObtbyEl7n0r2JA6wnSrDtTkd/Sw:uPOcNhnzFSJUr1jnSrDhkd/Z
MD5:	E631753B274FB3D18272BD44EDC15722
SHA1:	4CA28DAA26005964146C92B35B87EC4D355F1414
SHA-256:	0F2808232366B48684C55B08C439748E3576EBB1AE7731FCF8C1D8522DF06B52
SHA-512:	CDE251C5C2DF49B4639F434D27BEB688BBDA460BE61607E3FA2EF17C73C3EFA4EA90618B2BA0DF7B352FACC7F7B1795137A2E061FDF09CDC9B74E83C580A1B17
Malicious:	false
Preview:	{"type":"uninstall","id":"e1d9ddb1-93e9-4a73-82e0-22625ed03d5d","creationDate":"2024-10-26T20:01:03.062Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e1d9ddb1-93e9-4a73-82e0-22625ed03d5d.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179127809647231
Encrypted:	false
SSDEEP:	192:uKMiuIbcbhbVbTbfbRbObtbyEl7n0r2JA6wnSrDtTkd/Sw:uPOcNhnzFSJUr1jnSrDhkd/Z
MD5:	E631753B274FB3D18272BD44EDC15722
SHA1:	4CA28DAA26005964146C92B35B87EC4D355F1414
SHA-256:	0F2808232366B48684C55B08C439748E3576EBB1AE7731FCF8C1D8522DF06B52
SHA-512:	CDE251C5C2DF49B4639F434D27BEB688BBDA460BE61607E3FA2EF17C73C3EFA4EA90618B2BA0DF7B352FACC7F7B1795137A2E061FDF09CDC9B74E83C580A1B17
Malicious:	false
Preview:	{"type":"uninstall","id":"e1d9ddb1-93e9-4a73-82e0-22625ed03d5d","creationDate":"2024-10-26T20:01:03.062Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.310936917686254
Encrypted:	false
SSDEEP:	24:jodfalOTlXAeTIUx2dWoM15zLN8zmOodfalOTlXAeswM+bpoqdWoM15zLFX1Rgm7:sd23Ugdwwzmd2x6BdwIId2xadwq1
MD5:	BD60A404CC4D3663C915910760D21EE5
SHA1:	F0FED34F6949469330EF481C38F5E66D96EEE2D2
SHA-256:	835784499C8F7238671A15F3F0E93238F8CDD8EF1F5E042B5F3B38D9BC1244BF
SHA-512:	2112876AED6960B3ADC64F2EE7A3DCB95500B9FB7D66C00A4D2E41B689E69938F3846B36EF71F38544615207726F9BD7CCF9F0699F048E50CB62253D2AC3F217
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........)...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IZY!.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY!.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY!...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............M......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.310936917686254
Encrypted:	false
SSDEEP:	24:jodfalOTlXAeTIUx2dWoM15zLN8zmOodfalOTlXAeswM+bpoqdWoM15zLFX1Rgm7:sd23Ugdwwzmd2x6BdwIId2xadwq1
MD5:	BD60A404CC4D3663C915910760D21EE5
SHA1:	F0FED34F6949469330EF481C38F5E66D96EEE2D2
SHA-256:	835784499C8F7238671A15F3F0E93238F8CDD8EF1F5E042B5F3B38D9BC1244BF
SHA-512:	2112876AED6960B3ADC64F2EE7A3DCB95500B9FB7D66C00A4D2E41B689E69938F3846B36EF71F38544615207726F9BD7CCF9F0699F048E50CB62253D2AC3F217
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........)...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IZY!.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY!.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY!...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............M......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KG1OIVVFHBUQU90GQA6N.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.310936917686254
Encrypted:	false
SSDEEP:	24:jodfalOTlXAeTIUx2dWoM15zLN8zmOodfalOTlXAeswM+bpoqdWoM15zLFX1Rgm7:sd23Ugdwwzmd2x6BdwIId2xadwq1
MD5:	BD60A404CC4D3663C915910760D21EE5
SHA1:	F0FED34F6949469330EF481C38F5E66D96EEE2D2
SHA-256:	835784499C8F7238671A15F3F0E93238F8CDD8EF1F5E042B5F3B38D9BC1244BF
SHA-512:	2112876AED6960B3ADC64F2EE7A3DCB95500B9FB7D66C00A4D2E41B689E69938F3846B36EF71F38544615207726F9BD7CCF9F0699F048E50CB62253D2AC3F217
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........)...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IZY!.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY!.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY!...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............M......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q1BJG0BERUVVRI6UH9B1.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.310936917686254
Encrypted:	false
SSDEEP:	24:jodfalOTlXAeTIUx2dWoM15zLN8zmOodfalOTlXAeswM+bpoqdWoM15zLFX1Rgm7:sd23Ugdwwzmd2x6BdwIId2xadwq1
MD5:	BD60A404CC4D3663C915910760D21EE5
SHA1:	F0FED34F6949469330EF481C38F5E66D96EEE2D2
SHA-256:	835784499C8F7238671A15F3F0E93238F8CDD8EF1F5E042B5F3B38D9BC1244BF
SHA-512:	2112876AED6960B3ADC64F2EE7A3DCB95500B9FB7D66C00A4D2E41B689E69938F3846B36EF71F38544615207726F9BD7CCF9F0699F048E50CB62253D2AC3F217
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........)...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IZY!.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY!.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY!...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............M......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92471710454403
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNC9wxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6Llm8P
MD5:	E9E2C335B7BC0D0B0EA52D3745087410
SHA1:	4CFF69EF5526C154E76EE365658911C40D6479EE
SHA-256:	B202732CF99A3BEB4D1FC56958F1C33F20A6D371E0A07FA3F5BC940E5A4D58F5
SHA-512:	F656BFF73AAB0A9B9BFB605372FE1F36B1B69FB7419665F5B9BB390CB1B389F0D5025FC4244081F0C9E79A3E1827F4AFA4EA25EE9F0D38D09AFBB57954C9DB2A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92471710454403
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNC9wxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6Llm8P
MD5:	E9E2C335B7BC0D0B0EA52D3745087410
SHA1:	4CFF69EF5526C154E76EE365658911C40D6479EE
SHA-256:	B202732CF99A3BEB4D1FC56958F1C33F20A6D371E0A07FA3F5BC940E5A4D58F5
SHA-512:	F656BFF73AAB0A9B9BFB605372FE1F36B1B69FB7419665F5B9BB390CB1B389F0D5025FC4244081F0C9E79A3E1827F4AFA4EA25EE9F0D38D09AFBB57954C9DB2A
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0732288570289085
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkic:DLhesh7Owd4+ji
MD5:	0D1F1E17C64B1DBE1F2DE2E3E351222C
SHA1:	CC6CC36812875B1F41DDD89CD3CB9EED36EEB1A9
SHA-256:	CC5A760F2BED9DCA0D07BF8AE763A24ECDA63AD2F4B173E74D9870C7EE875D7E
SHA-512:	57E407357728D7B0D9DDC52A22A37856D5C9822F940987A16AB49C8CDA624A2E7440FE157CC4E0AD0D38DB3746A05099D0C0E3DE540F88158BC8FCD20CB2F991
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039545238451853294
Encrypted:	false
SSDEEP:	3:GHlhVrqiIjGU6Y5xlalhVrqiIjGU6Y5x/Xol8a9//Ylll4llqlyllel4lt:G7V+vGUZ5DeV+vGUZ5ZoL9XIwlio
MD5:	51A074776C665A4350E4828AEDDCD0DE
SHA1:	C07E5FCF48A61F5599F66892C8F46799FFD13B17
SHA-256:	22B8DAF6A869B756D8C70DEF419E477C157D6619292F15F4D34F9CFFD94D47E5
SHA-512:	C156F0F8A966B39EF501DCA26C3D802EC2A0A6B1F46CB38CDF9F8A40F8BAAABA3E444A7CDC5E2D2352DB4A14E9A3E1EF97EB2538D2899538F4A500B20F591190
Malicious:	false
Preview:	..-......................O.m.b.lRcY.....mo\.66...-......................O.m.b.lRcY.....mo\.66.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13353031326467313
Encrypted:	false
SSDEEP:	24:KKfkiLxsZ+i2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD23wlta:dMOQ/2VJCXs4qLWeJa1VygvDZk
MD5:	F9FA7037458FDCE34D2FFFEF09C43669
SHA1:	27EB5CEBC87AB889205002405884A11F2BAE7974
SHA-256:	EAC11BE40CD10DF52EF4AAC35B7183EEE27097592267E6B3DC13F89FD16515EF
SHA-512:	035301B077A359737BD170B0FDECF27A429EE408CA29971AE8620F5404D870ABF7DDCF6BECE3318525CAB647F751070518F23EDFFBB5D2045E4548783464E323
Malicious:	false
Preview:	7....-..........RcY...... fev..$........RcY........E...{................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477621892058746
Encrypted:	false
SSDEEP:	192:knPOeRnLYbBp6TJ0aX+q6SEXKUcEuNV55RHWNBw8dSSl:GDe2JUxBaXHEw50
MD5:	3654601B6E00765E3D9C515D2D026199
SHA1:	4EA6F4012F5B6A7FB8073F6296B075EEE54E6A47
SHA-256:	8DC681A3836664C5539AEF01B5923F533CCBDBAA425B3A3AA98807B5A18006D3
SHA-512:	6B5D2AB2ABD7A8159FC640BC190936EAAA310818A5E8DDAB80AF661FD98F4877A21C6306F7567F539F6F1AD9DE616F502C048A1AE998C11D800DE4F63E9D3981
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729972833);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729972833);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729972833);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172997

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477621892058746
Encrypted:	false
SSDEEP:	192:knPOeRnLYbBp6TJ0aX+q6SEXKUcEuNV55RHWNBw8dSSl:GDe2JUxBaXHEw50
MD5:	3654601B6E00765E3D9C515D2D026199
SHA1:	4EA6F4012F5B6A7FB8073F6296B075EEE54E6A47
SHA-256:	8DC681A3836664C5539AEF01B5923F533CCBDBAA425B3A3AA98807B5A18006D3
SHA-512:	6B5D2AB2ABD7A8159FC640BC190936EAAA310818A5E8DDAB80AF661FD98F4877A21C6306F7567F539F6F1AD9DE616F502C048A1AE998C11D800DE4F63E9D3981
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729972833);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729972833);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729972833);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172997

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\bc6cad32-f058-46f5-ab08-226b263ba13d (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.9521179532387585
Encrypted:	false
SSDEEP:	12:YZFg8TaguIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Yr/uSlCOlZGV1AQIWZcy6ZXvx
MD5:	B529B25B60FE3C69971D6EE2B0E7C90B
SHA1:	5714898362DF754E6885F46470286C22321DEDBA
SHA-256:	808D1139D61F343FE347822426301157A47F48B8D3B84B550600338ED081A37F
SHA-512:	BAD0DDEAA58EB4C9965222389B7434E343478593C29B7355F13482CAF1BA8E72AEBB2E73551B9E14CAB844C86F653609DB15B9D96E2E1B550465D278ACC8393B
Malicious:	false
Preview:	{"type":"health","id":"bc6cad32-f058-46f5-ab08-226b263ba13d","creationDate":"2024-10-26T20:01:03.681Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\bc6cad32-f058-46f5-ab08-226b263ba13d.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.9521179532387585
Encrypted:	false
SSDEEP:	12:YZFg8TaguIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Yr/uSlCOlZGV1AQIWZcy6ZXvx
MD5:	B529B25B60FE3C69971D6EE2B0E7C90B
SHA1:	5714898362DF754E6885F46470286C22321DEDBA
SHA-256:	808D1139D61F343FE347822426301157A47F48B8D3B84B550600338ED081A37F
SHA-512:	BAD0DDEAA58EB4C9965222389B7434E343478593C29B7355F13482CAF1BA8E72AEBB2E73551B9E14CAB844C86F653609DB15B9D96E2E1B550465D278ACC8393B
Malicious:	false
Preview:	{"type":"health","id":"bc6cad32-f058-46f5-ab08-226b263ba13d","creationDate":"2024-10-26T20:01:03.681Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34486931213899
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIr6/pnxQwRcWT5sKmgb0hA3eHVpjO+3amhujJwO2c0TiVm0Bh:GUpOx93nRcoeggA3erjx34Jwc3zBtT
MD5:	D91C930404C1318DB3B16942BB49193B
SHA1:	C9503F63F9C637D06D9F1AE5FAE94920B31D69FA
SHA-256:	D3C08AE87938FAD6EFE6980F501A92AB5797DBDE36190BAA9F5577A95F123756
SHA-512:	92646C83C4B8EAC5DCB0B64D0B9BFE46DC17123B491F4031CF445B61B92A45D8CA898CFB0CA87EFB8BD2B38BD32275A5473EEE992A8C70C065219C598DED63D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1fa2bb7d-4b0e-41c9-b45d-9adc3d0577f2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729972838726,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..A0241...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...07437,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34486931213899
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIr6/pnxQwRcWT5sKmgb0hA3eHVpjO+3amhujJwO2c0TiVm0Bh:GUpOx93nRcoeggA3erjx34Jwc3zBtT
MD5:	D91C930404C1318DB3B16942BB49193B
SHA1:	C9503F63F9C637D06D9F1AE5FAE94920B31D69FA
SHA-256:	D3C08AE87938FAD6EFE6980F501A92AB5797DBDE36190BAA9F5577A95F123756
SHA-512:	92646C83C4B8EAC5DCB0B64D0B9BFE46DC17123B491F4031CF445B61B92A45D8CA898CFB0CA87EFB8BD2B38BD32275A5473EEE992A8C70C065219C598DED63D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1fa2bb7d-4b0e-41c9-b45d-9adc3d0577f2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729972838726,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..A0241...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...07437,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34486931213899
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSILXnIr6/pnxQwRcWT5sKmgb0hA3eHVpjO+3amhujJwO2c0TiVm0Bh:GUpOx93nRcoeggA3erjx34Jwc3zBtT
MD5:	D91C930404C1318DB3B16942BB49193B
SHA1:	C9503F63F9C637D06D9F1AE5FAE94920B31D69FA
SHA-256:	D3C08AE87938FAD6EFE6980F501A92AB5797DBDE36190BAA9F5577A95F123756
SHA-512:	92646C83C4B8EAC5DCB0B64D0B9BFE46DC17123B491F4031CF445B61B92A45D8CA898CFB0CA87EFB8BD2B38BD32275A5473EEE992A8C70C065219C598DED63D6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1fa2bb7d-4b0e-41c9-b45d-9adc3d0577f2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729972838726,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..A0241...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...07437,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028716817711872
Encrypted:	false
SSDEEP:	96:ycFMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:cTEr5NX0z3DhRe
MD5:	9B30048BBC1E72DBDFADC479476174C0
SHA1:	D120CB907B3901D7ACFBC2E54C098F4455C052B1
SHA-256:	5B6BA95593DE10838DE70F08A8706831B57508FA822ACC45AA6E19973E6368EC
SHA-512:	FD082F7A103F192D90814CA694559680FBFCDEE50803CBA1AB807808E4F7F19807F4FD612B71C17CFCB10AD99DA52416E4B8AE6DC4877419E32AA83DACAF9154
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T20:00:23.295Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028716817711872
Encrypted:	false
SSDEEP:	96:ycFMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:cTEr5NX0z3DhRe
MD5:	9B30048BBC1E72DBDFADC479476174C0
SHA1:	D120CB907B3901D7ACFBC2E54C098F4455C052B1
SHA-256:	5B6BA95593DE10838DE70F08A8706831B57508FA822ACC45AA6E19973E6368EC
SHA-512:	FD082F7A103F192D90814CA694559680FBFCDEE50803CBA1AB807808E4F7F19807F4FD612B71C17CFCB10AD99DA52416E4B8AE6DC4877419E32AA83DACAF9154
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T20:00:23.295Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584707619361631
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	a573ed2b5bffe0b5ddcd8bc36359d595
SHA1:	cf598c317a9057bbd1b8363f4cae9e67ec94818a
SHA256:	74995d84d7882a29e32673bc77563c9f1d33e2a706af2e7935f1acb764820ccd
SHA512:	2cc72118adc254cb6d37acdd96d4414fab9ed2a85cd4e16163b73e855a1b6b5cbb2097c0ee543df410860644e0feded138e142bdd4dfcc3adbc5eb838e192e86
SSDEEP:	12288:lqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ta:lqDEvCTbMWu7rQYlBQcBiT6rprG8aba
TLSH:	B8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671D2C14 [Sat Oct 26 17:51:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F135CB4A4F3h
jmp 00007F135CB49DFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F135CB49FDDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F135CB49FAAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F135CB4CB9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F135CB4CBE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F135CB4CBD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	d2c621808c07943bbcfb2bfb9bf0ec71	False	0.3156398338607595	data	5.374340066946005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 20:01:04.799302101 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:04.799355984 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:04.799680948 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:04.803194046 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:04.803211927 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:05.416852951 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:05.422193050 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:05.434461117 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:05.434487104 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:05.434549093 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:05.434708118 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:05.434827089 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:05.595128059 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.595177889 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:05.601315975 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.602761984 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.602776051 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:05.880530119 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.880614042 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:05.884984970 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:05.889519930 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.890415907 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:05.890837908 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:05.890916109 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:05.891572952 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:05.891613007 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:05.897243023 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:06.079015970 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.079058886 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.080343962 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.081821918 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.081840038 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.088795900 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.088834047 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.090500116 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.094753981 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.094773054 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.143441916 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.143522978 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.151392937 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.151513100 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.151544094 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.458767891 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.459537983 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.461189985 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.461216927 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.484436035 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:06.516937017 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.547142029 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:06.695791960 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.695864916 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.712089062 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.715889931 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.739927053 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.739940882 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.740001917 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.741003990 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.741080999 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.762635946 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.762651920 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.762861967 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.911886930 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.911967039 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.912349939 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:06.914253950 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.914278030 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.914338112 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.914547920 CEST	443	49711	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.917517900 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.917594910 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.917819023 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.918054104 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.918111086 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.918813944 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.918848038 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.920449972 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.920463085 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.920629025 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.920663118 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.920687914 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.920687914 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.920701981 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.920908928 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.920975924 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.920984983 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.921489000 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.921581030 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.921690941 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.921724081 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.922190905 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.922190905 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.922311068 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:06.922326088 CEST	49711	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.922373056 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.923141956 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.923199892 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.923816919 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:06.923830032 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:06.925182104 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.925199986 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:06.926412106 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:06.926461935 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.029880047 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.035969973 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.044804096 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.053669930 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.055490971 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.055541039 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.059109926 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.060395956 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.060568094 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.061012030 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.061023951 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.061238050 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.066667080 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.127327919 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.127331018 CEST	443	49712	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:07.127335072 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.127393961 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.127409935 CEST	49712	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.127420902 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.177541971 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.183121920 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.183214903 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.183355093 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.188652039 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.540792942 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.541003942 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.544003963 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.544008970 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.550071001 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.550079107 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.550172091 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.550263882 CEST	443	49720	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.550287962 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.550304890 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.550331116 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.550477028 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.551862955 CEST	49720	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.551886082 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.657069921 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.677901030 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.677968025 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.681102991 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.681116104 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.681370974 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.683769941 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.683851004 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.683922052 CEST	443	49722	34.160.144.191	192.168.2.5
Oct 26, 2024 20:01:07.685834885 CEST	49722	443	192.168.2.5	34.160.144.191
Oct 26, 2024 20:01:07.708966970 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.716018915 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.716068983 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.716764927 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.718197107 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:07.718206882 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:07.779500961 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:07.784387112 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:07.784485102 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.785134077 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:07.785180092 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.789274931 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.789285898 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:07.789367914 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.789463997 CEST	443	49718	216.58.212.174	192.168.2.5
Oct 26, 2024 20:01:07.789849043 CEST	49718	443	192.168.2.5	216.58.212.174
Oct 26, 2024 20:01:07.828521013 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.950562954 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:07.956041098 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:08.075860977 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:08.125713110 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:08.326800108 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.329138041 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.333005905 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.333014011 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.333132982 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.333185911 CEST	443	49724	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.333483934 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.333573103 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.333991051 CEST	49724	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.334166050 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.335453033 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.335509062 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.357779980 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:08.363298893 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:08.482851982 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:08.549149990 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:08.955074072 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.959338903 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.965897083 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.970875978 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.970904112 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.970968008 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:08.971220970 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 26, 2024 20:01:08.971539021 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 26, 2024 20:01:09.145279884 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:09.150712967 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:09.271400928 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:09.324182034 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:13.110699892 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:13.116353035 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:13.146718979 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.146764040 CEST	443	49729	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:13.147578955 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.148978949 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.148996115 CEST	443	49729	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:13.172251940 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.172270060 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.181684017 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.184211969 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.184240103 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.216660023 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:13.216747046 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:13.219944000 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:13.222146034 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:13.222187042 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:13.229238987 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:13.229284048 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:13.229914904 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:13.230134010 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:13.230146885 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:13.236232042 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:13.282669067 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:13.760180950 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:13.763434887 CEST	443	49729	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:13.764003992 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.765510082 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:13.770850897 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.770860910 CEST	443	49729	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:13.770946026 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.771105051 CEST	443	49729	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:13.774786949 CEST	49729	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:13.796715021 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.796731949 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.804388046 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.809113979 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.809120893 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.809204102 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.809334993 CEST	443	49730	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:13.811891079 CEST	49730	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:13.834680080 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:13.844882011 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:13.848762989 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:13.849150896 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:13.885303974 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:13.945868015 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:15.094104052 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:15.094132900 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:15.095109940 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:15.098330021 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:15.098330021 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:15.098419905 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:15.098438978 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:15.098490953 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:15.098699093 CEST	443	49731	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:15.098895073 CEST	443	49732	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:15.113120079 CEST	49732	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:15.113121033 CEST	49731	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:19.777842999 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:19.783289909 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:19.817444086 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:19.817466021 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:19.817869902 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:19.819216967 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:19.819233894 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:19.824429035 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:19.830199957 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:19.831574917 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:20.428597927 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:20.428802967 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.515558004 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:21.517005920 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.517024040 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:21.517081976 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.517597914 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:21.520194054 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.520911932 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:21.522268057 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:21.522399902 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:21.527658939 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:21.712039948 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:21.712076902 CEST	443	49766	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:21.712285995 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.712294102 CEST	443	49767	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:21.712574005 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:21.712618113 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:21.713856936 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:21.713866949 CEST	443	49766	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:22.127650023 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:22.176165104 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:22.185372114 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:22.185384989 CEST	443	49767	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:22.340076923 CEST	443	49766	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:22.340186119 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:22.344688892 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:22.344695091 CEST	443	49766	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:22.344775915 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:22.344882011 CEST	443	49766	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:22.345035076 CEST	49766	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:22.785980940 CEST	443	49767	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:22.786076069 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:22.790659904 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:22.790666103 CEST	443	49767	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:22.790771961 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:22.790827036 CEST	443	49767	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:22.790939093 CEST	49767	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.903359890 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:23.908865929 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:23.976025105 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:23.977320910 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:23.978775024 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.978844881 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:23.979098082 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.979159117 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:23.981384993 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.981440067 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:23.981496096 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.981563091 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.981597900 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:23.981662989 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:23.981686115 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:23.982669115 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:24.101314068 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:24.104528904 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:24.150693893 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:24.150708914 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:24.346179962 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:24.351774931 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:24.380810976 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.380851984 CEST	443	49785	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.381584883 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.383095026 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.383132935 CEST	443	49785	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.471911907 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:24.520685911 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:24.591212988 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.591337919 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.595200062 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.595309973 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.615338087 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.615365028 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.615753889 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.617717028 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.617763996 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.618597984 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.641096115 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.641171932 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.641310930 CEST	443	49779	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.641928911 CEST	49779	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.667727947 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:24.993037939 CEST	443	49785	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:24.993160963 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.248703957 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.248817921 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.248982906 CEST	443	49778	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:25.251311064 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.251346111 CEST	443	49785	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:25.251380920 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.251784086 CEST	443	49785	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:25.253876925 CEST	49778	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.253892899 CEST	49785	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.454793930 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:25.460177898 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:25.582151890 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:25.623707056 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:25.669967890 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.670067072 CEST	443	49791	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:25.670739889 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.672231913 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:25.672312021 CEST	443	49791	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:25.674206972 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:25.679564953 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:25.799455881 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:25.839907885 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:26.280479908 CEST	443	49791	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:26.280561924 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:27.574879885 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:27.574940920 CEST	443	49791	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:27.574975014 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:27.575228930 CEST	443	49791	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:27.576128960 CEST	49791	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:28.626416922 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:28.628396988 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:28.628448009 CEST	443	49807	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:28.630320072 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:28.631710052 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:28.631726027 CEST	443	49807	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:28.631951094 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:28.753746033 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:28.756781101 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:28.762332916 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:28.795209885 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:28.882769108 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:28.933231115 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:29.232526064 CEST	443	49807	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:29.233702898 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:29.237843037 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:29.237864971 CEST	443	49807	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:29.237963915 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:29.238094091 CEST	443	49807	34.120.208.123	192.168.2.5
Oct 26, 2024 20:01:29.239878893 CEST	49807	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:01:29.240808964 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:29.246356964 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:29.367614985 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:29.370510101 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:29.375864983 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:29.419063091 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:29.495619059 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:29.550615072 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:33.597462893 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:33.597481966 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:33.600666046 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:33.600955963 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:33.600966930 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:33.603080034 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:33.603137016 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:33.603372097 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:33.603408098 CEST	443	49840	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:33.606353045 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:33.606534958 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:33.606549025 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:33.606585026 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:33.607918024 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:33.607929945 CEST	443	49840	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:33.622881889 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:33.622891903 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:33.628242970 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:33.628539085 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:33.628554106 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:33.629554033 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:33.629616976 CEST	443	49842	35.201.103.21	192.168.2.5
Oct 26, 2024 20:01:33.631434917 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:33.634480000 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:33.634511948 CEST	443	49842	35.201.103.21	192.168.2.5
Oct 26, 2024 20:01:34.102483988 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.102570057 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.102650881 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.104690075 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.104732037 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.218097925 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.218240976 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.221807957 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.221824884 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.222176075 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.223668098 CEST	443	49840	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:34.223788977 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:34.224845886 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.225120068 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.228594065 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.228599072 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.228892088 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.229134083 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.229231119 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.229363918 CEST	443	49839	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.232686043 CEST	49839	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.232814074 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:34.232841015 CEST	443	49840	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:34.232933998 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:34.233119011 CEST	443	49840	35.190.72.216	192.168.2.5
Oct 26, 2024 20:01:34.233869076 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.233869076 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.234026909 CEST	443	49838	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.235057116 CEST	49840	443	192.168.2.5	35.190.72.216
Oct 26, 2024 20:01:34.235268116 CEST	49838	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.243100882 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:34.243246078 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:34.246519089 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:34.246524096 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:34.246591091 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.246840000 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:34.250607014 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:34.250683069 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:34.250852108 CEST	443	49841	151.101.129.91	192.168.2.5
Oct 26, 2024 20:01:34.252024889 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.258366108 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.258378029 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.260144949 CEST	49841	443	192.168.2.5	151.101.129.91
Oct 26, 2024 20:01:34.260144949 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.260581017 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.260592937 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.261830091 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.261868000 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.263029099 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.263150930 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.263159990 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.265074968 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.265115976 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.265368938 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.265471935 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.265515089 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.269985914 CEST	443	49842	35.201.103.21	192.168.2.5
Oct 26, 2024 20:01:34.270237923 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:34.274106979 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:34.274116039 CEST	443	49842	35.201.103.21	192.168.2.5
Oct 26, 2024 20:01:34.274243116 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:34.274389982 CEST	443	49842	35.201.103.21	192.168.2.5
Oct 26, 2024 20:01:34.274857998 CEST	49842	443	192.168.2.5	35.201.103.21
Oct 26, 2024 20:01:34.285923958 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.285965919 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.286051989 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.286164999 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.286190033 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.374650955 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.384254932 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.389650106 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.433710098 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.509438992 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.549619913 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.722146034 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.727339983 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.728166103 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.732569933 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.732584953 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.732660055 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.732872009 CEST	443	49844	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:34.734632969 CEST	49844	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:34.741108894 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.746586084 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.868573904 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.871407986 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.871901989 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.872186899 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.875104904 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.875109911 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.875377893 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.877243042 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.878199100 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.878294945 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.878350973 CEST	443	49847	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.878593922 CEST	49847	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.879040003 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.879123926 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.879410028 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.881773949 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.882200003 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.882210016 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.882463932 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.884519100 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.884532928 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.884849072 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.886210918 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:34.888380051 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.888468027 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.888534069 CEST	443	49849	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.889040947 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.889110088 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.889230013 CEST	443	49848	35.244.181.201	192.168.2.5
Oct 26, 2024 20:01:34.889688969 CEST	49849	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.889709949 CEST	49848	443	192.168.2.5	35.244.181.201
Oct 26, 2024 20:01:34.891525030 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:34.906531096 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.906605959 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.909914017 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.909935951 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.910267115 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.912923098 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.913022041 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.913088083 CEST	443	49851	34.149.100.209	192.168.2.5
Oct 26, 2024 20:01:34.913767099 CEST	49851	443	192.168.2.5	34.149.100.209
Oct 26, 2024 20:01:34.996987104 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:35.013376951 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:35.018704891 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:35.024068117 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:35.066694975 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:35.143554926 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:35.198256969 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:45.024764061 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:45.030122042 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:45.162853956 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:45.168868065 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:54.757904053 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:54.757946014 CEST	443	49965	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:54.758035898 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:54.760188103 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:54.760201931 CEST	443	49965	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:55.044044018 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.051292896 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.182156086 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.189336061 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.370763063 CEST	443	49965	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:55.370861053 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:55.376720905 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:55.376749039 CEST	443	49965	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:55.376810074 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:55.376966000 CEST	443	49965	34.107.243.93	192.168.2.5
Oct 26, 2024 20:01:55.379858017 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.381807089 CEST	49965	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:01:55.385281086 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.507671118 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.513319016 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.518951893 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.561398029 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.807452917 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.807476997 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:01:55.808867931 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:01:55.862132072 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:03.970283985 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.970340014 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:03.976149082 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.976161003 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:03.977204084 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.977253914 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.977421045 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.977438927 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:03.977554083 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:03.977570057 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.586262941 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.586278915 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.586684942 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.589966059 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.589998007 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.590280056 CEST	443	50019	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.592725039 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.592837095 CEST	50019	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.602920055 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.606955051 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.610320091 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.610327959 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.610654116 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.613181114 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.613265991 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.613360882 CEST	443	50020	34.120.208.123	192.168.2.5
Oct 26, 2024 20:02:04.613640070 CEST	50020	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:02:04.632787943 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.638184071 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.759802103 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.782480001 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.788563013 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.810522079 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.854392052 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.859874010 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.908695936 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.957662106 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.981714010 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:04.988693953 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:04.994218111 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:05.026701927 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:05.113672018 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:05.158231020 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:14.986515045 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:14.991889000 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:15.118069887 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:15.123481035 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:24.999646902 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:25.131297112 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:25.196182013 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:25.196315050 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:35.197793007 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:35.197860956 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:35.203238010 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:35.203308105 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:35.516607046 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:35.516652107 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 26, 2024 20:02:35.516766071 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:35.518265963 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:35.518304110 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 26, 2024 20:02:36.164985895 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 26, 2024 20:02:36.165216923 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:36.170855045 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:36.170877934 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 26, 2024 20:02:36.170954943 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:36.171189070 CEST	443	50029	34.107.243.93	192.168.2.5
Oct 26, 2024 20:02:36.171767950 CEST	50029	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:02:36.173681974 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:36.179071903 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:36.301436901 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:36.306338072 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:36.311758995 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:36.347836971 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:36.431291103 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:36.479401112 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:46.309437037 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:46.315017939 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:46.447387934 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:46.660238028 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:56.321127892 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:56.326663971 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:02:56.675393105 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:02:56.680849075 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:06.333821058 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:06.339479923 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:06.688123941 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:06.693665981 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:16.347865105 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:16.353606939 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:16.695563078 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:16.703074932 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:26.361196995 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:26.366699934 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:26.708384037 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:26.714260101 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:36.374896049 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:36.380327940 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:36.722719908 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:36.728349924 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:46.381606102 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:46.387428045 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:46.736002922 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:46.741874933 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:56.209408045 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:56.209453106 CEST	443	50030	34.107.243.93	192.168.2.5
Oct 26, 2024 20:03:56.209640026 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:56.211600065 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:56.211616993 CEST	443	50030	34.107.243.93	192.168.2.5
Oct 26, 2024 20:03:56.395733118 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:56.750185013 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:57.264352083 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:57.265537024 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:57.879925013 CEST	443	50030	34.107.243.93	192.168.2.5
Oct 26, 2024 20:03:57.880065918 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:57.886188984 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:57.886198997 CEST	443	50030	34.107.243.93	192.168.2.5
Oct 26, 2024 20:03:57.886291981 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:57.886421919 CEST	443	50030	34.107.243.93	192.168.2.5
Oct 26, 2024 20:03:57.887125015 CEST	50030	443	192.168.2.5	34.107.243.93
Oct 26, 2024 20:03:57.889013052 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:57.894414902 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:58.016129017 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:58.020052910 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:58.025389910 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:58.069417000 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:03:58.342674017 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:03:58.386053085 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:04:04.800285101 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800323963 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:04.800549030 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800585032 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:04.800688982 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800724030 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:04.800789118 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800889969 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800890923 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800924063 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.800930977 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:04.801090002 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.801104069 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:04.801233053 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:04.801245928 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.424355030 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.424995899 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.425765991 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.425913095 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.426553965 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.426646948 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.428240061 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.428256035 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.428580999 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.430727959 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.430737972 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.431065083 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.433024883 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.433058977 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.433429956 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.436285973 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.436611891 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.436702013 CEST	443	50032	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.436917067 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.436981916 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.437311888 CEST	443	50031	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.437319040 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.437383890 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.437740088 CEST	443	50033	34.120.208.123	192.168.2.5
Oct 26, 2024 20:04:05.439203978 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.439248085 CEST	50032	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.439249039 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.439261913 CEST	50031	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.439374924 CEST	50033	443	192.168.2.5	34.120.208.123
Oct 26, 2024 20:04:05.439606905 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:04:05.445589066 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:04:05.567441940 CEST	80	49765	34.107.221.82	192.168.2.5
Oct 26, 2024 20:04:05.570139885 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:04:05.575623989 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:04:05.613940001 CEST	49765	80	192.168.2.5	34.107.221.82
Oct 26, 2024 20:04:05.695224047 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 26, 2024 20:04:05.745460987 CEST	49721	80	192.168.2.5	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 20:01:04.801326990 CEST	59565	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:04.809904099 CEST	53	59565	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:04.813524961 CEST	54793	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:04.820889950 CEST	53	54793	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:05.584567070 CEST	59856	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.592350006 CEST	53	59856	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:05.595808029 CEST	52625	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.603775978 CEST	53	52625	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:05.607847929 CEST	53919	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.616965055 CEST	53	53919	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:05.822947979 CEST	56809	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.832128048 CEST	57816	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.839879990 CEST	53	57816	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:05.841475964 CEST	64706	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:05.849639893 CEST	53	64706	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.068217993 CEST	52959	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.076271057 CEST	53	52959	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.079688072 CEST	62576	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.080199957 CEST	52312	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.087656021 CEST	53	62576	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.087920904 CEST	53	52312	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.088321924 CEST	63515	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.089447975 CEST	57266	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.095820904 CEST	53	63515	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.097757101 CEST	53	57266	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.135629892 CEST	60758	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.143450022 CEST	53	60758	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.143532991 CEST	64630	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.152244091 CEST	53	64630	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:06.159264088 CEST	58273	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:06.168112040 CEST	53	58273	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:07.027596951 CEST	55407	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.028105021 CEST	56024	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.034516096 CEST	61089	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.035423040 CEST	53	55407	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:07.036118984 CEST	53	56024	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:07.036881924 CEST	54212	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.043122053 CEST	53	61089	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:07.063908100 CEST	64528	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.071852922 CEST	53	64528	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:07.072422028 CEST	59211	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:07.080898046 CEST	53	59211	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:08.483648062 CEST	54424	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:08.525373936 CEST	53	49946	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:09.146274090 CEST	51961	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:09.155682087 CEST	53	51961	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:09.164771080 CEST	61686	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:09.173255920 CEST	53	61686	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:09.182427883 CEST	62129	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:09.190550089 CEST	53	62129	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.114828110 CEST	59791	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.123434067 CEST	53	59791	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.147377968 CEST	62642	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.147480011 CEST	52753	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.155587912 CEST	53	62642	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.155620098 CEST	53	52753	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.163783073 CEST	51502	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.164181948 CEST	53569	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.171231985 CEST	53	51502	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.171243906 CEST	51130	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.174653053 CEST	53	53569	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.178596020 CEST	53	51130	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.218672037 CEST	52564	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.219578981 CEST	49170	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.226985931 CEST	53	49170	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.227015972 CEST	53	52564	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:13.231508970 CEST	58450	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:13.239149094 CEST	53	58450	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:19.808051109 CEST	51542	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:19.816102028 CEST	53	51542	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:21.716192961 CEST	61306	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:21.724212885 CEST	53	61306	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:25.670185089 CEST	56777	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:25.678359032 CEST	53	56777	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:27.634521961 CEST	56398	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:27.634844065 CEST	62702	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:27.635108948 CEST	50889	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:27.642442942 CEST	53	62702	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:27.642462015 CEST	53	50889	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:27.644925117 CEST	53	56398	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.537363052 CEST	62507	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.537471056 CEST	58784	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.537751913 CEST	59699	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.544776917 CEST	53	62507	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.545283079 CEST	53	58784	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.545329094 CEST	56150	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.545684099 CEST	52084	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.547899961 CEST	53	59699	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.548404932 CEST	57698	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.552769899 CEST	53	56150	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.553808928 CEST	53	52084	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.554527998 CEST	64875	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.555140972 CEST	58639	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.555825949 CEST	53	57698	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.562304974 CEST	53	64875	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.562825918 CEST	62159	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.563019991 CEST	53	58639	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.563592911 CEST	51685	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.570127964 CEST	53	62159	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.570600986 CEST	53182	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.570875883 CEST	53	51685	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.571217060 CEST	60991	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:28.578361034 CEST	53	53182	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:28.578675032 CEST	53	60991	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.597363949 CEST	60992	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.598331928 CEST	62536	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.606045961 CEST	53	60992	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.615298033 CEST	53	62536	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.617748976 CEST	51219	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.623845100 CEST	55342	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.626137018 CEST	53	51219	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.630223989 CEST	60992	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.632181883 CEST	53	55342	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.635828972 CEST	59624	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.638497114 CEST	53	60992	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.639764071 CEST	49749	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:33.644676924 CEST	53	59624	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:33.647574902 CEST	53	49749	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:34.103231907 CEST	60465	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:34.111258030 CEST	53	60465	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:54.747791052 CEST	61507	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:54.756639004 CEST	53	61507	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:54.757813931 CEST	63814	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:01:54.765357018 CEST	53	63814	1.1.1.1	192.168.2.5
Oct 26, 2024 20:01:55.380677938 CEST	57842	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:02:03.958606005 CEST	50812	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:02:03.966321945 CEST	53	50812	1.1.1.1	192.168.2.5
Oct 26, 2024 20:02:35.508378983 CEST	60375	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:02:35.515574932 CEST	53	60375	1.1.1.1	192.168.2.5
Oct 26, 2024 20:02:35.516505957 CEST	60519	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:02:35.524538994 CEST	53	60519	1.1.1.1	192.168.2.5
Oct 26, 2024 20:02:36.173995972 CEST	64757	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:03:56.186150074 CEST	63686	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:03:56.194237947 CEST	53	63686	1.1.1.1	192.168.2.5
Oct 26, 2024 20:03:56.196285009 CEST	52869	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:03:56.203974009 CEST	53	52869	1.1.1.1	192.168.2.5
Oct 26, 2024 20:03:56.209204912 CEST	52618	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:03:56.216490030 CEST	53	52618	1.1.1.1	192.168.2.5
Oct 26, 2024 20:03:57.889348030 CEST	59501	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:04:04.800801992 CEST	52128	53	192.168.2.5	1.1.1.1
Oct 26, 2024 20:04:04.808917999 CEST	53	52128	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 20:01:04.801326990 CEST	192.168.2.5	1.1.1.1	0xb23e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:04.813524961 CEST	192.168.2.5	1.1.1.1	0x852e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:05.584567070 CEST	192.168.2.5	1.1.1.1	0xf4b7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.595808029 CEST	192.168.2.5	1.1.1.1	0x44	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.607847929 CEST	192.168.2.5	1.1.1.1	0xc269	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:05.822947979 CEST	192.168.2.5	1.1.1.1	0xf30d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.832128048 CEST	192.168.2.5	1.1.1.1	0x1892	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.841475964 CEST	192.168.2.5	1.1.1.1	0xa646	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:06.068217993 CEST	192.168.2.5	1.1.1.1	0xa130	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.079688072 CEST	192.168.2.5	1.1.1.1	0x52b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.080199957 CEST	192.168.2.5	1.1.1.1	0x3ec0	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.088321924 CEST	192.168.2.5	1.1.1.1	0x606d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:06.089447975 CEST	192.168.2.5	1.1.1.1	0x6248	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.135629892 CEST	192.168.2.5	1.1.1.1	0xc575	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:06.143532991 CEST	192.168.2.5	1.1.1.1	0x50ed	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.159264088 CEST	192.168.2.5	1.1.1.1	0x59de	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:07.027596951 CEST	192.168.2.5	1.1.1.1	0x887d	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.028105021 CEST	192.168.2.5	1.1.1.1	0x7a66	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.034516096 CEST	192.168.2.5	1.1.1.1	0x1dd	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.036881924 CEST	192.168.2.5	1.1.1.1	0xf3d7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.063908100 CEST	192.168.2.5	1.1.1.1	0xfdaf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.072422028 CEST	192.168.2.5	1.1.1.1	0x84cb	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:08.483648062 CEST	192.168.2.5	1.1.1.1	0x9afa	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:09.146274090 CEST	192.168.2.5	1.1.1.1	0xbc9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:09.164771080 CEST	192.168.2.5	1.1.1.1	0xb796	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:09.182427883 CEST	192.168.2.5	1.1.1.1	0x2f11	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:13.114828110 CEST	192.168.2.5	1.1.1.1	0xab5	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.147377968 CEST	192.168.2.5	1.1.1.1	0xf381	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.147480011 CEST	192.168.2.5	1.1.1.1	0x2c21	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.163783073 CEST	192.168.2.5	1.1.1.1	0xc42c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:13.164181948 CEST	192.168.2.5	1.1.1.1	0xf28c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:13.171243906 CEST	192.168.2.5	1.1.1.1	0xc8a4	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.218672037 CEST	192.168.2.5	1.1.1.1	0x7fb3	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.219578981 CEST	192.168.2.5	1.1.1.1	0xb43a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:13.231508970 CEST	192.168.2.5	1.1.1.1	0x4059	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:19.808051109 CEST	192.168.2.5	1.1.1.1	0x85d4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:21.716192961 CEST	192.168.2.5	1.1.1.1	0x81b1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:25.670185089 CEST	192.168.2.5	1.1.1.1	0xefc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:27.634521961 CEST	192.168.2.5	1.1.1.1	0x246a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.634844065 CEST	192.168.2.5	1.1.1.1	0x5212	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.635108948 CEST	192.168.2.5	1.1.1.1	0x8e58	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.537363052 CEST	192.168.2.5	1.1.1.1	0x3a63	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.537471056 CEST	192.168.2.5	1.1.1.1	0xf91d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.537751913 CEST	192.168.2.5	1.1.1.1	0xf1b9	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.545329094 CEST	192.168.2.5	1.1.1.1	0x8acc	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:28.545684099 CEST	192.168.2.5	1.1.1.1	0x3cfc	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 26, 2024 20:01:28.548404932 CEST	192.168.2.5	1.1.1.1	0x47ab	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:28.554527998 CEST	192.168.2.5	1.1.1.1	0x31f1	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.555140972 CEST	192.168.2.5	1.1.1.1	0xc51f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.562825918 CEST	192.168.2.5	1.1.1.1	0xde8b	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.563592911 CEST	192.168.2.5	1.1.1.1	0x645d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570600986 CEST	192.168.2.5	1.1.1.1	0x4263	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:28.571217060 CEST	192.168.2.5	1.1.1.1	0x5383	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:33.597363949 CEST	192.168.2.5	1.1.1.1	0x197	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 20:01:33.598331928 CEST	192.168.2.5	1.1.1.1	0xe814	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.617748976 CEST	192.168.2.5	1.1.1.1	0x85ce	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.623845100 CEST	192.168.2.5	1.1.1.1	0xf083	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.630223989 CEST	192.168.2.5	1.1.1.1	0xa37b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.635828972 CEST	192.168.2.5	1.1.1.1	0xcccf	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 26, 2024 20:01:33.639764071 CEST	192.168.2.5	1.1.1.1	0x339c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:34.103231907 CEST	192.168.2.5	1.1.1.1	0x33c4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:54.747791052 CEST	192.168.2.5	1.1.1.1	0x9578	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:54.757813931 CEST	192.168.2.5	1.1.1.1	0x8d9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:01:55.380677938 CEST	192.168.2.5	1.1.1.1	0x1296	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:02:03.958606005 CEST	192.168.2.5	1.1.1.1	0x3ccf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:02:35.508378983 CEST	192.168.2.5	1.1.1.1	0x3dbb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:02:35.516505957 CEST	192.168.2.5	1.1.1.1	0x9967	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:02:36.173995972 CEST	192.168.2.5	1.1.1.1	0x5ae7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:56.186150074 CEST	192.168.2.5	1.1.1.1	0x2257	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:56.196285009 CEST	192.168.2.5	1.1.1.1	0x27ad	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:56.209204912 CEST	192.168.2.5	1.1.1.1	0x4bac	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 20:03:57.889348030 CEST	192.168.2.5	1.1.1.1	0x339a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:04:04.800801992 CEST	192.168.2.5	1.1.1.1	0xbc2a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 20:01:04.790858030 CEST	1.1.1.1	192.168.2.5	0xeb9c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:04.809904099 CEST	1.1.1.1	192.168.2.5	0xb23e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.592350006 CEST	1.1.1.1	192.168.2.5	0xf4b7	No error (0)	youtube.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.603775978 CEST	1.1.1.1	192.168.2.5	0x44	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.616965055 CEST	1.1.1.1	192.168.2.5	0xc269	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:05.830846071 CEST	1.1.1.1	192.168.2.5	0xf30d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:05.830846071 CEST	1.1.1.1	192.168.2.5	0xf30d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.839879990 CEST	1.1.1.1	192.168.2.5	0x1892	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:05.849639893 CEST	1.1.1.1	192.168.2.5	0xa646	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 20:01:06.076271057 CEST	1.1.1.1	192.168.2.5	0xa130	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.087656021 CEST	1.1.1.1	192.168.2.5	0x52b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.087920904 CEST	1.1.1.1	192.168.2.5	0x3ec0	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:06.087920904 CEST	1.1.1.1	192.168.2.5	0x3ec0	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.097757101 CEST	1.1.1.1	192.168.2.5	0x6248	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.141258955 CEST	1.1.1.1	192.168.2.5	0x2742	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:06.141258955 CEST	1.1.1.1	192.168.2.5	0x2742	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:06.152244091 CEST	1.1.1.1	192.168.2.5	0x50ed	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.035423040 CEST	1.1.1.1	192.168.2.5	0x887d	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.036118984 CEST	1.1.1.1	192.168.2.5	0x7a66	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.036118984 CEST	1.1.1.1	192.168.2.5	0x7a66	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.043122053 CEST	1.1.1.1	192.168.2.5	0x1dd	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:07.043122053 CEST	1.1.1.1	192.168.2.5	0x1dd	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:07.043122053 CEST	1.1.1.1	192.168.2.5	0x1dd	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.044501066 CEST	1.1.1.1	192.168.2.5	0xf3d7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:07.044501066 CEST	1.1.1.1	192.168.2.5	0xf3d7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.071852922 CEST	1.1.1.1	192.168.2.5	0xfdaf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:07.080898046 CEST	1.1.1.1	192.168.2.5	0x84cb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 20:01:08.501737118 CEST	1.1.1.1	192.168.2.5	0x9afa	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:09.155682087 CEST	1.1.1.1	192.168.2.5	0xbc9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:09.173255920 CEST	1.1.1.1	192.168.2.5	0xb796	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.123434067 CEST	1.1.1.1	192.168.2.5	0xab5	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:13.123434067 CEST	1.1.1.1	192.168.2.5	0xab5	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:13.123434067 CEST	1.1.1.1	192.168.2.5	0xab5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.127444983 CEST	1.1.1.1	192.168.2.5	0xda20	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.155587912 CEST	1.1.1.1	192.168.2.5	0xf381	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.155620098 CEST	1.1.1.1	192.168.2.5	0x2c21	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.178596020 CEST	1.1.1.1	192.168.2.5	0xc8a4	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:13.178596020 CEST	1.1.1.1	192.168.2.5	0xc8a4	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.226608992 CEST	1.1.1.1	192.168.2.5	0x72db	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:13.226608992 CEST	1.1.1.1	192.168.2.5	0x72db	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:13.227015972 CEST	1.1.1.1	192.168.2.5	0x7fb3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:19.813397884 CEST	1.1.1.1	192.168.2.5	0x3849	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.642442942 CEST	1.1.1.1	192.168.2.5	0x5212	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:27.642442942 CEST	1.1.1.1	192.168.2.5	0x5212	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.642462015 CEST	1.1.1.1	192.168.2.5	0x8e58	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:27.642462015 CEST	1.1.1.1	192.168.2.5	0x8e58	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:27.644925117 CEST	1.1.1.1	192.168.2.5	0x246a	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.544776917 CEST	1.1.1.1	192.168.2.5	0x3a63	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.545283079 CEST	1.1.1.1	192.168.2.5	0xf91d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.547899961 CEST	1.1.1.1	192.168.2.5	0xf1b9	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.552769899 CEST	1.1.1.1	192.168.2.5	0x8acc	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.553808928 CEST	1.1.1.1	192.168.2.5	0x3cfc	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.555825949 CEST	1.1.1.1	192.168.2.5	0x47ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.555825949 CEST	1.1.1.1	192.168.2.5	0x47ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.555825949 CEST	1.1.1.1	192.168.2.5	0x47ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.555825949 CEST	1.1.1.1	192.168.2.5	0x47ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 20:01:28.562304974 CEST	1.1.1.1	192.168.2.5	0x31f1	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:28.562304974 CEST	1.1.1.1	192.168.2.5	0x31f1	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.562304974 CEST	1.1.1.1	192.168.2.5	0x31f1	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.562304974 CEST	1.1.1.1	192.168.2.5	0x31f1	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.562304974 CEST	1.1.1.1	192.168.2.5	0x31f1	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.563019991 CEST	1.1.1.1	192.168.2.5	0xc51f	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570127964 CEST	1.1.1.1	192.168.2.5	0xde8b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570127964 CEST	1.1.1.1	192.168.2.5	0xde8b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570127964 CEST	1.1.1.1	192.168.2.5	0xde8b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570127964 CEST	1.1.1.1	192.168.2.5	0xde8b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:28.570875883 CEST	1.1.1.1	192.168.2.5	0x645d	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.615298033 CEST	1.1.1.1	192.168.2.5	0xe814	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.615298033 CEST	1.1.1.1	192.168.2.5	0xe814	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.615298033 CEST	1.1.1.1	192.168.2.5	0xe814	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.615298033 CEST	1.1.1.1	192.168.2.5	0xe814	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.626137018 CEST	1.1.1.1	192.168.2.5	0x85ce	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:33.626137018 CEST	1.1.1.1	192.168.2.5	0x85ce	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.632181883 CEST	1.1.1.1	192.168.2.5	0xf083	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.632181883 CEST	1.1.1.1	192.168.2.5	0xf083	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.632181883 CEST	1.1.1.1	192.168.2.5	0xf083	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.632181883 CEST	1.1.1.1	192.168.2.5	0xf083	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:33.638497114 CEST	1.1.1.1	192.168.2.5	0xa37b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:34.900937080 CEST	1.1.1.1	192.168.2.5	0x8118	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:34.900937080 CEST	1.1.1.1	192.168.2.5	0x8118	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:54.756639004 CEST	1.1.1.1	192.168.2.5	0x9578	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:01:55.388734102 CEST	1.1.1.1	192.168.2.5	0x1296	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:01:55.388734102 CEST	1.1.1.1	192.168.2.5	0x1296	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:02:03.965214968 CEST	1.1.1.1	192.168.2.5	0x2bec	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:02:35.515574932 CEST	1.1.1.1	192.168.2.5	0x3dbb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:02:36.181385994 CEST	1.1.1.1	192.168.2.5	0x5ae7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:02:36.181385994 CEST	1.1.1.1	192.168.2.5	0x5ae7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:56.194237947 CEST	1.1.1.1	192.168.2.5	0x2257	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:56.203974009 CEST	1.1.1.1	192.168.2.5	0x27ad	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:03:57.897109985 CEST	1.1.1.1	192.168.2.5	0x339a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 20:03:57.897109985 CEST	1.1.1.1	192.168.2.5	0x339a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 20:04:04.799246073 CEST	1.1.1.1	192.168.2.5	0xd85a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	1276	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 20:01:05.891613007 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:06.484436035 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15409 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.107.221.82	80	1276	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 20:01:07.061238050 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:07.657069921 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19274 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:07.950562954 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:08.075860977 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:09.145279884 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:09.271400928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:13.760180950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:13.885303974 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19280 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:23.903359890 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:01:23.976025105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:24.101314068 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19291 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:24.346179962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:24.471911907 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19291 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:25.674206972 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:25.799455881 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19292 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:28.756781101 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:28.882769108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19295 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:29.370510101 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:29.495619059 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19296 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:34.384254932 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:34.509438992 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:34.871901989 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:34.996987104 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:35.018704891 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:35.143554926 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19302 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:01:45.162853956 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:01:55.182156086 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:01:55.513319016 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:01:55.807452917 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19322 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:02:04.782480001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:02:04.908695936 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19331 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:02:04.988693953 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:02:05.113672018 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19332 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:02:15.118069887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:25.131297112 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:35.197860956 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:36.306338072 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:02:36.431291103 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19363 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:02:46.447387934 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:56.675393105 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:06.688123941 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:16.695563078 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:58.020052910 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:03:58.342674017 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19445 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 20:04:05.570139885 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 20:04:05.695224047 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 19452 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	34.107.221.82	80	1276	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 20:01:07.183355093 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:07.779500961 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15410 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:08.357779980 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:08.482851982 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15411 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:13.110699892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:13.236232042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15416 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:19.777842999 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49765	34.107.221.82	80	1276	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 20:01:21.522399902 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:22.127650023 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15425 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:23.977320910 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:24.104528904 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15427 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:25.454793930 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:25.582151890 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15428 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:28.626416922 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:28.753746033 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15431 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:29.240808964 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:29.367614985 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15432 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:34.246591091 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:34.374650955 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15437 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:34.741108894 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:34.868573904 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15437 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:34.886210918 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:35.013376951 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15437 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:45.024764061 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:01:55.044044018 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:01:55.379858017 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:01:55.507671118 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:01:55.807476997 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:02:04.632787943 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:02:04.759802103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15467 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:02:04.854392052 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:02:04.981714010 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15467 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:02:14.986515045 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:24.999646902 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:35.197793007 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:36.173681974 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:02:36.301436901 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15499 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:02:46.309437037 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:02:56.321127892 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:06.333821058 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:16.347865105 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:26.361196995 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 20:03:57.889013052 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:03:58.016129017 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15580 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 20:04:05.439606905 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 20:04:05.567441940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 15588 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	14:00:57
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2e0000
File size:	919'552 bytes
MD5 hash:	A573ED2B5BFFE0B5DDCD8BC36359D595
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2106879441.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2107045434.0000000001907000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:00:58
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:00:58
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:01:00
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:01:01
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:01:01
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:01:01
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:01:01
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57535545-aed4-40be-aad8-2008f39b3989} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c069f6eb10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	14:01:03
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -parentBuildID 20230927232528 -prefsHandle 4316 -prefMapHandle 4308 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2443f705-0920-4c1b-8ba2-e5993ec13cb8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c07c422c10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:01:12
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5172 -prefMapHandle 5156 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322f45bd-ef92-49ae-b9cd-ac0d5c91d89f} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1c081b83710 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1574
Total number of Limit Nodes:	60

Executed Functions

Function 002E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002E430D

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

GetCurrentProcess.KERNEL32(?,0037CB64,00000000,?,?), ref: 002E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 002E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 002E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002E44A0

Strings

kernel32.dll, xrefs: 002E444F
GetNativeSystemInfo, xrefs: 002E4460
|O, xrefs: 003236F8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0bc45cec6feebd6ce1991b11af332353d68ccca831763eb29082f0a287b66c8f
Instruction ID: 0dcd46476e7ec4b1e96a2073722114c80a43ebbb7e59f7e5616a8fa3e3db9f80
Opcode Fuzzy Hash: 0bc45cec6feebd6ce1991b11af332353d68ccca831763eb29082f0a287b66c8f
Instruction Fuzzy Hash: 49A1E87DA2A3D0CFCB13DB697CA01997FEC6B26308FC856ADD24993B61F2644544CB21

Function 002E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002E50AA,?,?,00000000,00000000), ref: 002E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002E50AA,?,?,00000000,00000000), ref: 002E42C9
LoadResource.KERNEL32(?,00000000,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20), ref: 003235BE
SizeofResource.KERNEL32(?,00000000,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20), ref: 003235D3
LockResource.KERNEL32(002E50AA,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20,?), ref: 003235E6

Strings

SCRIPT, xrefs: 002E42BF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 190792425084c2d08df78aa40cb3ab0024e6b17354a4ef31d9e3b6490ace7d31
Instruction ID: 68d4ced45d185deb3c7e9e997c63b18490d3755a678c1c97742469f858bf7a42
Opcode Fuzzy Hash: 190792425084c2d08df78aa40cb3ab0024e6b17354a4ef31d9e3b6490ace7d31
Instruction Fuzzy Hash: 2E11A070250301BFDB229F66DC48F277BBDEBCAB51F10456DF90696160DB71D810C620

Function 00322BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 002E2B6B

Part of subcall function 002E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003B1418,?,002E2E7F,?,?,?,00000000), ref: 002E3A78

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,003A2224), ref: 00322C10
ShellExecuteW.SHELL32(00000000,?,?,003A2224), ref: 00322C17

Strings

runas, xrefs: 00322C0B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d2c681684e9d44c1fc694c21c9e161c735152267b271496fc748d599707bc9f6
Instruction ID: fbb781ed795b255dcc55d36c778719e58616c7b9b7f559e5fabd17299f0a0d6b
Opcode Fuzzy Hash: d2c681684e9d44c1fc694c21c9e161c735152267b271496fc748d599707bc9f6
Instruction Fuzzy Hash: C4110A311943C1AAC716FF62DC55EEE77AC9B91345FC4142DF186130A2DF308AA9CB52

Function 0034D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0034D501
Process32FirstW.KERNEL32(00000000,?), ref: 0034D50F
Process32NextW.KERNEL32(00000000,?), ref: 0034D52F
CloseHandle.KERNELBASE(00000000), ref: 0034D5DC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f69cb48b935bf2d7915fbf85220981015bcddbc831cfeb6088ce900c03434841
Instruction ID: 4a24536161e9603fc448df40ab3c8953efdfa2eb54ce8353f68eedff44a9e196
Opcode Fuzzy Hash: f69cb48b935bf2d7915fbf85220981015bcddbc831cfeb6088ce900c03434841
Instruction Fuzzy Hash: C331C2311183409FD311EF54C881AAFBBF8EF99344F90092DF585861A2EB71A988CB92

Function 0034DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00325222), ref: 0034DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0034DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0034DBEE
FindClose.KERNEL32(00000000), ref: 0034DBFA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d86a882e65494e80576580b64a878dbe4bfbeaf44bc2fc6df57c7f10c99ebbcf
Instruction ID: 3c176aedac5c529d0ba2c88e9cc7029337ab7cab795c9ed539bb5207e3f22bf2
Opcode Fuzzy Hash: d86a882e65494e80576580b64a878dbe4bfbeaf44bc2fc6df57c7f10c99ebbcf
Instruction Fuzzy Hash: 23F0A03082091457C2336BB8AC4D8AA37AC9F02334F504B1AF83AC20E0EBB06DD48695

Function 00304CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000,?,003128E9), ref: 00304D09
TerminateProcess.KERNEL32(00000000,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000,?,003128E9), ref: 00304D10
ExitProcess.KERNEL32 ref: 00304D22

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ca031ec6117dc2f568d15bf2336664c5fdea865b18f75cc70be270fbf6b9e085
Instruction ID: b5af83913043c54f7df5b5ed03f445d148d124d5a9707e79102b06bdf28179d1
Opcode Fuzzy Hash: ca031ec6117dc2f568d15bf2336664c5fdea865b18f75cc70be270fbf6b9e085
Instruction Fuzzy Hash: E8E0B671011248BBDF23AF54DD19A983B6DEB45785F114018FD099A173CB39DE82CA80

Function 002EBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#;, xrefs: 003307CE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#;
API String ID: 3964851224-2752655111
Opcode ID: 2e50400c2afbc822834ef0550453e48ec186bd36ee159bfa7dc311b02ef9799d
Instruction ID: 7a8d55b6d8c845c2d9bcde313a0536928615e9ef4d5dfdccebd8cc5a0cffc6b5
Opcode Fuzzy Hash: 2e50400c2afbc822834ef0550453e48ec186bd36ee159bfa7dc311b02ef9799d
Instruction Fuzzy Hash: 0AA2AB706183418FC715CF59C490B2ABBE0BF89304F64896DE99A8B362D771EC56CF92

Function 0036AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0036B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0036B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0036B1D4
_wcslen.LIBCMT ref: 0036B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0036B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0036B236
_wcslen.LIBCMT ref: 0036B332

Part of subcall function 003505A7: GetStdHandle.KERNEL32(000000F6), ref: 003505C6

_wcslen.LIBCMT ref: 0036B34B
_wcslen.LIBCMT ref: 0036B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036B3B6
GetLastError.KERNEL32(00000000), ref: 0036B407
CloseHandle.KERNEL32(?), ref: 0036B439
CloseHandle.KERNEL32(00000000), ref: 0036B44A
CloseHandle.KERNEL32(00000000), ref: 0036B45C
CloseHandle.KERNEL32(00000000), ref: 0036B46E
CloseHandle.KERNEL32(?), ref: 0036B4E3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2fb124cb18112d22ef4f73a30436bece70f3202ee19ff9ef310080eb2e77e037
Instruction ID: eaed841b5ecd9954fe769a96a7d2889bf683effa390d9659e9d4a671ec3037f7
Opcode Fuzzy Hash: 2fb124cb18112d22ef4f73a30436bece70f3202ee19ff9ef310080eb2e77e037
Instruction Fuzzy Hash: D9F1BE316043409FC726EF25C891B2EBBE5AF85314F15885DF9998B2A6DB31EC84CF52

Function 002ED730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002ED807
timeGetTime.WINMM ref: 002EDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EDB28
TranslateMessage.USER32(?), ref: 002EDB7B
DispatchMessageW.USER32(?), ref: 002EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EDB9F
Sleep.KERNELBASE(0000000A), ref: 002EDBB1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 954bd2a6aa2c840f4cde1450e27b6f334ebc1265734ef7bc72cdfc5bf1200e11
Instruction ID: 97e417121c783930abc9a22fe9e245921a6b727f97c371d505c97686d88e1ef8
Opcode Fuzzy Hash: 954bd2a6aa2c840f4cde1450e27b6f334ebc1265734ef7bc72cdfc5bf1200e11
Instruction Fuzzy Hash: B3421430668382DFD736CF25C894BAAB7E4BF46304F94462DE5558B291D770E864CF82

Function 002E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002E2D07
RegisterClassExW.USER32(00000030), ref: 002E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E2D42
InitCommonControlsEx.COMCTL32(?), ref: 002E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E2D6F
LoadIconW.USER32(000000A9), ref: 002E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E2D94

Strings

AutoIt v3 GUI, xrefs: 002E2D23
+, xrefs: 002E2CF0
0, xrefs: 002E2CE9
TaskbarCreated, xrefs: 002E2D37

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2e6ed3f237f082324c6279f6a7977e2dd7cd81454977e91003ebe9336b440d26
Instruction ID: fc6fb19fe389988ac936e986ab6a000641d5b9086054607d7fd7dd94726549eb
Opcode Fuzzy Hash: 2e6ed3f237f082324c6279f6a7977e2dd7cd81454977e91003ebe9336b440d26
Instruction Fuzzy Hash: F12129B4911348AFDB12DF94EC59BDDBBB8FB08705F00521AF615A6290D7B14544CF90

Function 0032065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0032039A: CreateFileW.KERNELBASE(00000000,00000000,?,00320704,?,?,00000000,?,00320704,00000000,0000000C), ref: 003203B7

GetLastError.KERNEL32 ref: 0032076F
__dosmaperr.LIBCMT ref: 00320776
GetFileType.KERNELBASE(00000000), ref: 00320782
GetLastError.KERNEL32 ref: 0032078C
__dosmaperr.LIBCMT ref: 00320795
CloseHandle.KERNEL32(00000000), ref: 003207B5
CloseHandle.KERNEL32(?), ref: 003208FF
GetLastError.KERNEL32 ref: 00320931
__dosmaperr.LIBCMT ref: 00320938

Strings

H, xrefs: 003208BD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ce7c0b41ee319b93ee85f678b706e67b29fb0bfbfe55e0195d64cc3f410ef53d
Instruction ID: 2fa84423e0deb6244d428347c364833c2841a72caa2f78b3e69b4f18b42c6625
Opcode Fuzzy Hash: ce7c0b41ee319b93ee85f678b706e67b29fb0bfbfe55e0195d64cc3f410ef53d
Instruction Fuzzy Hash: C5A12536A001188FDF2EEF68E851BAE7BA4EB06324F14015DF8159F2E2C7319856CB91

Function 002E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003B1418,?,002E2E7F,?,?,?,00000000), ref: 002E3A78

Part of subcall function 002E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0032318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003231CE
RegCloseKey.ADVAPI32(?), ref: 00323210
_wcslen.LIBCMT ref: 00323277
_wcslen.LIBCMT ref: 00323286

Strings

Include, xrefs: 00323184, 003231C5
\Include\, xrefs: 002E3527
\, xrefs: 0032328C
Software\AutoIt v3\AutoIt, xrefs: 002E3560

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4c551b8d32463168fd7d94bdfafd012fed724fe94ea165321b86c43008c78aed
Instruction ID: edd02d5cc23604e1cd87e20f37ffd24b690c47fbf8c1ce4223b086e755d915ff
Opcode Fuzzy Hash: 4c551b8d32463168fd7d94bdfafd012fed724fe94ea165321b86c43008c78aed
Instruction Fuzzy Hash: 0771D5755143409EC316EF26EC819ABB7ECFF89744F804A2EF64987160DB349A48CF51

Function 002E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 002E2B9D
LoadIconW.USER32(00000063), ref: 002E2BB3
LoadIconW.USER32(000000A4), ref: 002E2BC5
LoadIconW.USER32(000000A2), ref: 002E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E2BEF
RegisterClassExW.USER32(?), ref: 002E2C40

Part of subcall function 002E2CD4: GetSysColorBrush.USER32(0000000F), ref: 002E2D07
Part of subcall function 002E2CD4: RegisterClassExW.USER32(00000030), ref: 002E2D31
Part of subcall function 002E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E2D42
Part of subcall function 002E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002E2D5F
Part of subcall function 002E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E2D6F
Part of subcall function 002E2CD4: LoadIconW.USER32(000000A9), ref: 002E2D85
Part of subcall function 002E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E2D94

Strings

0, xrefs: 002E2C0F
AutoIt v3, xrefs: 002E2C2F
#, xrefs: 002E2C16

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ed27fe862ed8b5f91e27bb67c0b321b47c42fe28071fee79661c700c7889ae50
Instruction ID: f08d7b9d2d3f94cf01b0d45804de2875ee97830cd6ad827a9f771e92cbc85a3d
Opcode Fuzzy Hash: ed27fe862ed8b5f91e27bb67c0b321b47c42fe28071fee79661c700c7889ae50
Instruction Fuzzy Hash: 4E214179D10358AFDB229FA5EC65A9D7FF8FB08B54F50011AE608A6660E7B10540CF90

Function 002E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002E316A,?,?), ref: 002E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,002E316A,?,?), ref: 002E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002E316A,?,?), ref: 002E3232
CreatePopupMenu.USER32 ref: 002E3246
PostQuitMessage.USER32(00000000), ref: 002E3267

Strings

TaskbarCreated, xrefs: 002E322D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 36595a1d729e4bd9852348653a96aea0324f42c18f2b6596c1b2a20c6e42e77a
Instruction ID: b7cebf45188ed0ef33c37e50a04b03a63e373694b3fedd21106961944ba16393
Opcode Fuzzy Hash: 36595a1d729e4bd9852348653a96aea0324f42c18f2b6596c1b2a20c6e42e77a
Instruction Fuzzy Hash: 05416D352B01C0ABDB279F399C2D7B9365CE701346FC4022DFB598B1A1DBB08E6097A1

Function 002E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002E1459
CoUninitialize.COMBASE ref: 002E14F8
UnregisterHotKey.USER32(?), ref: 002E16DD
DestroyWindow.USER32(?), ref: 003224B9
FreeLibrary.KERNEL32(?), ref: 0032251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0032254B

Strings

close all, xrefs: 002E1454

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f616823846785991cbe8b741fa03a28e0c30291d158bdfbbaee75b79a8bddd6a
Instruction ID: fdd57a2ed2c55aeed8981199f48afc19c09931ba18753aba6c60154e026a5877
Opcode Fuzzy Hash: f616823846785991cbe8b741fa03a28e0c30291d158bdfbbaee75b79a8bddd6a
Instruction Fuzzy Hash: 98D1F431721262DFCB2AEF16D895A29F7A4BF05700F6141ADE54A6B261CB30ED32CF50

Function 002E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,002E1CAD,?), ref: 002E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,002E1CAD,?), ref: 002E2CCF

Strings

AutoIt v3, xrefs: 002E2C89, 002E2C8E, 002E2C8F
edit, xrefs: 002E2CAC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b6f801fd65424793f4e149a37083955b9d32d965d49da71349c3df72bc585eba
Instruction ID: 4a97edb922ad67a48fe300d8171b91a02f0d09ab66b7b58de20eeee88bb08491
Opcode Fuzzy Hash: b6f801fd65424793f4e149a37083955b9d32d965d49da71349c3df72bc585eba
Instruction Fuzzy Hash: 31F03A795502907AEB330723AC18E772EFDD7C7F54F54511EFA08A21A0E6A50840DBB0

Function 002E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B83

Strings

Control Panel\Mouse, xrefs: 002E3B3E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c0ae9b874cf4d9b4f4a3fb6e7a6232ae97fa7a2d737b04317c1b038d40848d7c
Instruction ID: 559dd591fba4ab7de96ded16737d6ca642a2704d87d7cc79b922f8790f44ffc8
Opcode Fuzzy Hash: c0ae9b874cf4d9b4f4a3fb6e7a6232ae97fa7a2d737b04317c1b038d40848d7c
Instruction Fuzzy Hash: 33115AB1560208FFDB21CFA6DC48AAEB7BCEF04749B50445DE806D7110D231DE5097A0

Function 002E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003233A2

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E3A04

Strings

Line: , xrefs: 003233EB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f0adae64f7d93febd25e417d2e0fef12a04997203435ff1433a61d30feb2270c
Instruction ID: 443e29ec100254aaa5cf75ae26bd8fc3efecc7078bb71f37fbbcd4f284f8c10a
Opcode Fuzzy Hash: f0adae64f7d93febd25e417d2e0fef12a04997203435ff1433a61d30feb2270c
Instruction Fuzzy Hash: 5631E571468380AAC322EB11DC59BEBB7DCAF40714F90062EF69993091EB709658CBD2

Function 002E2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00322C8C

Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2

Part of subcall function 002E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E2DC4

Strings

X, xrefs: 00322C5A
`e:, xrefs: 00322C85

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e:
API String ID: 779396738-2000733710
Opcode ID: 4afac6a504f3886579f8e0ea6bb6d3c7e5ba3032c7cf8247df292b0dce8acb3d
Instruction ID: 0ab3ea73a1fae9fd886fb21ed6bc02c5987f398614a1783b437ab572e42dd30a
Opcode Fuzzy Hash: 4afac6a504f3886579f8e0ea6bb6d3c7e5ba3032c7cf8247df292b0dce8acb3d
Instruction Fuzzy Hash: 6521D870A10298AFCF02DF95CC09BEE7BFCAF49304F444059E505B7241DBB455898F61

Function 002FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00300668

Part of subcall function 003032A4: RaiseException.KERNEL32(?,?,?,0030068A,?,003B1444,?,?,?,?,?,?,0030068A,002E1129,003A8738,002E1129), ref: 00303304

__CxxThrowException@8.LIBVCRUNTIME ref: 00300685

Strings

Unknown exception, xrefs: 00300692

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 96a9c75fe8dd5015538a38ab2df601f2d7e92431d263dd76170f7b9dd241bcdc
Instruction ID: f267add687018156055e9d13454dec7af8bb5604f8fb0f34329ab7642b715c23
Opcode Fuzzy Hash: 96a9c75fe8dd5015538a38ab2df601f2d7e92431d263dd76170f7b9dd241bcdc
Instruction Fuzzy Hash: 7DF0C23490120DB7CB06BAA4DC66EAEB76DAE01350F604571FA149A5D1EF72EA25C680

Function 002E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002E1BF4
Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002E1BFC
Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002E1C07
Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002E1C12
Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002E1C1A
Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002E1C22

Part of subcall function 002E1B4A: RegisterWindowMessageW.USER32(00000004,?,002E12C4), ref: 002E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002E136A
OleInitialize.OLE32 ref: 002E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003224AB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c3ca0d4878adf6e1dc5796ec85e5404ed517019e976e786f2081622f5a8972fb
Instruction ID: f75cf4479a64058e497cbe9d08ec0c5befbf9275054dd768092e74ce9011b226
Opcode Fuzzy Hash: c3ca0d4878adf6e1dc5796ec85e5404ed517019e976e786f2081622f5a8972fb
Instruction Fuzzy Hash: 3A71B2B99212448EC3A7DF7AA8656953BE8BB8A34CBD4832FD70AC7261E7304411CF51

Function 0034C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0034C259
KillTimer.USER32(?,00000001,?,?), ref: 0034C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0034C270

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9a4c981938ebe6561e1922e66b184e513f7775cd4d82076696e1cfd978d84ff5
Instruction ID: 8faad0a53cedb43cd88f64e2e4371086ca67fc73d5dae992f67209ed012120da
Opcode Fuzzy Hash: 9a4c981938ebe6561e1922e66b184e513f7775cd4d82076696e1cfd978d84ff5
Instruction Fuzzy Hash: C631C8709153446FEFB39F6488557D7BBECAB06308F00149DD2DDA7142C7B46A84CB51

Function 003186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003185CC,?,003A8CC8,0000000C), ref: 00318704
GetLastError.KERNEL32(?,003185CC,?,003A8CC8,0000000C), ref: 0031870E
__dosmaperr.LIBCMT ref: 00318739

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 5691bf323e0c5b4c71cefa6830b575bdcd290b90184eeee6467c3b0cd9bfcde7
Instruction ID: c30682a6372ca0aff0d276d57bf1d33cfbc2395759b9a643d7095a911bc69f58
Opcode Fuzzy Hash: 5691bf323e0c5b4c71cefa6830b575bdcd290b90184eeee6467c3b0cd9bfcde7
Instruction Fuzzy Hash: 4E012B3670562056D67F633468457FE674D4BCD778F3A061AFA189F1D2DEA08CC18158

Function 002EDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 002EDB7B
DispatchMessageW.USER32(?), ref: 002EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EDB9F
Sleep.KERNELBASE(0000000A), ref: 002EDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00331CC9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c61856bbda0dea1384eceb8296451b3fd79d0fd92b9eca3ce71e408bee31d978
Instruction ID: 8929906dbc81dd15d632affd3532d37b029171c3cbf52bd01f90b20d4379e984
Opcode Fuzzy Hash: c61856bbda0dea1384eceb8296451b3fd79d0fd92b9eca3ce71e408bee31d978
Instruction Fuzzy Hash: A4F05E306643859BEB35CB61DC99FEA73ACEB45314F50562DE65AC30D0EB30A488CB25

Function 002F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002F17F6

Strings

CALL, xrefs: 002F17C6

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b767bc53fc647ea351e89f8812470442f0b2c3f63955c79b5bdd886a738b8ad3
Instruction ID: de40ca2d88800903fcf75cb6d4b7aed778a2ade71d91305622fbef94a8af6dcf
Opcode Fuzzy Hash: b767bc53fc647ea351e89f8812470442f0b2c3f63955c79b5bdd886a738b8ad3
Instruction Fuzzy Hash: DA22AA70618205DFD715CF14C481A2AFBF5BF85394FA4892DF68A8B261D771E861CF82

Function 002E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E3908

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3f6b7eccf0e7da9dc9f817f6e14f0df4bea953155b04b95ac5439d4e188ebeb2
Instruction ID: 78a0f33127d726066be5db2c3eb6eabfb8f21354fbb97744828016e050acc2cc
Opcode Fuzzy Hash: 3f6b7eccf0e7da9dc9f817f6e14f0df4bea953155b04b95ac5439d4e188ebeb2
Instruction Fuzzy Hash: 2F31F2745143018FD322DF25D8987A7BBF8FB48309F40092EF69D87240E7B1AA54CB52

Function 002FF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002FF661

Part of subcall function 002ED730: GetInputState.USER32 ref: 002ED807

Sleep.KERNEL32(00000000), ref: 0033F2DE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 81ad14b90ebf34d3823e2fe1180613c3159e09c632fb5d6f26139c721e10b1e1
Instruction ID: 1d8ba3c4cfd2696e176601228f2a402690139cc55b141fe9e28a27657d6fc85a
Opcode Fuzzy Hash: 81ad14b90ebf34d3823e2fe1180613c3159e09c632fb5d6f26139c721e10b1e1
Instruction Fuzzy Hash: 25F08C352A02459FD324EF7AD449B6AB7E8EF45760F40002DE96EC7360DB70A850CF90

Function 002E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E9C
Part of subcall function 002E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4EAE
Part of subcall function 002E4E90: FreeLibrary.KERNEL32(00000000,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EFD

Part of subcall function 002E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E62
Part of subcall function 002E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4E74
Part of subcall function 002E4E59: FreeLibrary.KERNEL32(00000000,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E87

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c799979f27ab24a53a333fb25ac0b5ab289c156864ce15f2c80740d3a77049f9
Instruction ID: 7ca46802d48e069460e5815a9111bb7e0f7224ec7771f52e5b4b28bc318a3b19
Opcode Fuzzy Hash: c799979f27ab24a53a333fb25ac0b5ab289c156864ce15f2c80740d3a77049f9
Instruction Fuzzy Hash: 26113A326B0315AACF25FF62DC02FAD77A4AF40B14F50882DF542AA1C1DE789A249B50

Function 00318402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00318440

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 4a823e5d5d96130f4d8f77a8031661c30a574e9316ae5bb9ea0ebe100893e3cd
Instruction ID: f02039dd8865d0911450e7d972f358230fb685daea245378d41977826032a05e
Opcode Fuzzy Hash: 4a823e5d5d96130f4d8f77a8031661c30a574e9316ae5bb9ea0ebe100893e3cd
Instruction Fuzzy Hash: 7111487190410AAFCB0ADF58E9409DA7BF9EF48304F114069F808AB312DB30DA11CBA8

Function 00315000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00314C7D: RtlAllocateHeap.NTDLL(00000008,002E1129,00000000,?,00312E29,00000001,00000364,?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?), ref: 00314CBE

_free.LIBCMT ref: 0031506C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 6127c9d02387435e8f4c2d6ccd819e3e88ad5a89b1d1598b299d0bf329218157
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 90012672204704ABE3268F699881ADAFBECFBCD370F25051DE18487280EA30A845C6B4

Function 0030E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 53e90d9dd617ffb5143759bdc47b246d7bec12f921a8a2ede5ef33184be3c6dc
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 39F07832602A18AAC7373A69AC25B9B338C8F56330F110F15F420DB1C2CF75D84186A9

Function 00314C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002E1129,00000000,?,00312E29,00000001,00000364,?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?), ref: 00314CBE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5e7f6a43747dfa47dab09a713ee2813ae4de07891638c2c6fe713031ee994b8f
Instruction ID: 0ccaf65eadf5762bd2e11b4cefe26c01ab2c4c6c22f1ac8e455260e2d4dbeca8
Opcode Fuzzy Hash: 5e7f6a43747dfa47dab09a713ee2813ae4de07891638c2c6fe713031ee994b8f
Instruction Fuzzy Hash: 3FF0E93160322477DB2B5F669C09BDA378CBF55BA0B168125BD19AA5C0CA30D88087E0

Function 00313820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1483ef05d77d1b30e2652be7c75b1a687fe9c757e3029e5c87fc15dce48348d5
Instruction ID: 95cca5b021f5bdb032f23e3785cd75b3ea2cc98c4c6b235cc811aa2980b3331c
Opcode Fuzzy Hash: 1483ef05d77d1b30e2652be7c75b1a687fe9c757e3029e5c87fc15dce48348d5
Instruction Fuzzy Hash: 0BE02B3110122496D73727779C14BDB374CAF467B0F060134BD0C968C0DB10DE8582E1

Function 002E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4F6D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 69e9efe02c8ef8cb8177e265505317d4bf1bab22b1a0ba0138dbf92bfcd0e274
Instruction ID: 661834d2912bd787566189082913f60452b43ea12b4f6e0229477d9b9dfadcec
Opcode Fuzzy Hash: 69e9efe02c8ef8cb8177e265505317d4bf1bab22b1a0ba0138dbf92bfcd0e274
Instruction Fuzzy Hash: EEF0A070165382CFCB34AF22D490812B7E4BF00719350897EE1DA83910C7319C54DF00

Function 00372A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00372A66

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 64185342742a13d4ef76bfba2f6d9d537b396d3cec2069212cc9fafb72c4ec9a
Instruction ID: 485a39211d3e2bd38ec3da16a9b2a2be706b65d6498d3d16b49dfa82610d300d
Opcode Fuzzy Hash: 64185342742a13d4ef76bfba2f6d9d537b396d3cec2069212cc9fafb72c4ec9a
Instruction Fuzzy Hash: 69E04F36350116AAC766EA30EC809FB739CEB50395B10953AAC1ADA110DF34999586A0

Function 002E30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 002E314E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d5aa54a840fe005c4f40f5456b7beea410279671e4a54e38ba5b50530d24b45f
Instruction ID: 31086b17db8fda27cee6139db8a17c90c56e38d7b918234eeec66c20289e1649
Opcode Fuzzy Hash: d5aa54a840fe005c4f40f5456b7beea410279671e4a54e38ba5b50530d24b45f
Instruction Fuzzy Hash: 43F082749143049FE7539B24DC597967AECA70170CF0001E9A24C96181E7705788CB41

Function 002E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E2DC4

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c63f0e4c3afca630c9133a65f46dd24e523d9a220b8e2797f6f1aa7e08a74d2d
Instruction ID: 71993e6c503ba1a968fb55d052b986118f9cd59ca0442df382f3300761518046
Opcode Fuzzy Hash: c63f0e4c3afca630c9133a65f46dd24e523d9a220b8e2797f6f1aa7e08a74d2d
Instruction Fuzzy Hash: 98E0CD726001246BCB2192589C05FDA77DDDFC87D0F040175FD09E7258D960ADC08550

Function 002E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E3908

Part of subcall function 002ED730: GetInputState.USER32 ref: 002ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 002E2B6B

Part of subcall function 002E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002E314E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 54dd8584fba0e2bb073bac13e9324a012dff96a87119f408a3b7ff057923eb4c
Instruction ID: be93071179b643f098456588a640ea88d0b51867784987968ea8df5a86bfda6c
Opcode Fuzzy Hash: 54dd8584fba0e2bb073bac13e9324a012dff96a87119f408a3b7ff057923eb4c
Instruction Fuzzy Hash: 1BE026213A02C443C604FB33A82A5ADB35D8BD1316FC0153EF14283162CE244AA94B11

Function 0032039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00320704,?,?,00000000,?,00320704,00000000,0000000C), ref: 003203B7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8853cab1524b1ff07dbabb609917fdc0f1b84d17a1dd5462fa3ff0e72bdb4614
Instruction ID: 0a2c23d1c6648867d0d74b3b73fe6479e637abbd7713db9ecbede55b7eb94c08
Opcode Fuzzy Hash: 8853cab1524b1ff07dbabb609917fdc0f1b84d17a1dd5462fa3ff0e72bdb4614
Instruction Fuzzy Hash: D9D06C3205010DBBDF128F84DD06EDA3BAAFB48714F014050BE1866020C732E861AB90

Function 002E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002E1CBC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9226cbc3817d07195c7ddb332561bfa37b51d5e3c36708f97a2aa9301243906b
Instruction ID: 3994e92bcb252db03d374cc18b737fb31e7e18d3bc6c516c36729f8e6dc3e707
Opcode Fuzzy Hash: 9226cbc3817d07195c7ddb332561bfa37b51d5e3c36708f97a2aa9301243906b
Instruction Fuzzy Hash: ABC09B35280304DFF2274781BC5AF11775CA349B14F444101F70D555E3D3A22450D750

Non-executed Functions

Function 00379576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0037961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0037965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0037969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003796C9
SendMessageW.USER32 ref: 003796F2
GetKeyState.USER32(00000011), ref: 0037978B
GetKeyState.USER32(00000009), ref: 00379798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003797AE
GetKeyState.USER32(00000010), ref: 003797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003797E9
SendMessageW.USER32 ref: 00379810
SendMessageW.USER32(?,00001030,?,00377E95), ref: 00379918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0037992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00379941
SetCapture.USER32(?), ref: 0037994A
ClientToScreen.USER32(?,?), ref: 003799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003799D6
ReleaseCapture.USER32 ref: 003799E1
GetCursorPos.USER32(?), ref: 00379A19
ScreenToClient.USER32(?,?), ref: 00379A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00379A80
SendMessageW.USER32 ref: 00379AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00379AEB
SendMessageW.USER32 ref: 00379B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00379B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00379B4A
GetCursorPos.USER32(?), ref: 00379B68
ScreenToClient.USER32(?,?), ref: 00379B75
GetParent.USER32(?), ref: 00379B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00379BFA
SendMessageW.USER32 ref: 00379C2B
ClientToScreen.USER32(?,?), ref: 00379C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00379CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00379CDE
SendMessageW.USER32 ref: 00379D01
ClientToScreen.USER32(?,?), ref: 00379D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00379D82

Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952

GetWindowLongW.USER32(?,000000F0), ref: 00379E05

Strings

p#;, xrefs: 00379990
F, xrefs: 00379D07
@GUI_DRAGID, xrefs: 0037997D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#;
API String ID: 3429851547-1510108329
Opcode ID: c6eeef7d7f12e22662902a52734f289269addead95c81357d31cbba774a4b9ec
Instruction ID: 8336be13d7bc8b8aee0c5a1789fe186d031edd6381af8b13fad8eaad1cff1e17
Opcode Fuzzy Hash: c6eeef7d7f12e22662902a52734f289269addead95c81357d31cbba774a4b9ec
Instruction Fuzzy Hash: E6428B74204241AFD736CF24CC84BAABBE9FF49324F15871EF699872A1D735A850CB81

Function 00374873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00374908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00374927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0037494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0037495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0037497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00374A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00374A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00374A7E
IsMenu.USER32(?), ref: 00374A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00374AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00374B20
GetWindowLongW.USER32(?,000000F0), ref: 00374B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00374BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00374C82
wsprintfW.USER32 ref: 00374CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00374CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00374CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00374D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00374D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00374D5A

Strings

%d/%02d/%02d, xrefs: 00374CA8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: c248564c0fd8e635da1215c1b300a7ab5a01d5429cc96f66dbb61686b798c1e7
Instruction ID: b74c50573c34fe174e2c3b08df8ac3c3dc4550df3a90fd0e5bf05e70b5836201
Opcode Fuzzy Hash: c248564c0fd8e635da1215c1b300a7ab5a01d5429cc96f66dbb61686b798c1e7
Instruction Fuzzy Hash: B312C171500258ABEB368F24CD49FAEBBF8EF45710F14812DF91ADA2E1D778A941CB50

Function 002FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033F474
IsIconic.USER32(00000000), ref: 0033F47D
ShowWindow.USER32(00000000,00000009), ref: 0033F48A
SetForegroundWindow.USER32(00000000), ref: 0033F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0033F4AA
GetCurrentThreadId.KERNEL32 ref: 0033F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0033F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0033F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0033F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0033F4DE
SetForegroundWindow.USER32(00000000), ref: 0033F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F4F6
keybd_event.USER32(00000012,00000000), ref: 0033F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F50B
keybd_event.USER32(00000012,00000000), ref: 0033F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F519
keybd_event.USER32(00000012,00000000), ref: 0033F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F528
keybd_event.USER32(00000012,00000000), ref: 0033F52D
SetForegroundWindow.USER32(00000000), ref: 0033F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0033F557

Strings

Shell_TrayWnd, xrefs: 0033F46F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fb52cb981cbdb84f997c9377d7e5ad28c47c69c1f73a43a1cc8cd36b740c5fc7
Instruction ID: 37b80c162a2458f69f7a3c15d3fc8fb3b995dde0a17f63bfe5c79ca440915781
Opcode Fuzzy Hash: fb52cb981cbdb84f997c9377d7e5ad28c47c69c1f73a43a1cc8cd36b740c5fc7
Instruction Fuzzy Hash: 71319471E50218BFFB326BB65C8AFBF7E6CEB45B50F111029F604EA1D1C6B15D40AA60

Function 00341201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
Part of subcall function 003416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
Part of subcall function 003416C3: GetLastError.KERNEL32 ref: 0034174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00341286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003412A8
CloseHandle.KERNEL32(?), ref: 003412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003412D1
GetProcessWindowStation.USER32 ref: 003412EA
SetProcessWindowStation.USER32(00000000), ref: 003412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00341310

Part of subcall function 003410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003411FC), ref: 003410D4
Part of subcall function 003410BF: CloseHandle.KERNEL32(?,?,003411FC), ref: 003410E9

Strings

winsta0, xrefs: 003412CC
Z:, xrefs: 00341392
, xrefs: 0034125A
default, xrefs: 0034130B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z:
API String ID: 22674027-902221358
Opcode ID: 5bf55391a52a4842d0e84193c8fb2d7347e04704c03b784f36118d004bdca143
Instruction ID: 2b5d69217868b7321dfec5406ef18e2faaa5caccd54bbc18240f4d62881397f8
Opcode Fuzzy Hash: 5bf55391a52a4842d0e84193c8fb2d7347e04704c03b784f36118d004bdca143
Instruction Fuzzy Hash: 5B819D71900209AFDF229FA5DC49FEE7BBDEF04704F144129FA14BA2A0D775A984CB60

Function 00340B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
Part of subcall function 003410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
Part of subcall function 003410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
Part of subcall function 003410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00340BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00340C00
GetLengthSid.ADVAPI32(?), ref: 00340C17
GetAce.ADVAPI32(?,00000000,?), ref: 00340C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00340C6D
GetLengthSid.ADVAPI32(?), ref: 00340C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00340C8C
HeapAlloc.KERNEL32(00000000), ref: 00340C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00340CB4
CopySid.ADVAPI32(00000000), ref: 00340CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00340CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00340D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00340D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D45
HeapFree.KERNEL32(00000000), ref: 00340D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D55
HeapFree.KERNEL32(00000000), ref: 00340D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D65
HeapFree.KERNEL32(00000000), ref: 00340D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00340D78
HeapFree.KERNEL32(00000000), ref: 00340D7F

Part of subcall function 00341193: GetProcessHeap.KERNEL32(00000008,00340BB1,?,00000000,?,00340BB1,?), ref: 003411A1
Part of subcall function 00341193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00340BB1,?), ref: 003411A8
Part of subcall function 00341193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00340BB1,?), ref: 003411B7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9fca9f234579b9f6eb653d0d723d20f980c94e396afba9c3c889a6a06d5129f9
Instruction ID: fdf569f6b8a7f2c693c6d84ae039975db0dd299679e7c8eea89de992d40f213a
Opcode Fuzzy Hash: 9fca9f234579b9f6eb653d0d723d20f980c94e396afba9c3c889a6a06d5129f9
Instruction Fuzzy Hash: D0715071A00209ABDF16DFE4DC44FAEBBBCBF05310F054529EA15AA151D771E945CBA0

Function 0035EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0037CC08), ref: 0035EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0035EB37
GetClipboardData.USER32(0000000D), ref: 0035EB43
CloseClipboard.USER32 ref: 0035EB4F
GlobalLock.KERNEL32(00000000), ref: 0035EB87
CloseClipboard.USER32 ref: 0035EB91
GlobalUnlock.KERNEL32(00000000), ref: 0035EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0035EBC9
GetClipboardData.USER32(00000001), ref: 0035EBD1
GlobalLock.KERNEL32(00000000), ref: 0035EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0035EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0035EC38
GetClipboardData.USER32(0000000F), ref: 0035EC44
GlobalLock.KERNEL32(00000000), ref: 0035EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0035EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0035EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0035ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0035ECF3
CountClipboardFormats.USER32 ref: 0035ED14
CloseClipboard.USER32 ref: 0035ED59

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 729fc8d1a7026f385743eadfea44f869d6a13820b9804aca7232c2d34330b1b9
Instruction ID: 9d6785942b5f409f8efa69290c2bcef80f9ea4823b1cb051c7e34acf444f86a6
Opcode Fuzzy Hash: 729fc8d1a7026f385743eadfea44f869d6a13820b9804aca7232c2d34330b1b9
Instruction Fuzzy Hash: E06102342042019FC716EF20C898F2A77E8AF84705F58555DF85A972B2CB30DE89CBA2

Function 0035698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003569BE
FindClose.KERNEL32(00000000), ref: 00356A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00356A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00356A75

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00356AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00356ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00356B6A
%4d, xrefs: 00356BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00356B32
%03d, xrefs: 00356DA2
%02d, xrefs: 00356C00, 00356C0A, 00356C5A, 00356CAA, 00356CFA, 00356D4A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a85da2adfae785743aa5cf89f3f51624a24655f74f2201bdc249f8bbc7268879
Instruction ID: 7105b3eb39ab18452c16c71b0f2478c2fdf1bd7d6629935ca418fcb83e6933f2
Opcode Fuzzy Hash: a85da2adfae785743aa5cf89f3f51624a24655f74f2201bdc249f8bbc7268879
Instruction Fuzzy Hash: 47D1B6715583409FC711EBA1C992EAFB7ECAF88704F84491EF985C7151EB34DA48CB62

Function 00359642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00359663
GetFileAttributesW.KERNEL32(?), ref: 003596A1
SetFileAttributesW.KERNEL32(?,?), ref: 003596BB
FindNextFileW.KERNEL32(00000000,?), ref: 003596D3
FindClose.KERNEL32(00000000), ref: 003596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0035974A
SetCurrentDirectoryW.KERNEL32(003A6B7C), ref: 00359768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00359772
FindClose.KERNEL32(00000000), ref: 0035977F
FindClose.KERNEL32(00000000), ref: 0035978F

Strings

*.*, xrefs: 003596F5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e0baee60be2ed6c51e5a03aaa1698e207ad0691180bc563b80892141ec60bc9c
Instruction ID: 16ca824585385df90f004d2a5717676e53b4a04fcb222589aa69bdabaaa7a75b
Opcode Fuzzy Hash: e0baee60be2ed6c51e5a03aaa1698e207ad0691180bc563b80892141ec60bc9c
Instruction Fuzzy Hash: E231D232501209AADF22AFB4DC09EDE37AC9F09321F14445BE809E21A0DB34DA888A64

Function 0035979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00359819
FindClose.KERNEL32(00000000), ref: 00359824
FindFirstFileW.KERNEL32(*.*,?), ref: 00359840
SetCurrentDirectoryW.KERNEL32(?), ref: 00359890
SetCurrentDirectoryW.KERNEL32(003A6B7C), ref: 003598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003598B8
FindClose.KERNEL32(00000000), ref: 003598C5
FindClose.KERNEL32(00000000), ref: 003598D5

Part of subcall function 0034DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0034DB00

Strings

*.*, xrefs: 0035983B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ac24f5e0b76e970234559548971058c25821f2ddf127a3b17901ed6f0c4ee43c
Instruction ID: 7d55d217daa9f4b9d70b753bac549357ef50a15315f546a52ce59646872a302c
Opcode Fuzzy Hash: ac24f5e0b76e970234559548971058c25821f2ddf127a3b17901ed6f0c4ee43c
Instruction Fuzzy Hash: 5331C332501219EADF22AFB4DC49FDE77ACDF06321F15455AE814A61E1DB30DA89CB24

Function 0036BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0036BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0036BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0036C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0036C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0036C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0036C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0036C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0036C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0036C382
RegCloseKey.ADVAPI32(00000000), ref: 0036C38F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d71764a8f9e2ece4cb7987adbdcfbef46ee0458595c2bb21f7073213bebdc917
Instruction ID: 87d91c32c6e87b57307d6adb094bd988e0ca31c75fe86580ba70d84d8194f5e6
Opcode Fuzzy Hash: d71764a8f9e2ece4cb7987adbdcfbef46ee0458595c2bb21f7073213bebdc917
Instruction Fuzzy Hash: 20025B706142409FC715CF28C895E2ABBE5AF89308F59C49DF88ACB2A6D731EC45CF91

Function 00358195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00358257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00358267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00358273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00358310
SetCurrentDirectoryW.KERNEL32(?), ref: 00358324
SetCurrentDirectoryW.KERNEL32(?), ref: 00358356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0035838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00358395

Strings

*.*, xrefs: 0035839B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 465886a58fbfae201371145ffe0fd97e2580e6849f149342b06c04e836f723ee
Instruction ID: 21b7ee2874c254b1579f324d65da9941650748c0045ac9a79604505d3efcdf97
Opcode Fuzzy Hash: 465886a58fbfae201371145ffe0fd97e2580e6849f149342b06c04e836f723ee
Instruction Fuzzy Hash: 9E6167765143459FCB11EF60C840DAEB3E8BF89310F44892EF99997261EB31E949CF92

Function 0034D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2

Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A

FindFirstFileW.KERNEL32(?,?), ref: 0034D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0034D1DD
MoveFileW.KERNEL32(?,?), ref: 0034D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0034D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0034D237

Part of subcall function 0034D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0034D21C,?,?), ref: 0034D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0034D253
FindClose.KERNEL32(00000000), ref: 0034D264

Strings

\*.*, xrefs: 0034D0CD, 0034D0D6, 0034D0EB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 470933c07bb7bb21585b66306dddb318a054eedb126d34ec76c7deff76d9179e
Instruction ID: 0f180c19d197f2939f6c4f9140565406db6f361aabad0c65018cf873d1132fa0
Opcode Fuzzy Hash: 470933c07bb7bb21585b66306dddb318a054eedb126d34ec76c7deff76d9179e
Instruction Fuzzy Hash: 0D618F3184114D9FCF16EBE1C9929EDB7B9AF55300F604569E4067B1A2EB30AF49CF60

Function 0035ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0035ED91
EmptyClipboard.USER32 ref: 0035ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0035EDAC
CloseClipboard.USER32 ref: 0035EEA3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c2a372069e6ef790103f91cb531a93306fb6df72e131a2f4046e5616ebc83d47
Instruction ID: c5a310637014dbb825363ce7cc3041064761ef16701df694d2cd01ab766b7473
Opcode Fuzzy Hash: c2a372069e6ef790103f91cb531a93306fb6df72e131a2f4046e5616ebc83d47
Instruction Fuzzy Hash: 1141DF342142119FD726CF15D889F19BBE8EF04319F15C09DE8198BA72C731ED81CB90

Function 0034E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
Part of subcall function 003416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
Part of subcall function 003416C3: GetLastError.KERNEL32 ref: 0034174A

ExitWindowsEx.USER32(?,00000000), ref: 0034E932

Strings

SeShutdownPrivilege, xrefs: 0034E902
@, xrefs: 0034E925
, xrefs: 0034E95C
, xrefs: 0034E920

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6fd4c30350674b21c4e0b39bd803f23214774ec82621753a9daf4803d4d58f00
Instruction ID: 2a3986e056f019083ad6ecdcf8545bc5e71e7c62f6597922412857c72579c440
Opcode Fuzzy Hash: 6fd4c30350674b21c4e0b39bd803f23214774ec82621753a9daf4803d4d58f00
Instruction Fuzzy Hash: 9001FE73620211ABEB6626B49C86FBF72DCB714751F160825FC13EE1E1D7697C808290

Function 00361204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00361276
WSAGetLastError.WSOCK32 ref: 00361283
bind.WSOCK32(00000000,?,00000010), ref: 003612BA
WSAGetLastError.WSOCK32 ref: 003612C5
closesocket.WSOCK32(00000000), ref: 003612F4
listen.WSOCK32(00000000,00000005), ref: 00361303
WSAGetLastError.WSOCK32 ref: 0036130D
closesocket.WSOCK32(00000000), ref: 0036133C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 21e31e99ceb02cb36c7ea4cd93244f29194b13af406711414e5c45375fc58468
Instruction ID: 7f514690024f6ef844d72493eb37856260922827b5d13f006076e7da580dddf4
Opcode Fuzzy Hash: 21e31e99ceb02cb36c7ea4cd93244f29194b13af406711414e5c45375fc58468
Instruction Fuzzy Hash: 69418135600140AFD721DF64C498B2ABBE5AF46318F2DC58CD8568F29AC771EC81CBA1

Function 0031B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0031B9D4
_free.LIBCMT ref: 0031B9F8
_free.LIBCMT ref: 0031BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00383700), ref: 0031BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0031BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003B1270,000000FF,?,0000003F,00000000,?), ref: 0031BC36
_free.LIBCMT ref: 0031BD4B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 6425dd0ab078283af3055cacb99c2851e0882a1f289ceb105d32e7017f071215
Instruction ID: 0df2a6b9c26354e3e72e0eb5338117fea25fcfb577d824c8e891fea4c6fce38e
Opcode Fuzzy Hash: 6425dd0ab078283af3055cacb99c2851e0882a1f289ceb105d32e7017f071215
Instruction Fuzzy Hash: FAC13671A04205AFCB2F9F68DC51AEAFBBCEF49310F15459AE591DB291E7308E81C790

Function 0034D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2

Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A

FindFirstFileW.KERNEL32(?,?), ref: 0034D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0034D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0034D481
FindClose.KERNEL32(00000000), ref: 0034D498
FindClose.KERNEL32(00000000), ref: 0034D4A1

Strings

\*.*, xrefs: 0034D3F2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: efe15ba5181746200a30f382b6d8687e7e4e103de2084a0e2825fcc6d4a9c274
Instruction ID: 0fce609c0ff310d205f99b8737f40b9e417e4160a11e0b66142cfbd7fb66df30
Opcode Fuzzy Hash: efe15ba5181746200a30f382b6d8687e7e4e103de2084a0e2825fcc6d4a9c274
Instruction Fuzzy Hash: 923190310683859BC712EF65C8568AF77ECAE91304F844E1DF4D553292EF30AA59CB63

Function 0031E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0031E645

Strings

1#SNAN, xrefs: 0031F844
1#INF, xrefs: 0031F852
1#QNAN, xrefs: 0031F84B
1#IND, xrefs: 0031F83D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 19cb6f698654711b231a8453db7a1317e493fecbc82e63bc97bfc1aba3666185
Instruction ID: 01b8eadf2ccfaec93173c2122f1acb297a1fa36e7faf621722ab2bf084b0c6c6
Opcode Fuzzy Hash: 19cb6f698654711b231a8453db7a1317e493fecbc82e63bc97bfc1aba3666185
Instruction Fuzzy Hash: 0EC23D71E086298FDB2ACE28DD407EAB7B9EB49305F1541EAD84DE7240D775AEC18F40

Function 0035648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003564DC
CoInitialize.OLE32(00000000), ref: 00356639
CoCreateInstance.OLE32(0037FCF8,00000000,00000001,0037FB68,?), ref: 00356650
CoUninitialize.OLE32 ref: 003568D4

Strings

.lnk, xrefs: 003564BA, 00356524, 003565E0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8b71a787d08a896a86380aca92bda390666610e4892f3a8ffcc6b3fc53f77c6f
Instruction ID: 7752d182a31912edf693a23ccd5834a96812037ee860606a3d7936e0ba8895cc
Opcode Fuzzy Hash: 8b71a787d08a896a86380aca92bda390666610e4892f3a8ffcc6b3fc53f77c6f
Instruction Fuzzy Hash: 12D18971558240AFC311EF24C881D6BB7E8FF99304F90496DF4958B2A1EB30EE49CB92

Function 003622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003622E8

Part of subcall function 0035E4EC: GetWindowRect.USER32(?,?), ref: 0035E504

GetDesktopWindow.USER32 ref: 00362312
GetWindowRect.USER32(00000000), ref: 00362319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00362355
GetCursorPos.USER32(?), ref: 00362381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003623DF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a6d1bafe76d67cee283ba195367408847aaeca71bef577c0d25342a2990e538b
Instruction ID: 3827df9e4fc79aa29af31c0d9532040b86602ed7ab62abc783fe2740d1a17d42
Opcode Fuzzy Hash: a6d1bafe76d67cee283ba195367408847aaeca71bef577c0d25342a2990e538b
Instruction Fuzzy Hash: 2131ED72104705AFC722DF14C848A9BBBE9FF84310F11491DF8889B281DB34EA48CB92

Function 00359B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00359B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00359C8B

Part of subcall function 00353874: GetInputState.USER32 ref: 003538CB
Part of subcall function 00353874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00353966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00359BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00359C75

Strings

*.*, xrefs: 00359B5D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 02c3e33f2245af018833c1b4a75a5a700283e6205372e7070dec1b3815ef0da6
Instruction ID: 9dc734ad1e20171871b9cacf2b183db46f28ba25ac1045d789813aa415455e7f
Opcode Fuzzy Hash: 02c3e33f2245af018833c1b4a75a5a700283e6205372e7070dec1b3815ef0da6
Instruction Fuzzy Hash: D641607194020ADFDF16DF64C849FEE7BB8EF05311F64405AE805A61A1EB309E98CFA0

Function 002F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002F9A4E
GetSysColor.USER32(0000000F), ref: 002F9B23
SetBkColor.GDI32(?,00000000), ref: 002F9B36

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f747eda9139fdf24ac56ce7de91e5e136b5b9978f4982886132083ba219da45c
Instruction ID: 84ef6097f7fc26d7296b554402868b9e811ca7f15421fcb6995f685ed157be66
Opcode Fuzzy Hash: f747eda9139fdf24ac56ce7de91e5e136b5b9978f4982886132083ba219da45c
Instruction Fuzzy Hash: 2AA15DB013844CBEE7379E2C8CD9F7B769DDB42384F11422AF712CA691CA659DA1C271

Function 00361806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0036304E: inet_addr.WSOCK32(?), ref: 0036307A
Part of subcall function 0036304E: _wcslen.LIBCMT ref: 0036309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0036185D
WSAGetLastError.WSOCK32 ref: 00361884
bind.WSOCK32(00000000,?,00000010), ref: 003618DB
WSAGetLastError.WSOCK32 ref: 003618E6
closesocket.WSOCK32(00000000), ref: 00361915

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 96fb0b3ddd7d706a536b234cd8606f43d14479e0d57aec04d188de82156d5477
Instruction ID: a61adec473a85de8684b3d1910a9693d5b1a9c31de714c548b14321ce81898fc
Opcode Fuzzy Hash: 96fb0b3ddd7d706a536b234cd8606f43d14479e0d57aec04d188de82156d5477
Instruction Fuzzy Hash: 0551B371A50200AFDB11AF24C886F2AB7E5AB44718F58C49CF91A9F3D7C771AD41CBA1

Function 00371C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00371CC0
IsWindowEnabled.USER32 ref: 00371CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00371CDB
IsIconic.USER32 ref: 00371CE9
IsZoomed.USER32 ref: 00371CF7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 340b46c412c6def4c3aaf2068887db3c56f5d6dbceb50acc9cf67278d5f8ab56
Instruction ID: b64d4bddb52c2aca2a28a20b98107a049fc0941d160a58542c0185d6bc57dacf
Opcode Fuzzy Hash: 340b46c412c6def4c3aaf2068887db3c56f5d6dbceb50acc9cf67278d5f8ab56
Instruction Fuzzy Hash: D62194327402515FD7338F5ED884B667BA9AF85315F19C05CE84D8B251CB75DC42CB90

Function 002E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 002E813C
VUUU, xrefs: 002E83FA
VUUU, xrefs: 00325DF0
VUUU, xrefs: 002E843C
VUUU, xrefs: 002E83E8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: b13a11ac23e7697e399f667817ea3830c0cf8087a35787fe5483d91cc1a0cf36
Instruction ID: dcbde257c539e6c4012d1583f3d881f3568bb2b516b95c1619aba9705c32c1cf
Opcode Fuzzy Hash: b13a11ac23e7697e399f667817ea3830c0cf8087a35787fe5483d91cc1a0cf36
Instruction Fuzzy Hash: 8FA2E370E5026ACBCF25CF59D8417ADB3B1FF54310F6581AAD859A7280EB709E91CF90

Function 00348298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003482AA

Strings

(, xrefs: 003482F0
tb:, xrefs: 003484F4
|, xrefs: 003482DA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb:$|
API String ID: 1659193697-3789105877
Opcode ID: a7128300503541e262666e20057ba48a4fbeed9833cf7e9aa30ff773e6f7c7e9
Instruction ID: 11b5c64cad60ca4d250966c161377087f511d829177638713dcebee0a8736f5a
Opcode Fuzzy Hash: a7128300503541e262666e20057ba48a4fbeed9833cf7e9aa30ff773e6f7c7e9
Instruction Fuzzy Hash: AC323679A007059FCB29CF19C481A6AB7F0FF48710B15C56EE59ADB7A1EB70E981CB40

Function 0034AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0034AAAC
SetKeyboardState.USER32(00000080), ref: 0034AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0034AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0034AB88

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bb7d7c0a8ece4f22a5784e2036d2ee4d9e62161c71a8ed82a1bf7e350bc1eb76
Instruction ID: bae44b4669b9a507d99eef154f231bf85b3f1551d258348cb557d6a06b137a99
Opcode Fuzzy Hash: bb7d7c0a8ece4f22a5784e2036d2ee4d9e62161c71a8ed82a1bf7e350bc1eb76
Instruction Fuzzy Hash: 0B31F670AC0A48AEFF37CA658C05BFA7BEAEB44310F04421AF5855E1D1D375A981D7A2

Function 0035CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0035CE89
GetLastError.KERNEL32(?,00000000), ref: 0035CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0035CEFE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c16ec2c94a0ddbdd1a438e65ef69260aeae44db7bbaca7d53eb26ccdebd4ff76
Instruction ID: d5fe18fdaefcefd597010f80b7828b0d607c424e221e0f0a218ced1e567e5877
Opcode Fuzzy Hash: c16ec2c94a0ddbdd1a438e65ef69260aeae44db7bbaca7d53eb26ccdebd4ff76
Instruction Fuzzy Hash: 0921ACB15103059FEB328FA5C94AFA677FCEB0031AF10581EE946A2161E770EE488B50

Function 00355C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00355CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00355D17
FindClose.KERNEL32(?), ref: 00355D5F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: de5e3435ff8981b37d35bf5db8c356ad6cd43b3f1f72c989e006e721002edccf
Instruction ID: a942369f19d594801f20963154e43e3336466dd795c7e6d727567534eca02dbf
Opcode Fuzzy Hash: de5e3435ff8981b37d35bf5db8c356ad6cd43b3f1f72c989e006e721002edccf
Instruction Fuzzy Hash: 56517435604A019FC715CF28C4A4E9AB7E8FF49314F15855EE95A8B3A2CB30F949CF91

Function 00312622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0031271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00312724
UnhandledExceptionFilter.KERNEL32(?), ref: 00312731

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 480045e0cf571489f169a2d6eea1c81c2241a94588abfe3bcc8b5e338c224b67
Instruction ID: 843ad76264dba931a0fa18ddd7bc7ae0ef815d0b77e61b20d310d6004255094b
Opcode Fuzzy Hash: 480045e0cf571489f169a2d6eea1c81c2241a94588abfe3bcc8b5e338c224b67
Instruction Fuzzy Hash: 8331C67491121C9BCB26DF68DC897DDB7B8AF08310F5041EAE41CA72A1E7749F918F45

Function 003551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00355238
SetErrorMode.KERNEL32(00000000), ref: 003552A1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1267964b4a26c34dc01abb780e6ffdf0b8e5cf8575356f7de578f8be13fffc6b
Instruction ID: c6efbd2d5441ad4e632163d4afd0c25c9f6673ee66615a85c1804c266f516560
Opcode Fuzzy Hash: 1267964b4a26c34dc01abb780e6ffdf0b8e5cf8575356f7de578f8be13fffc6b
Instruction Fuzzy Hash: 08318E35A10508DFDB01DF94D884EADBBB4FF08314F448499E809AB362DB31E85ACF90

Function 003416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00300668
Part of subcall function 002FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00300685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
GetLastError.KERNEL32 ref: 0034174A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7ba1d05c27f00dc39670be5a97e643d18f4415c458b8a0c038f20d508741b71a
Instruction ID: 112f6b4768b9a191f003c863007e3bb713b324f7371ef3c4652c5297ecb87024
Opcode Fuzzy Hash: 7ba1d05c27f00dc39670be5a97e643d18f4415c458b8a0c038f20d508741b71a
Instruction Fuzzy Hash: 9F11C1B2410308AFE7289F54DC86D6ABBFDFF04754B20852EE05657241EB70FC81CA60

Function 0034D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0034D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034D650

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 32e597aa5efb022675d2d9baab3dfd4010596d07b90792b45785e436c5c3cdfe
Instruction ID: 27106054435bceea69e3b0513266e8c8ef047a52ee2fba2748f0f1cad985a64e
Opcode Fuzzy Hash: 32e597aa5efb022675d2d9baab3dfd4010596d07b90792b45785e436c5c3cdfe
Instruction Fuzzy Hash: 34118E75E01228BFDB218F98DC44FAFBBBCEB45B50F108125F908E7290C2705A018BA1

Function 00341663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0034168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003416A1
FreeSid.ADVAPI32(?), ref: 003416B1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ba97fbf77a9daec119a1924f5bc0ed47865990d115af1a0c4b25161acce984b0
Instruction ID: 7ffcf5865425d9c2f858cc0113e91ba23a29403b7b123ebab20e0f2069fe76c7
Opcode Fuzzy Hash: ba97fbf77a9daec119a1924f5bc0ed47865990d115af1a0c4b25161acce984b0
Instruction Fuzzy Hash: 46F0F471950309FBDB01DFE49C89EAEBBBCFB08704F504565E901E2181E774EA848BA0

Function 0031C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0031C36C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 892b3b89f75cc4d14d220bb0e0a85139208e140fef88e7a76f14cbc0698ad5c9
Instruction ID: e8d916df47d028a38b23db890b63d40bc30ee01ac5258cdeb5774092137346a0
Opcode Fuzzy Hash: 892b3b89f75cc4d14d220bb0e0a85139208e140fef88e7a76f14cbc0698ad5c9
Instruction Fuzzy Hash: D3414776940218AFCB299FB9CC48EFB77B8EB88314F1046A9F915DB180E6309DC1CB50

Function 0033D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0033D28C

Strings

X64, xrefs: 0033D2A8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 05af764843eb40e13c747122e09fbc4c8842751dc570fa3b016ea96aaa7c25ae
Instruction ID: dcce25237e2ee60682522b99b1a8c19f9db3b5961640be6bf3f92d7f6e7f6f6b
Opcode Fuzzy Hash: 05af764843eb40e13c747122e09fbc4c8842751dc570fa3b016ea96aaa7c25ae
Instruction Fuzzy Hash: 07D0C9B482511DEBCF91CB90ECC8DDAB37CBB04345F100559F506E2000DB7095488F10

Function 0030CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c661685a31be2872e9cc906c8d5929f5bb0967ce17e72dd5a26a48252d9835f3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 45022D71E112199BDF15CFA9C8906ADFBF1EF48314F25826AD819EB384D730AE41CB84

Function 002ECAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00330C40
p#;, xrefs: 002ECF7F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#;
API String ID: 0-3772276233
Opcode ID: 812a9063b2dfc0e76cfafd7e755d98a050dbde9cb3efc0d0af2008550102585a
Instruction ID: 52ac94188f03bd30c80b49c06b00d66b0b60f490b6884dfe2c49d42076592d18
Opcode Fuzzy Hash: 812a9063b2dfc0e76cfafd7e755d98a050dbde9cb3efc0d0af2008550102585a
Instruction Fuzzy Hash: 0232CE70960258DFCF19DF91C890AEDB7B5BF05304FA4806AE806AB292C775AD56CF60

Function 003568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00356918
FindClose.KERNEL32(00000000), ref: 00356961

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5a6c355d3467bc8c4e4333d0bc38ca9e669c983f6ca1a8dbc3a84d3bebb1a8de
Instruction ID: 9a81723467c053437ee1609ccf9e8b2694895f6b1a6894a7299c02d07e95843f
Opcode Fuzzy Hash: 5a6c355d3467bc8c4e4333d0bc38ca9e669c983f6ca1a8dbc3a84d3bebb1a8de
Instruction Fuzzy Hash: 5A11D0316142009FCB10CF6AD485E16BBE4FF84329F55C69DE8698F6A2CB30EC45CB91

Function 003537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00364891,?,?,00000035,?), ref: 003537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00364891,?,?,00000035,?), ref: 003537F4

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ae23646546ee24ed993998c0ad0d4c1c33e0778edfa0385b85ed2d7de6ba0b27
Instruction ID: a90967553379dcc4f84521531fa3a7e965f0a478a8c64de2e71ea625d63781ce
Opcode Fuzzy Hash: ae23646546ee24ed993998c0ad0d4c1c33e0778edfa0385b85ed2d7de6ba0b27
Instruction Fuzzy Hash: C7F0EC706052243AE72117765C4DFDB369DEFC8761F000165F509D2291D9605944C7B0

Function 0034B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0034B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0034B270

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: dbb73685a8006a184d14475a2f3885d9047b016a12835b8ab6a0b3f13857e339
Instruction ID: 255be6c42f43da99259a0db65970af55e115a05b52d80dc3c9f00d37abcf6439
Opcode Fuzzy Hash: dbb73685a8006a184d14475a2f3885d9047b016a12835b8ab6a0b3f13857e339
Instruction Fuzzy Hash: 34F06D7080428EABDB169FA0C805BAEBBB4FF04305F008409F955A91A2C379D2019F94

Function 003410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003411FC), ref: 003410D4
CloseHandle.KERNEL32(?,?,003411FC), ref: 003410E9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b6eecf04b89b40e7ba2c4bcd0514d082a5d60165d698a1ab53ea600f399c0da7
Instruction ID: 60e5908ec6b08c01eb43c435e731022a940c89d857f721da1b9ffd5c6f8b4678
Opcode Fuzzy Hash: b6eecf04b89b40e7ba2c4bcd0514d082a5d60165d698a1ab53ea600f399c0da7
Instruction Fuzzy Hash: BEE09A72024610AEF7662B51FD05E77B7A9EF04350F14882DB5A5844B1DA62ACE0DA50

Function 0031676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00316766,?,?,00000008,?,?,0031FEFE,00000000), ref: 00316998

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f7f8aafc6e9c6ce8a12d77ea875c924c777f1da13cc7587e2dd9483424ba88a0
Instruction ID: eda4d4bbe5e8ba3bcac1506e9ccfe91c04b0d5b3642cd99b8b4dd8310bd44b51
Opcode Fuzzy Hash: f7f8aafc6e9c6ce8a12d77ea875c924c777f1da13cc7587e2dd9483424ba88a0
Instruction Fuzzy Hash: 65B13D71510609DFD71ACF68C486BA57BE0FF49364F2A8658E899CF2A2C335D991CB40

Function 002FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0033851F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4619fa1405ad5fab39296aa4c232186cd5db9e2b15a39ffa25d7346b0dcee581
Instruction ID: 4d90899b668a794de3f7f6d2edfcb7d986e197e4b4f9161db4dbb142979366f5
Opcode Fuzzy Hash: 4619fa1405ad5fab39296aa4c232186cd5db9e2b15a39ffa25d7346b0dcee581
Instruction Fuzzy Hash: D4127F759102299FDB25CF58C9906FEB7B5FF48310F1081AAE949EB251EB709A81CF90

Function 0035EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0035EABD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: badffc1a343a7e667ead0d44f3fc82fac2c46886ce89ded7516e7b779a0c7e04
Instruction ID: 5f3b075f159af961a5998f94cb4421919d0c5af79601d052db32a1f7b3a9efdb
Opcode Fuzzy Hash: badffc1a343a7e667ead0d44f3fc82fac2c46886ce89ded7516e7b779a0c7e04
Instruction Fuzzy Hash: 34E04F312202049FC711EF6AD844E9AF7EDBF98760F40841AFD4AC7361DB70E9458B90

Function 003009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003003EE), ref: 003009DA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 359eaca76ce59ca37fb12e97dff5f92f8ff2da61fce9cc5158c9cbfaace39373
Instruction ID: 3230b14bd0285e523bdd5b6733ac8de1ab7186568c60bff5211bf615551522ad
Opcode Fuzzy Hash: 359eaca76ce59ca37fb12e97dff5f92f8ff2da61fce9cc5158c9cbfaace39373
Instruction Fuzzy Hash:

Function 0030781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0030798B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0d60be49666c2d48ecc3baf80eebbc6e9bf88ff7cbf29e3cc840fb7c495e48d0
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B3515861E0F6495BDB3B8668887F7FF23899B42340F198509D886DBAC2C715FE41D362

Function 00352046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&;, xrefs: 00352053

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: 0&;
API String ID: 0-2852083330
Opcode ID: 0cf4e3ba703912d7bd9f06c94cb620f6561128ddec410f5fb560ba7eb44d0774
Instruction ID: 18043645df1025120f020c567c49f565eac05d6a4e3aa37c034970ba8fa91175
Opcode Fuzzy Hash: 0cf4e3ba703912d7bd9f06c94cb620f6561128ddec410f5fb560ba7eb44d0774
Instruction Fuzzy Hash: 9821D5326216118BDB28CE79C822A7F73E9A754314F158A2EE4A7C77D0DE35A904CB80

Function 00316DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce62b83847241a4b35bb93e1120dfef9b55567b8b007d2100e0a56cb51f75cdb
Instruction ID: 57c68abbfbb002ef82c10cbf4410bebfface702434fe7ab6aa89cdb0a72f1865
Opcode Fuzzy Hash: ce62b83847241a4b35bb93e1120dfef9b55567b8b007d2100e0a56cb51f75cdb
Instruction Fuzzy Hash: 8F320431D29F014DD7279634D822336A69DAFBB3C5F19D737E82AB59A5EB29C4C34200

Function 002FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7ee23ac106373627839be1d4c9ab0481e7fa8a12040afcfcc255b82d832ecd
Instruction ID: 4554813c622a49e38a04c304e315c6f23d66738472c37f103e244d1789182db5
Opcode Fuzzy Hash: 2e7ee23ac106373627839be1d4c9ab0481e7fa8a12040afcfcc255b82d832ecd
Instruction Fuzzy Hash: 03323831A2025D8BCF2ACF28C5D067DB7A1EB45340F39A17BE949AB6A1D330DD91DB40

Function 002E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9073feeaa1c1d8144454c5a49e346c5c5f3c1832eddc2c628563029663daff
Instruction ID: 45d5004cd7820374826ed9facbbd0a9dc568387b5cc331bf86537bf3b0b6f399
Opcode Fuzzy Hash: db9073feeaa1c1d8144454c5a49e346c5c5f3c1832eddc2c628563029663daff
Instruction Fuzzy Hash: E722D270A1465ADFDF14CF65D881AAEB3F5FF44300F604629E816EB291EB35AE60CB50

Function 002E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6431c983c923a3ca13a58d6dd5906302861a564e29e9904b6e8d974aa9a0af7
Instruction ID: ed53c2fc56cf3f04f10976b6048bb3d347128d4b60c8f1a2ae966e624ca97547
Opcode Fuzzy Hash: c6431c983c923a3ca13a58d6dd5906302861a564e29e9904b6e8d974aa9a0af7
Instruction Fuzzy Hash: D702E7B1E10119EFDF05DF55D982AAEB7B5FF44300F518169E9069B290EB31AE60CF80

Function 00301C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 6e831b468072961b090bfd792de30864ac2f0b1fa911643a0e8d20ba47f3e896
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: CE91887220A0A34ADB6F863E857403EFFE15A923A131B079DE4F2CB5C5FE24D954D620

Function 003019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 3219f7ac0d0d862c2a87377a316726b52a4ef92afa7f70fac8d908009361df37
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF91517220B0A34ADB6F427A857403EFFE55A923A231B079ED4F2CA5C1FF24C564D620

Function 00307A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77d1f0c5eb37d3c158829a7db46a74f645964bfaa6cf88abc5411e776d995a3
Instruction ID: b8fec7d5e73f975c5945fd0a4351ba3132c10aea91594fccd9fe7abc664bd46f
Opcode Fuzzy Hash: d77d1f0c5eb37d3c158829a7db46a74f645964bfaa6cf88abc5411e776d995a3
Instruction Fuzzy Hash: 0C614871F0A74966EA3B9A2C88B5BBE3398DF41710F110919E883DF7C1DA51BE42C365

Function 00307CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1be8bb3753ca5ce0b3825655bcf8f3fd4819277bf110abd2ea297e88b24cd61
Instruction ID: 0b74c7ea82c063a8e85ce97bc4abd6aaf32bbdebe6f6bb2d849ebcc21093d4a1
Opcode Fuzzy Hash: a1be8bb3753ca5ce0b3825655bcf8f3fd4819277bf110abd2ea297e88b24cd61
Instruction Fuzzy Hash: AB618A71E0B70967DE3B5A288871BBF2388EF42740F110959E982DFAC1DA12FD42C355

Function 00301706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2214ad5120ee1f6398a26da053f7c868e8283540e1311f5a212be8d4e32acb4a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1F81953360A0A34ADB6F427A857443EFFE15A923A131B079DD4F2CB5C1EE24C654E660

Function 00333CD5 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dea3643dd0fb8b84690f5c5adf524865d94afa4e701c68d2d7be5735719f05
Instruction ID: 573f467a64360fb6d1907de415edb750146b68024d5065cc458783ea7fb6d6b9
Opcode Fuzzy Hash: 29dea3643dd0fb8b84690f5c5adf524865d94afa4e701c68d2d7be5735719f05
Instruction Fuzzy Hash: 2E71A0B68182E09FCF27CF24C4E4692BFE1EF1B320B5A88EEC5855F555D270A955CB02

Function 002FD064 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1530c5c3dcf19450da0e34e8f03aba1a61c377fe8a23f1991782508ce064d52
Instruction ID: 3b1f1a94c81eb9a848a97d70294d037884ebbb556598b6df3e94ca0fbc1e973a
Opcode Fuzzy Hash: f1530c5c3dcf19450da0e34e8f03aba1a61c377fe8a23f1991782508ce064d52
Instruction Fuzzy Hash: B261FC7255EAE2DFCB139B348CE9645BFB0AE6724030949EBC0814F49BD6A49019CF97

Function 002E90B7 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3af5a99f5d9d82605ee594352612db4675f9b2ceda83f8944519d2abe60bb9
Instruction ID: 637d3fec78f40798e373e2580207af914ad844ae4656c25767db0864a121d755
Opcode Fuzzy Hash: 5b3af5a99f5d9d82605ee594352612db4675f9b2ceda83f8944519d2abe60bb9
Instruction Fuzzy Hash: 9531416A6AD2C05ECB030B795CBA3E23FB4DE2730475C26CBD0C15E0A3C1055687CB02

Function 00362ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00362B30
DeleteObject.GDI32(00000000), ref: 00362B43
DestroyWindow.USER32 ref: 00362B52
GetDesktopWindow.USER32 ref: 00362B6D
GetWindowRect.USER32(00000000), ref: 00362B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00362CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00362CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362CF8
GetClientRect.USER32(00000000,?), ref: 00362D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00362D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D80
GlobalLock.KERNEL32(00000000), ref: 00362D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D98
GlobalUnlock.KERNEL32(00000000), ref: 00362DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362DA8
GlobalFree.KERNEL32(00000000), ref: 00362DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0037FC38,00000000), ref: 00362DDB
GlobalFree.KERNEL32(00000000), ref: 00362DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00362E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00362E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0036303F

Strings

, xrefs: 00362FC5
AutoIt v3, xrefs: 00362CF2
DISPLAY, xrefs: 00362EA2
static, xrefs: 00362D3A, 00362E91

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b33fcdcca76936d4bd1c04d554cfce51ca2186db3249c7b5c5c943963288129d
Instruction ID: 723e36f2ad0d44598b58e623951f6ed9b33b34651307e49ff2fddc695b1f6406
Opcode Fuzzy Hash: b33fcdcca76936d4bd1c04d554cfce51ca2186db3249c7b5c5c943963288129d
Instruction Fuzzy Hash: 98027B75910204EFDB26DF64CC89EAF7BB9EB48310F048558F919AB2A1DB74AD41CF60

Function 003770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0037712F
GetSysColorBrush.USER32(0000000F), ref: 00377160
GetSysColor.USER32(0000000F), ref: 0037716C
SetBkColor.GDI32(?,000000FF), ref: 00377186
SelectObject.GDI32(?,?), ref: 00377195
InflateRect.USER32(?,000000FF,000000FF), ref: 003771C0
GetSysColor.USER32(00000010), ref: 003771C8
CreateSolidBrush.GDI32(00000000), ref: 003771CF
FrameRect.USER32(?,?,00000000), ref: 003771DE
DeleteObject.GDI32(00000000), ref: 003771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00377230
FillRect.USER32(?,?,?), ref: 00377262
GetWindowLongW.USER32(?,000000F0), ref: 00377284

Part of subcall function 003773E8: GetSysColor.USER32(00000012), ref: 00377421
Part of subcall function 003773E8: SetTextColor.GDI32(?,?), ref: 00377425
Part of subcall function 003773E8: GetSysColorBrush.USER32(0000000F), ref: 0037743B
Part of subcall function 003773E8: GetSysColor.USER32(0000000F), ref: 00377446
Part of subcall function 003773E8: GetSysColor.USER32(00000011), ref: 00377463
Part of subcall function 003773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00377471
Part of subcall function 003773E8: SelectObject.GDI32(?,00000000), ref: 00377482
Part of subcall function 003773E8: SetBkColor.GDI32(?,00000000), ref: 0037748B
Part of subcall function 003773E8: SelectObject.GDI32(?,?), ref: 00377498
Part of subcall function 003773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003774B7
Part of subcall function 003773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003774CE
Part of subcall function 003773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003774DB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c245a78c326196d499f77953605aa2c84010f6999212a07c8e7fe5ad0b0078a0
Instruction ID: 5ddba88dbca71353511dd52134d6b5e23066bcc72fa17244fc0abcc3e362764f
Opcode Fuzzy Hash: c245a78c326196d499f77953605aa2c84010f6999212a07c8e7fe5ad0b0078a0
Instruction Fuzzy Hash: BCA1C272018301AFD7229F60DC48E6B7BADFF49320F105A2DF96A961E1D735E984CB91

Function 002F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00336AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00336AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00336F43

Part of subcall function 002F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002F8BE8,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8FC5

SendMessageW.USER32(?,00001053), ref: 00336F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00336F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00336FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00336FB7

Strings

0, xrefs: 00336DCF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 02d9ed5b08583494a1f6cb58b22757802129b0c35290cb36d5e034a3d83a1d64
Instruction ID: f32543cd8b2430ad30396ea3a5e37cee5c85b542e126d571202c0fd59213f5aa
Opcode Fuzzy Hash: 02d9ed5b08583494a1f6cb58b22757802129b0c35290cb36d5e034a3d83a1d64
Instruction Fuzzy Hash: EF12BA30610241AFDB26CF24C895BBAF7E9FB45304F558569F6898B261CB31ECA1CF91

Function 00362711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0036273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0036286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00362900
GetClientRect.USER32(00000000,?), ref: 0036290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00362955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00362964
GetStockObject.GDI32(00000011), ref: 00362974
SelectObject.GDI32(00000000,00000000), ref: 00362978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00362988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00362991
DeleteDC.GDI32(00000000), ref: 0036299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00362A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00362A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00362A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00362A77
GetStockObject.GDI32(00000011), ref: 00362A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00362A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00362A97

Strings

msctls_progress32, xrefs: 00362A13
AutoIt v3, xrefs: 003628F8
DISPLAY, xrefs: 0036295A
static, xrefs: 0036294F, 00362A71

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bfb71ed475e1da792aa2db26e87f16742aafeaacc3fbeb50c60d0a975bd9269f
Instruction ID: 8b58586226a8e558fa99946a860fe0688bdb239f01ee32a5106cf6fd5413c082
Opcode Fuzzy Hash: bfb71ed475e1da792aa2db26e87f16742aafeaacc3fbeb50c60d0a975bd9269f
Instruction Fuzzy Hash: 6BB16D75A50605AFEB25DF68CC45FAF7BA9EB08710F418118FA19E7290D770AD40CFA0

Function 00354ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00354AED
GetDriveTypeW.KERNEL32(?,0037CB68,?,\\.\,0037CC08), ref: 00354BCA
SetErrorMode.KERNEL32(00000000,0037CB68,?,\\.\,0037CC08), ref: 00354D36

Strings

Network, xrefs: 00354C02
SATA, xrefs: 00354CD0
SAS, xrefs: 00354CC9
CDROM, xrefs: 00354BFB
PhysicalDrive, xrefs: 00354B76
ATAPI, xrefs: 00354C91
Removable, xrefs: 00354C10, 00354C15
ATA, xrefs: 00354C98
iSCSI, xrefs: 00354CC2
Fixed, xrefs: 00354C09
SSA, xrefs: 00354CA6
Fibre, xrefs: 00354CAD
FileBackedVirtual, xrefs: 00354CEC
Unknown, xrefs: 00354BED, 00354C83
RAMDisk, xrefs: 00354BF4
1394, xrefs: 00354C9F
USB, xrefs: 00354CB4
MMC, xrefs: 00354CDE
\\.\, xrefs: 00354B3F
SCSI, xrefs: 00354C8A
SSD, xrefs: 00354C4A
RAID, xrefs: 00354CBB
Virtual, xrefs: 00354CE5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a52a04761764a4fd45ea4c11c04b6def133ee76b423571a83c25601e70b9ca1f
Instruction ID: 1767eb61cfd77eb6f922288ca9737cd964a3870273270037b4908c346a9922c2
Opcode Fuzzy Hash: a52a04761764a4fd45ea4c11c04b6def133ee76b423571a83c25601e70b9ca1f
Instruction Fuzzy Hash: 7361C330645205BBCB0BDF24C982DAC77B4EB8534AB244015FC06AB6A6DB35EDC99F41

Function 003773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00377421
SetTextColor.GDI32(?,?), ref: 00377425
GetSysColorBrush.USER32(0000000F), ref: 0037743B
GetSysColor.USER32(0000000F), ref: 00377446
CreateSolidBrush.GDI32(?), ref: 0037744B
GetSysColor.USER32(00000011), ref: 00377463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00377471
SelectObject.GDI32(?,00000000), ref: 00377482
SetBkColor.GDI32(?,00000000), ref: 0037748B
SelectObject.GDI32(?,?), ref: 00377498
InflateRect.USER32(?,000000FF,000000FF), ref: 003774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0037752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00377554
InflateRect.USER32(?,000000FD,000000FD), ref: 00377572
DrawFocusRect.USER32(?,?), ref: 0037757D
GetSysColor.USER32(00000011), ref: 0037758E
SetTextColor.GDI32(?,00000000), ref: 00377596
DrawTextW.USER32(?,003770F5,000000FF,?,00000000), ref: 003775A8
SelectObject.GDI32(?,?), ref: 003775BF
DeleteObject.GDI32(?), ref: 003775CA
SelectObject.GDI32(?,?), ref: 003775D0
DeleteObject.GDI32(?), ref: 003775D5
SetTextColor.GDI32(?,?), ref: 003775DB
SetBkColor.GDI32(?,?), ref: 003775E5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0cfe7b6fe477aee03dec6283386905a8ae0b139d85ffa536f3580531e0476f22
Instruction ID: 544b5e8e95f8bc3dae932215a454b6e2e919f015704657fb684d3350d3270666
Opcode Fuzzy Hash: 0cfe7b6fe477aee03dec6283386905a8ae0b139d85ffa536f3580531e0476f22
Instruction Fuzzy Hash: EA617472900218AFDF229FA4DC49EEE7F79EF09320F119125F919A72A1D7759980CF90

Function 00370FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00371128
GetDesktopWindow.USER32 ref: 0037113D
GetWindowRect.USER32(00000000), ref: 00371144
GetWindowLongW.USER32(?,000000F0), ref: 00371199
DestroyWindow.USER32(?), ref: 003711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0037120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0037121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00371232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00371245
IsWindowVisible.USER32(00000000), ref: 003712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003712D0
GetWindowRect.USER32(00000000,?), ref: 003712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0037130E
GetMonitorInfoW.USER32(00000000,?), ref: 00371328
CopyRect.USER32(?,?), ref: 0037133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003713AA

Strings

0, xrefs: 003710D3
(, xrefs: 0037131B
tooltips_class32, xrefs: 003711E6

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: bc9ec2dd076682251439e0e4c4dbcbdd854b43a6674a402a216e9f14d343b1d7
Instruction ID: 1789814d8c8bb83f14ef97f6232a42af3b94df72e7aeffd50a02fbd683446c6f
Opcode Fuzzy Hash: bc9ec2dd076682251439e0e4c4dbcbdd854b43a6674a402a216e9f14d343b1d7
Instruction Fuzzy Hash: D5B18972614341AFD721DF69C884B6ABBE8FF84310F40891DF9999B2A1CB75E844CF91

Function 00370241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003702E5
_wcslen.LIBCMT ref: 0037031F
_wcslen.LIBCMT ref: 00370389
_wcslen.LIBCMT ref: 003703F1
_wcslen.LIBCMT ref: 00370475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003704C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00370504

Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD

Part of subcall function 0034223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00342258
Part of subcall function 0034223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0034228A

Strings

GETSUBITEMCOUNT, xrefs: 00370384, 0037039F
SELECTCLEAR, xrefs: 0037052D
GETSELECTED, xrefs: 003705E1
GETITEMCOUNT, xrefs: 00370316, 00370337
SELECTINVERT, xrefs: 0037057E
SELECTALL, xrefs: 00370515
DESELECT, xrefs: 0037059C
ISSELECTED, xrefs: 003704DD
GETTEXT, xrefs: 003703EC, 00370407
FINDITEM, xrefs: 00370627
GETSELECTEDCOUNT, xrefs: 00370470, 0037048B
VIEWCHANGE, xrefs: 00370675
SELECT, xrefs: 00370548

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 9db1741ee577a8478c4bea418b0af2ef890af4dfe154799136208eec8a396f1e
Instruction ID: da45aa01346bae3d9d9e099d9ecae65f1f3681ffc1208f47428b0a0d6bdb4a11
Opcode Fuzzy Hash: 9db1741ee577a8478c4bea418b0af2ef890af4dfe154799136208eec8a396f1e
Instruction Fuzzy Hash: 91E1D031218240DFC72ADF25C99082AB3E5FF89314F55896CF89AAB6A1DB34ED45CB41

Function 002F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002F8968
GetSystemMetrics.USER32(00000007), ref: 002F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002F899B
GetSystemMetrics.USER32(00000008), ref: 002F89A3
GetSystemMetrics.USER32(00000004), ref: 002F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002F8A5A
GetStockObject.GDI32(00000011), ref: 002F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002F8A81

Part of subcall function 002F912D: GetCursorPos.USER32(?), ref: 002F9141
Part of subcall function 002F912D: ScreenToClient.USER32(00000000,?), ref: 002F915E
Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000001), ref: 002F9183
Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000002), ref: 002F919D

SetTimer.USER32(00000000,00000000,00000028,002F90FC), ref: 002F8AA8

Strings

AutoIt v3 GUI, xrefs: 002F8A20

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 081d201214a883a190b08cbdd81aa55d138d4196adad7585b94c1a00a9aa6752
Instruction ID: 52b5c465ff5c877ef25b3e0df804ac7d2e4d676ba9e6a02420121b17321c71bf
Opcode Fuzzy Hash: 081d201214a883a190b08cbdd81aa55d138d4196adad7585b94c1a00a9aa6752
Instruction Fuzzy Hash: EAB19031A10209AFDB15DF68CC96BAE7BB5FB48354F104229FA15E7290DB70E950CF50

Function 00340D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
Part of subcall function 003410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
Part of subcall function 003410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
Part of subcall function 003410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00340DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00340E29
GetLengthSid.ADVAPI32(?), ref: 00340E40
GetAce.ADVAPI32(?,00000000,?), ref: 00340E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00340E96
GetLengthSid.ADVAPI32(?), ref: 00340EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00340EB5
HeapAlloc.KERNEL32(00000000), ref: 00340EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00340EDD
CopySid.ADVAPI32(00000000), ref: 00340EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00340F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00340F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00340F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F6E
HeapFree.KERNEL32(00000000), ref: 00340F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F7E
HeapFree.KERNEL32(00000000), ref: 00340F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F8E
HeapFree.KERNEL32(00000000), ref: 00340F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00340FA1
HeapFree.KERNEL32(00000000), ref: 00340FA8

Part of subcall function 00341193: GetProcessHeap.KERNEL32(00000008,00340BB1,?,00000000,?,00340BB1,?), ref: 003411A1
Part of subcall function 00341193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00340BB1,?), ref: 003411A8
Part of subcall function 00341193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00340BB1,?), ref: 003411B7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1f787d59d0407c8c22de7fa56e1bf8b0aa2db8660b65260823193a998798ed1f
Instruction ID: f20263281ef62ba3390fa4fcc23431700419a4c5c529feda17d746d954532897
Opcode Fuzzy Hash: 1f787d59d0407c8c22de7fa56e1bf8b0aa2db8660b65260823193a998798ed1f
Instruction Fuzzy Hash: 56715071A0020AABDF269FA4DC44FAEBBBCFF05310F054129FA19AA151D775A945CB60

Function 0036C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0037CC08,00000000,?,00000000,?,?), ref: 0036C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0036C5A4
_wcslen.LIBCMT ref: 0036C5F4
_wcslen.LIBCMT ref: 0036C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0036C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0036C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0036C84D
RegCloseKey.ADVAPI32(?), ref: 0036C881
RegCloseKey.ADVAPI32(00000000), ref: 0036C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0036C960

Strings

REG_DWORD, xrefs: 0036C804
REG_BINARY, xrefs: 0036C913
REG_EXPAND_SZ, xrefs: 0036C5CD
REG_MULTI_SZ, xrefs: 0036C6F5
REG_QWORD, xrefs: 0036C8C3
REG_SZ, xrefs: 0036C644

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8694bce03b116d6052d090d66bcdde58103573e283f67e52b95e780db0625a07
Instruction ID: 44a908d799395991fe81dfec4d4cd132dae6ef5db8b9efeb2a309b68b7e4d393
Opcode Fuzzy Hash: 8694bce03b116d6052d090d66bcdde58103573e283f67e52b95e780db0625a07
Instruction Fuzzy Hash: EB1279356142009FCB26DF15C881A2AB7E5FF88714F45889DF88A9B3A2DB31ED41CF91

Function 0037091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003709C6
_wcslen.LIBCMT ref: 00370A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00370A54
_wcslen.LIBCMT ref: 00370A8A
_wcslen.LIBCMT ref: 00370B06
_wcslen.LIBCMT ref: 00370B81

Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD

Part of subcall function 00342BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00342BFA

Strings

GETSELECTED, xrefs: 00370C4E
ISCHECKED, xrefs: 00370CE1
EXISTS, xrefs: 00370B7C, 00370B97
GETTEXT, xrefs: 00370C97
CHECK, xrefs: 00370A85, 00370AA0
EXPAND, xrefs: 00370BF8
GETITEMCOUNT, xrefs: 00370C1E
COLLAPSE, xrefs: 00370B01, 00370B1C
GETTOTALCOUNT, xrefs: 003709F2, 00370A17
UNCHECK, xrefs: 00370D3E
SELECT, xrefs: 00370D11

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c430777ff0efc3bfc6ea2acfbe14c1f398e16bc925a052fc89a0fefe3cc11f8f
Instruction ID: ef7d4eb263b2197a17eeae8c72bca681ac0f80d854086dd6e89991fab79822a8
Opcode Fuzzy Hash: c430777ff0efc3bfc6ea2acfbe14c1f398e16bc925a052fc89a0fefe3cc11f8f
Instruction Fuzzy Hash: 90E1A935218341CFC72ADF24C49092AB7E1BF98314F55895CF89AAB7A2D734EE45CB81

Function 0036C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
_wcslen.LIBCMT ref: 0036C9F1
_wcslen.LIBCMT ref: 0036CA68
_wcslen.LIBCMT ref: 0036CA9E
_wcslen.LIBCMT ref: 0036CAF9
_wcslen.LIBCMT ref: 0036CB2F
_wcslen.LIBCMT ref: 0036CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0036CA62, 0036CA67
HKU, xrefs: 0036CBF0
HKCC, xrefs: 0036CBAC
HKCR, xrefs: 0036CB29, 0036CB2E
HKLM, xrefs: 0036CA98, 0036CA9D
HKEY_CLASSES_ROOT, xrefs: 0036CAF3, 0036CAF8
HKEY_USERS, xrefs: 0036CBDF
HKEY_CURRENT_USER, xrefs: 0036CBBD
HKEY_CURRENT_CONFIG, xrefs: 0036CB79, 0036CB7E
HKCU, xrefs: 0036CBCE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a394f97f80a153e1c852351ee5436f987d3e9f899eb2b9dd58caa808887f7975
Instruction ID: 88cbbfa3493bec0d7687337be27277e4e94243197215d18a4335f97d7e6c0954
Opcode Fuzzy Hash: a394f97f80a153e1c852351ee5436f987d3e9f899eb2b9dd58caa808887f7975
Instruction Fuzzy Hash: 9371263263016A8BCB22DEBCCD515BF3395AF61754F56A128FCD69B288E631CD41C7A0

Function 0037833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037835A
_wcslen.LIBCMT ref: 0037836E
_wcslen.LIBCMT ref: 00378391
_wcslen.LIBCMT ref: 003783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00375BF2), ref: 0037844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00378487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00378501
FreeLibrary.KERNEL32(?), ref: 0037850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037851D
DestroyIcon.USER32(?,?,?,?,?,00375BF2), ref: 0037852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00378549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00378555

Strings

.icl, xrefs: 00378368
.exe, xrefs: 00378388
.dll, xrefs: 003783AB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8125548486208b70348437d2a5e48322d8c394d4629ae465a0f3c868e4706036
Instruction ID: dd061970c99d7a3d0d6076e214fa8d367d6d299d234900999403bbfd9f9e2a82
Opcode Fuzzy Hash: 8125548486208b70348437d2a5e48322d8c394d4629ae465a0f3c868e4706036
Instruction Fuzzy Hash: 32610371580205BEEB26DF65CC85FBE77ACFB04720F108509F919DA0D1DBB89A90CBA0

Function 002E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00325169
#comments-start, xrefs: 002E785F, 002E78B1
Unterminated group of comments, xrefs: 0032528C
Cannot parse #include, xrefs: 00325279
#include-once, xrefs: 002E782F
#include, xrefs: 002E7847
#notrayicon, xrefs: 002E77E7
#requireadmin, xrefs: 002E77FF
#pragma compile, xrefs: 002E77D3
#OnAutoItStartRegister, xrefs: 002E7817
#ce, xrefs: 002E78ED
#cs, xrefs: 002E7873, 002E78C5
Bad directive syntax error, xrefs: 0032519A
", xrefs: 00325153
#comments-end, xrefs: 002E78D9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d3d71ed84de4b5bd27a373135c6b67c14e8cbf8bcf1bb4a32f370d00fb70d3b7
Instruction ID: bb3338de90263c0ba3ca075365d96dd18a52e8c8f0c70618ccfac46426a1fb34
Opcode Fuzzy Hash: d3d71ed84de4b5bd27a373135c6b67c14e8cbf8bcf1bb4a32f370d00fb70d3b7
Instruction Fuzzy Hash: E481F8716A4215BBDF22AF61DC42FBF77A8AF15300F444025F905AB1D2EB70DA61CBA1

Function 00353E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00353EF8
_wcslen.LIBCMT ref: 00353F03
_wcslen.LIBCMT ref: 00353F5A
_wcslen.LIBCMT ref: 00353F98
GetDriveTypeW.KERNEL32(?), ref: 00353FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0035401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00354059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00354087

Strings

open , xrefs: 00353FE5
set cd door , xrefs: 00354028
close, xrefs: 00353EFE, 00353F18
type cdaudio alias cd wait, xrefs: 00354001
open, xrefs: 00353F54, 00353F59
wait, xrefs: 00354044
closed, xrefs: 00353F08, 00353F2D, 00353F46, 00353F7E, 00353F97
close cd wait, xrefs: 00354072

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d5ee053e7a41c6cd32a7f09f0765db463cd93678077c5e244fa215e14e471130
Instruction ID: 16889d73147678ddace5f683904a3e4d4b25f6ba4b71c7cfa2ce84a9ff377581
Opcode Fuzzy Hash: d5ee053e7a41c6cd32a7f09f0765db463cd93678077c5e244fa215e14e471130
Instruction Fuzzy Hash: 877102326043019FC711EF25C88186EB7F4EF947A8F51492DF895972A1EB30EE89CB91

Function 00345A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00345A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00345A40
SetWindowTextW.USER32(?,?), ref: 00345A57
GetDlgItem.USER32(?,000003EA), ref: 00345A6C
SetWindowTextW.USER32(00000000,?), ref: 00345A72
GetDlgItem.USER32(?,000003E9), ref: 00345A82
SetWindowTextW.USER32(00000000,?), ref: 00345A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00345AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00345AC3
GetWindowRect.USER32(?,?), ref: 00345ACC
_wcslen.LIBCMT ref: 00345B33
SetWindowTextW.USER32(?,?), ref: 00345B6F
GetDesktopWindow.USER32 ref: 00345B75
GetWindowRect.USER32(00000000), ref: 00345B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00345BD3
GetClientRect.USER32(?,?), ref: 00345BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00345C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00345C2F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5a9c3ef589854d653bb5d09a10aab3babe7cea23c8fcc341a613f2c80e57ae52
Instruction ID: 2abe063d047738199af7b0e23898faf02d7dc2304fbaa442a6e64229601178e8
Opcode Fuzzy Hash: 5a9c3ef589854d653bb5d09a10aab3babe7cea23c8fcc341a613f2c80e57ae52
Instruction Fuzzy Hash: E7718C31900B09AFDB22DFA8CE85AAEBBF9FF48704F10451CE546AA5A1D775F940CB50

Function 0035FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0035FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0035FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0035FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0035FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0035FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0035FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0035FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0035FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0035FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0035FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0035FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0035FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0035FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0035FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0035FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0035FECC
GetCursorInfo.USER32(?), ref: 0035FEDC
GetLastError.KERNEL32 ref: 0035FF1E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1fb80d3a94a9d1c9a50bb553275702ed22e6efb44c81cd8c88fd72b8f4f45f91
Instruction ID: 93bafb0354baf6f2e1f190b30cdbf75f3756e4404fe9d61c756967f501737acc
Opcode Fuzzy Hash: 1fb80d3a94a9d1c9a50bb553275702ed22e6efb44c81cd8c88fd72b8f4f45f91
Instruction Fuzzy Hash: E84172B0D083196EDB109FBA8C89C5EBFE8FF04754B50452AE51DE7691DB78A901CF90

Function 003430F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034318D
_wcslen.LIBCMT ref: 003431F8

Strings

[:, xrefs: 0034339A
REGEXPCLASS, xrefs: 00343255, 00343266
CLASS, xrefs: 00343188, 003431A5
INSTANCE, xrefs: 00343453
NAME, xrefs: 00343335, 00343346
CLASSNN, xrefs: 003431F3, 00343204
TEXT, xrefs: 0034347C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[:
API String ID: 176396367-640847564
Opcode ID: 03eb708a0e4695450c643c045c9d05ba162228381b2ae40498bfc6861f6a48b4
Instruction ID: e1ac92fecdb0023fa575eb8fd3712f7f02422474fcf834939ab361aa16d7ed88
Opcode Fuzzy Hash: 03eb708a0e4695450c643c045c9d05ba162228381b2ae40498bfc6861f6a48b4
Instruction Fuzzy Hash: 7FE1E332A00516ABCB1ADFA8C4516FDBBF4FF45710F558129E456AB280DB30BE958BA0

Function 003000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003000C6

Part of subcall function 003000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003B070C,00000FA0,00DA36BC,?,?,?,?,003223B3,000000FF), ref: 0030011C
Part of subcall function 003000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003223B3,000000FF), ref: 00300127
Part of subcall function 003000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003223B3,000000FF), ref: 00300138
Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0030014E
Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0030015C
Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0030016A
Part of subcall function 003000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00300195
Part of subcall function 003000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003001A0

___scrt_fastfail.LIBCMT ref: 003000E7

Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9

Strings

SleepConditionVariableCS, xrefs: 00300154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00300122
kernel32.dll, xrefs: 00300133
WakeAllConditionVariable, xrefs: 00300162
InitializeConditionVariable, xrefs: 00300148

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 42154a223dac3135d84eb3a6d6e5a4b91cb35649c4f6f6ef18198fa0b859ceca
Instruction ID: 6a25d21fb586114d9a0eec4775880916dbdcee9d5731f44173770a6951b16d74
Opcode Fuzzy Hash: 42154a223dac3135d84eb3a6d6e5a4b91cb35649c4f6f6ef18198fa0b859ceca
Instruction Fuzzy Hash: 4F212636A567106FE73F5B74AC1ABAA7398EB05B90F01413EF909A66D1DF7498008A90

Function 003544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0037CC08), ref: 00354527
_wcslen.LIBCMT ref: 0035453B
_wcslen.LIBCMT ref: 00354599
_wcslen.LIBCMT ref: 003545F4
_wcslen.LIBCMT ref: 0035463F
_wcslen.LIBCMT ref: 003546A7

Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD

GetDriveTypeW.KERNEL32(?,003A6BF0,00000061), ref: 00354743

Strings

removable, xrefs: 003545EA, 003545EF
cdrom, xrefs: 0035458F, 00354594
unknown, xrefs: 00354708
ramdisk, xrefs: 003546F1
network, xrefs: 0035469D, 003546A2
all, xrefs: 00354531, 00354536
fixed, xrefs: 00354635, 0035463A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7e0199c498102ad8df97593464d0c544881112fa5f6d66be84e4e5e3c2549065
Instruction ID: 8203ce80d4b1dd9ce4def2a078e2f1baa77c81961cc46626cfb76433c998283b
Opcode Fuzzy Hash: 7e0199c498102ad8df97593464d0c544881112fa5f6d66be84e4e5e3c2549065
Instruction Fuzzy Hash: D6B127315083029FC719DF28C890E6AB7E4EFA6759F51491DF896C72A1E730D988CB52

Function 0037911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00379147

Part of subcall function 00377674: ClientToScreen.USER32(?,?), ref: 0037769A
Part of subcall function 00377674: GetWindowRect.USER32(?,?), ref: 00377710
Part of subcall function 00377674: PtInRect.USER32(?,?,00378B89), ref: 00377720

SendMessageW.USER32(?,000000B0,?,?), ref: 003791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00379225
SendMessageW.USER32(?,000000B0,?,?), ref: 0037923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00379255
SendMessageW.USER32(?,000000B1,?,?), ref: 00379277
DragFinish.SHELL32(?), ref: 0037927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00379371

Strings

@GUI_DROPID, xrefs: 0037929E
p#;, xrefs: 003792BB
@GUI_DRAGFILE, xrefs: 00379320
@GUI_DRAGID, xrefs: 003792E9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#;
API String ID: 221274066-3242378617
Opcode ID: 41a4bf916d6778091e937363b2106f4b1735871ca8d958642e690802d3504ab7
Instruction ID: 7eaaca7736d032d501e60c93a94b89a69d58a0d096530fed5a088ae464206ee3
Opcode Fuzzy Hash: 41a4bf916d6778091e937363b2106f4b1735871ca8d958642e690802d3504ab7
Instruction Fuzzy Hash: 2F619C71108340AFC712EF65CC85EAFBBE8FF89750F400A1EF595921A1DB309A99CB52

Function 002E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003B1990), ref: 00322F8D
GetMenuItemCount.USER32(003B1990), ref: 0032303D
GetCursorPos.USER32(?), ref: 00323081
SetForegroundWindow.USER32(00000000), ref: 0032308A
TrackPopupMenuEx.USER32(003B1990,00000000,?,00000000,00000000,00000000), ref: 0032309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003230A9

Strings

0, xrefs: 002E327D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b179aeca8054f638a6a26362c3b13be29f809a5a6e5f96f5e8f24459f1ede003
Instruction ID: 8917715fbc3123dd1cdb86070ab8e1e8587f970523c5930e0e78601645bbe7f9
Opcode Fuzzy Hash: b179aeca8054f638a6a26362c3b13be29f809a5a6e5f96f5e8f24459f1ede003
Instruction Fuzzy Hash: 10712B70644255BEEB328F25DD89F9ABF78FF05324F204216FA196A1E0C7B1AD50DB50

Function 00376CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00376DEB

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00376E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00376E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00376E94
DestroyWindow.USER32(?), ref: 00376EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002E0000,00000000), ref: 00376EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00376EFD
GetDesktopWindow.USER32 ref: 00376F16
GetWindowRect.USER32(00000000), ref: 00376F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00376F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00376F4D

Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952

Strings

0, xrefs: 00376D98
tooltips_class32, xrefs: 00376E58, 00376EDD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 78e4d5c2a4cc42f55735f8ed499f9668ed57977aec4f967d5cc90f80e7336471
Instruction ID: 12bf4193ea20dd9773715480de94d6f64727fefc85b4bda1eab5ac0eb5c31c80
Opcode Fuzzy Hash: 78e4d5c2a4cc42f55735f8ed499f9668ed57977aec4f967d5cc90f80e7336471
Instruction Fuzzy Hash: 2071A870100280AFDB22DF28DCA9FBABBF9FB89304F54451DF98987261C774A949CB11

Function 0035C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0035C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0035C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0035C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0035C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0035C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0035C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0035C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0035C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0035C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0035C5F0
InternetCloseHandle.WININET(00000000), ref: 0035C5FB

Strings

, xrefs: 0035C575

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9e6b0ce0862a1a98668de0e928c1047f9f147634e4ec0f633f2895cfefbef536
Instruction ID: 8f1446e8997928da7428093ab3bf3565c7c9b7608b6156cdfffdbb0e3b55bc11
Opcode Fuzzy Hash: 9e6b0ce0862a1a98668de0e928c1047f9f147634e4ec0f633f2895cfefbef536
Instruction Fuzzy Hash: 37515FB0510304BFDB228FA5C988EAB7BBCFF09749F01541DF94596560EB34EA48DB60

Function 0037856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00378592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785BA
GlobalLock.KERNEL32(00000000), ref: 003785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785D7
GlobalUnlock.KERNEL32(00000000), ref: 003785E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0037FC38,?), ref: 00378611
GlobalFree.KERNEL32(00000000), ref: 00378621
GetObjectW.GDI32(?,00000018,?), ref: 00378641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00378671
DeleteObject.GDI32(?), ref: 00378699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003786AF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f5adbcec2ccbed5591a32da30c5edb2d3403b433ec1d27042e84c97cc9e1097a
Instruction ID: ad8fc7170268acb66c4aaba91f3e5adfc3294b0940d6084317e19b5e95d8f7d5
Opcode Fuzzy Hash: f5adbcec2ccbed5591a32da30c5edb2d3403b433ec1d27042e84c97cc9e1097a
Instruction Fuzzy Hash: 39411975640209BFDB229FA5CC8CEAA7BBCFF89711F148458F909E7260DB349941DB60

Function 003514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00351502
VariantCopy.OLEAUT32(?,?), ref: 0035150B
VariantClear.OLEAUT32(?), ref: 00351517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00351657
VariantInit.OLEAUT32(?), ref: 00351708
SysFreeString.OLEAUT32(?), ref: 0035178C
VariantClear.OLEAUT32(?), ref: 003517D8
VariantClear.OLEAUT32(?), ref: 003517E7
VariantInit.OLEAUT32(00000000), ref: 00351823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00351625
Default, xrefs: 003516AF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 43d9a68badd0084c3d55f1094e6dfc173873ae0bfa8fb5ae31442066d464305e
Instruction ID: c94a39d894a373584991701fb50f530c12dc7a193e0a686d80d4a639bc925da8
Opcode Fuzzy Hash: 43d9a68badd0084c3d55f1094e6dfc173873ae0bfa8fb5ae31442066d464305e
Instruction Fuzzy Hash: 1CD13472A00105DBCB12AF65D885F7DB7B8BF46701F10886AFC06AB5A0EB34DC59DB61

Function 0036B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0036B80A
RegCloseKey.ADVAPI32(?), ref: 0036B87E
RegCloseKey.ADVAPI32(?), ref: 0036B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0036B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0036B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0036B922
FreeLibrary.KERNEL32(00000000), ref: 0036B983
RegCloseKey.ADVAPI32(00000000), ref: 0036B994

Strings

advapi32.dll, xrefs: 0036B8ED
RegDeleteKeyExW, xrefs: 0036B8FE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f674889662c05a8695d1157b501f9c6c9ca0a632d6e706b99ff266806940702a
Instruction ID: 99ceb515c5f7d756fa3ca9eadf9830ce672f5764fca5e4a87bb15322f6b9dfa9
Opcode Fuzzy Hash: f674889662c05a8695d1157b501f9c6c9ca0a632d6e706b99ff266806940702a
Instruction Fuzzy Hash: F5C17B30218241AFD725DF15C495F2ABBE5BF84308F55C49CE59A8B6A2CB31EC86CF91

Function 0036255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003625E8
CreateCompatibleDC.GDI32(?), ref: 003625F4
SelectObject.GDI32(00000000,?), ref: 00362601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0036266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003626D0
SelectObject.GDI32(?,?), ref: 003626D8
DeleteObject.GDI32(?), ref: 003626E1
DeleteDC.GDI32(?), ref: 003626E8
ReleaseDC.USER32(00000000,?), ref: 003626F3

Strings

(, xrefs: 0036268D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c6ef43a55b3b256fd8adcf0d66394a280154a274b9ae64fc3dce9e4ecd64c38a
Instruction ID: bc6a732c38f9c11174b71c6ae18cceba9754d4daaad49288df58cb7052ef5c04
Opcode Fuzzy Hash: c6ef43a55b3b256fd8adcf0d66394a280154a274b9ae64fc3dce9e4ecd64c38a
Instruction Fuzzy Hash: 4B61E3B5D10219EFCF15CFA4D884EAEBBB9FF48310F208529E959A7250D770A951CFA0

Function 0031DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0031DAA1

Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D659
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D66B
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D67D
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D68F
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6A1
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6B3
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6C5
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6D7
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6E9
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6FB
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D70D
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D71F
Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D731

_free.LIBCMT ref: 0031DA96

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 0031DAB8
_free.LIBCMT ref: 0031DACD
_free.LIBCMT ref: 0031DAD8
_free.LIBCMT ref: 0031DAFA
_free.LIBCMT ref: 0031DB0D
_free.LIBCMT ref: 0031DB1B
_free.LIBCMT ref: 0031DB26
_free.LIBCMT ref: 0031DB5E
_free.LIBCMT ref: 0031DB65
_free.LIBCMT ref: 0031DB82
_free.LIBCMT ref: 0031DB9A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a428218b89eec92f462104db61a213d922ba771a0d8aca7e5ea35ae768ea3674
Instruction ID: 2c7955dde759002af074e260ad6234a5ef2b0a04e56e065f51216858bfc21b08
Opcode Fuzzy Hash: a428218b89eec92f462104db61a213d922ba771a0d8aca7e5ea35ae768ea3674
Instruction Fuzzy Hash: 11313D326047059FEB2BAA39E845BD777E9FF0A320F168419E449DB191DF35ACE08720

Function 0034365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0034369C
_wcslen.LIBCMT ref: 003436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00343797
GetClassNameW.USER32(?,?,00000400), ref: 0034380C
GetDlgCtrlID.USER32(?), ref: 0034385D
GetWindowRect.USER32(?,?), ref: 00343882
GetParent.USER32(?), ref: 003438A0
ScreenToClient.USER32(00000000), ref: 003438A7
GetClassNameW.USER32(?,?,00000100), ref: 00343921
GetWindowTextW.USER32(?,?,00000400), ref: 0034395D

Strings

%s%u, xrefs: 00343734

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 03f3de456d5442d06fb814350f1d0eef69418e721f324d2bead45da94b2f809e
Instruction ID: b230b2ea5e18d28d32a5559f051f9ebe354fd5b0937265453da758a3ceb469e3
Opcode Fuzzy Hash: 03f3de456d5442d06fb814350f1d0eef69418e721f324d2bead45da94b2f809e
Instruction Fuzzy Hash: D091AF71204606AFD71ADF24C885BAAF7E8FF44350F108629F999DB190DB30FA59CB91

Function 00344954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00344994
GetWindowTextW.USER32(?,?,00000400), ref: 003449DA
_wcslen.LIBCMT ref: 003449EB
CharUpperBuffW.USER32(?,00000000), ref: 003449F7
_wcsstr.LIBVCRUNTIME ref: 00344A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00344A64
GetWindowTextW.USER32(?,?,00000400), ref: 00344A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00344AE6
GetClassNameW.USER32(?,?,00000400), ref: 00344B20
GetWindowRect.USER32(?,?), ref: 00344B8B

Strings

ThumbnailClass, xrefs: 00344A6F, 00344AF1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cef1388160b8f0e1c1eccbd7cab66bf62dff3da7eed372e5a8a6f61359363c17
Instruction ID: 2a5f88751de956a9c29b0f611bcda197d05ab027f03ed3ae27a9ba6de3c0a065
Opcode Fuzzy Hash: cef1388160b8f0e1c1eccbd7cab66bf62dff3da7eed372e5a8a6f61359363c17
Instruction Fuzzy Hash: 2E91AB71008205AFDB16DF14C985BAA77E8FF84314F08847AFD899E196EB30ED45CBA1

Function 00378D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00378D5A
GetFocus.USER32 ref: 00378D6A
GetDlgCtrlID.USER32(00000000), ref: 00378D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00378E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00378ECF
GetMenuItemCount.USER32(?), ref: 00378EEC
GetMenuItemID.USER32(?,00000000), ref: 00378EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00378F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00378F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00378FA1

Strings

0, xrefs: 00378E9F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d579b9ce8c66c41c33add2bb7906a45597742c56358ebcd992fe360c09ea79c4
Instruction ID: b75fa41eeb54bc0b85dc9b8beed1927e94df1d9de92d5c31adef80cb362ce26b
Opcode Fuzzy Hash: d579b9ce8c66c41c33add2bb7906a45597742c56358ebcd992fe360c09ea79c4
Instruction Fuzzy Hash: 1881CE715483019FD732CF24D888AABBBE9FB89354F15891DF98C97291DB34D940CBA2

Function 0034DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0034DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0034DC46
_wcslen.LIBCMT ref: 0034DC50
_wcsstr.LIBVCRUNTIME ref: 0034DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0034DCBC

Strings

%u.%u.%u.%u, xrefs: 0034DD9A
\VarFileInfo\Translation, xrefs: 0034DCB4
DefaultLangCodepage, xrefs: 0034DD1F
StringFileInfo\, xrefs: 0034DC8F
04090000, xrefs: 0034DCF2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3e0b31e0436126388fab66eabbd780df8c3413ad75aa7d20a6cbd6df0bf277c7
Instruction ID: 974f7874ead48ab7c0bf35b8df7e97765ed45407631abfcfcb09a9cfbbf66d76
Opcode Fuzzy Hash: 3e0b31e0436126388fab66eabbd780df8c3413ad75aa7d20a6cbd6df0bf277c7
Instruction Fuzzy Hash: D8414932940204BADB17A774CC43FFF77ACEF46750F10406AF904AA1C2EB34A9108BA4

Function 0036CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0036CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0036CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0036CD48

Part of subcall function 0036CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0036CCAA
Part of subcall function 0036CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0036CCBD
Part of subcall function 0036CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0036CCCF
Part of subcall function 0036CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0036CD05
Part of subcall function 0036CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0036CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0036CCF3

Strings

advapi32.dll, xrefs: 0036CCB8
RegDeleteKeyExW, xrefs: 0036CCC9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 78db4b1c7979c58bf2311547560883653b9652055cb82a726c5286854eaa4c7a
Instruction ID: 60e69c44c8e202979d30e4630e24dc74d643b1636f6cdcc9aeba05533866a9bc
Opcode Fuzzy Hash: 78db4b1c7979c58bf2311547560883653b9652055cb82a726c5286854eaa4c7a
Instruction Fuzzy Hash: 48318071911128BBD7329B50DC88EFFBB7CEF05740F015169E94AE2144D7349A85DAF0

Function 00353D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00353D40
_wcslen.LIBCMT ref: 00353D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00353D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00353DBE
RemoveDirectoryW.KERNEL32(?), ref: 00353DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00353E55
CloseHandle.KERNEL32(00000000), ref: 00353E60
CloseHandle.KERNEL32(00000000), ref: 00353E6B

Strings

\??\%s, xrefs: 00353D5B
:, xrefs: 00353D82
\, xrefs: 00353D77

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 738770518dce96ef75038977364d28841d2cc994e9fdbd77304ee4160a6b521e
Instruction ID: 16e2a65d3f1055eb8e1e9e039bf634cd92f63305d892e44393a908a3d37363be
Opcode Fuzzy Hash: 738770518dce96ef75038977364d28841d2cc994e9fdbd77304ee4160a6b521e
Instruction Fuzzy Hash: 7A31C676910109ABDB229FA0DC49FEF37BCEF88741F1141B9FA09D6060E77497888B24

Function 0034E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0034E6B4

Part of subcall function 002FE551: timeGetTime.WINMM(?,?,0034E6D4), ref: 002FE555

Sleep.KERNEL32(0000000A), ref: 0034E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0034E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0034E727
SetActiveWindow.USER32 ref: 0034E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0034E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0034E773
Sleep.KERNEL32(000000FA), ref: 0034E77E
IsWindow.USER32 ref: 0034E78A
EndDialog.USER32(00000000), ref: 0034E79B

Strings

BUTTON, xrefs: 0034E719

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5b9318b071a6079a5a2faf59e7a6bf64bf2006438c1046dc2a69a2122f3ae77a
Instruction ID: 816cab8fa0c53676797d893311b85a77c23dc1ce0a218a1858276ce14bb010a8
Opcode Fuzzy Hash: 5b9318b071a6079a5a2faf59e7a6bf64bf2006438c1046dc2a69a2122f3ae77a
Instruction Fuzzy Hash: AD218470710204AFEB135F60ECCAB267BADF75539DF152629F6498A1B1DBB2BC408B14

Function 0034E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0034EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0034EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0034EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0034EAA7

Strings

open , xrefs: 0034EA0C
close PlayMe, xrefs: 0034EA6E, 0034EA9B
alias PlayMe, xrefs: 0034EA36
play PlayMe wait, xrefs: 0034EA91
play PlayMe, xrefs: 0034EAA2
status PlayMe mode, xrefs: 0034EA58

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 2157a0565d342246364307ae530ea09d0bc05ccc34f61cbcb2d1c0ec76ac242e
Instruction ID: 85cdcc1d2221326de91b7a780b0ce963121de021738105fec294847ee1bfa1d6
Opcode Fuzzy Hash: 2157a0565d342246364307ae530ea09d0bc05ccc34f61cbcb2d1c0ec76ac242e
Instruction Fuzzy Hash: 03117331AA029979D721E7A2DC4ADFF6BBCFBD2B00F450429B811A60D1EF705D55C9B0

Function 00345CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00345CE2
GetWindowRect.USER32(00000000,?), ref: 00345CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00345D59
GetDlgItem.USER32(?,00000002), ref: 00345D69
GetWindowRect.USER32(00000000,?), ref: 00345D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00345DCF
GetDlgItem.USER32(?,000003E9), ref: 00345DDD
GetWindowRect.USER32(00000000,?), ref: 00345DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00345E31
GetDlgItem.USER32(?,000003EA), ref: 00345E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00345E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00345E67

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 55e3c52883d721229c88747a6addc7bcc7490cfdbf2f9f591d119218b38d7d3d
Instruction ID: 45a8498341f873c14e544d579ea6caac2fbc8676baf5631d2e4b66ed2b2994b3
Opcode Fuzzy Hash: 55e3c52883d721229c88747a6addc7bcc7490cfdbf2f9f591d119218b38d7d3d
Instruction Fuzzy Hash: 51511C71F10609AFDB19CF68CD89AAEBBF9EF48300F148129F519E6291D770AE40CB50

Function 002F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002F8BE8,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8FC5

DestroyWindow.USER32(?), ref: 002F8C81
KillTimer.USER32(00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00336973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 003369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 003369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000), ref: 003369D4
DeleteObject.GDI32(00000000), ref: 003369E6

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 46d67374a7e5d7da085e1ed7e77fc6b1e16e7b53052be6d7d25cde9ffbaf0513
Instruction ID: db424a24332b05bfb68498aa0764afe16b1936e60ce6052cf67bc8a7f1e9eefc
Opcode Fuzzy Hash: 46d67374a7e5d7da085e1ed7e77fc6b1e16e7b53052be6d7d25cde9ffbaf0513
Instruction Fuzzy Hash: 9061AE31121608EFDB3A8F14C999B35F7F5FB40356F54862DE2469A560CB71A9A0CF90

Function 002F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952

GetSysColor.USER32(0000000F), ref: 002F9862

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 588417b7c3256a80e4c036d31cf061006ce46a55bc161f8df8a71a2b2c752ef3
Instruction ID: d2310d954357b114e8fc2352fc17e7dd05d95144b4181fa7616766fb0ffcedd9
Opcode Fuzzy Hash: 588417b7c3256a80e4c036d31cf061006ce46a55bc161f8df8a71a2b2c752ef3
Instruction Fuzzy Hash: 2941F631120648AFDB325F389C88BB97B69EB473B0F154629FAA6871E1C7719CD1DB10

Function 00318D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.0, xrefs: 0031903A, 00318FD0, 00318FF2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: .0
API String ID: 0-2407493218
Opcode ID: b5a6fdbf075e85bda95997bb63dafc3b60069edb5f47921f89fd57a9c854d408
Instruction ID: f71239aed469a5acae1829692e55a57e71ea226bb3ff83a613ec6bfae609624f
Opcode Fuzzy Hash: b5a6fdbf075e85bda95997bb63dafc3b60069edb5f47921f89fd57a9c854d408
Instruction Fuzzy Hash: CFC1E674E042499FDB2BDFA8D851BEDBBB8BF0D310F15415AE514AB392C7319982CB60

Function 003496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0032F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00349717
LoadStringW.USER32(00000000,?,0032F7F8,00000001), ref: 00349720

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0032F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00349742
LoadStringW.USER32(00000000,?,0032F7F8,00000001), ref: 00349745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00349866

Strings

Line %d (File "%s"):, xrefs: 0034978F
%s (%d) : ==> %s: %s %s, xrefs: 0034984A
Line %d:, xrefs: 003497A0
^ ERROR, xrefs: 003497FB
Error: , xrefs: 0034981D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: d412565847456145230682238858dc4c83bb0acbd1076b7ea3bd2b85916198b2
Instruction ID: 4ebe8768257239830f5e252ed681cd7447de8df2b0af11f388243cf6b4088813
Opcode Fuzzy Hash: d412565847456145230682238858dc4c83bb0acbd1076b7ea3bd2b85916198b2
Instruction Fuzzy Hash: 43417F72850149AACB15EBE1CD46EEE7778EF15340FA00066F60576092EB356F98CF60

Function 003406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00340804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0034082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00340837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0034083C

Strings

SOFTWARE\Classes\, xrefs: 0034070E
\CLSID, xrefs: 00340724
\IPC$, xrefs: 00340784

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 87d2001e91e6dfe84b8063e7d6e18cae0fdab2e0adfd09cb604eea4f08beacaa
Instruction ID: 313f05975c18ad3808817eb74d6765d91bf7b2a0a214f6bcf9123c85b1c8c1f6
Opcode Fuzzy Hash: 87d2001e91e6dfe84b8063e7d6e18cae0fdab2e0adfd09cb604eea4f08beacaa
Instruction Fuzzy Hash: E6414C71D20128ABCF26EBA4DC85CEDB7B8FF44350F454129E905A7161EB30AE54CFA0

Function 00363C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00363C5C
CoInitialize.OLE32(00000000), ref: 00363C8A
CoUninitialize.OLE32 ref: 00363C94
_wcslen.LIBCMT ref: 00363D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00363DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00363ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00363F0E
CoGetObject.OLE32(?,00000000,0037FB98,?), ref: 00363F2D
SetErrorMode.KERNEL32(00000000), ref: 00363F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00363FC4
VariantClear.OLEAUT32(?), ref: 00363FD8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 07df02f700026b69b8426dae7b21f576683a6be0ca17bf2fa94f573d95922a49
Instruction ID: b88408d52300ac1c75637a7ffdcdb0d054d3bec99448b47972f50cdd639aaffe
Opcode Fuzzy Hash: 07df02f700026b69b8426dae7b21f576683a6be0ca17bf2fa94f573d95922a49
Instruction Fuzzy Hash: 4AC16771608305AFC712DF68C88492BBBE9FF89744F10891DF98A9B251D731EE45CB62

Function 00357A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00357AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00357B8F
SHGetDesktopFolder.SHELL32(?), ref: 00357BA3
CoCreateInstance.OLE32(0037FD08,00000000,00000001,003A6E6C,?), ref: 00357BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00357C74
CoTaskMemFree.OLE32(?,?), ref: 00357CCC
SHBrowseForFolderW.SHELL32(?), ref: 00357D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00357D7A
CoTaskMemFree.OLE32(00000000), ref: 00357D81
CoTaskMemFree.OLE32(00000000), ref: 00357DD6
CoUninitialize.OLE32 ref: 00357DDC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 303b3047839b7ab87aadbac5de9f2c32439d529d0ba39f15c929f064e9f46e43
Instruction ID: f9f7407219c718444fae34691d69e8ef21779312ab7af9035cbe9edb4ff7cc5b
Opcode Fuzzy Hash: 303b3047839b7ab87aadbac5de9f2c32439d529d0ba39f15c929f064e9f46e43
Instruction Fuzzy Hash: C8C14A75A10109AFCB15DFA4D884DAEBBF9FF48305B148099E81A9B261D730EE85CF90

Function 0037541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00375504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00375515
CharNextW.USER32(00000158), ref: 00375544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00375585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0037559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003755AC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 56a27bf449c2411ec6f37fb0ee41fbb919e3850677b3810c361c8abd54e9e6e6
Instruction ID: aed7e0a04aba274d3f53466e712743ecc5bc23d63a8fe29a469b23004ddd99e9
Opcode Fuzzy Hash: 56a27bf449c2411ec6f37fb0ee41fbb919e3850677b3810c361c8abd54e9e6e6
Instruction Fuzzy Hash: 3161B430904608EFDF368F51CC849FE7BB9EB06721F118149F619A7290D7B89A80DB60

Function 0033FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0033FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0033FB08
VariantInit.OLEAUT32(?), ref: 0033FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0033FB3A
VariantCopy.OLEAUT32(?,?), ref: 0033FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0033FBA1
VariantClear.OLEAUT32(?), ref: 0033FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0033FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0033FBCC
VariantClear.OLEAUT32(?), ref: 0033FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0033FBE9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4f391b017525942490146cb650c21762743c0390e07a6f564442901cffe1df58
Instruction ID: 840da2565c6b888c5ef388eb914c59ec780cc397643b2e4105e69e1319eee3c6
Opcode Fuzzy Hash: 4f391b017525942490146cb650c21762743c0390e07a6f564442901cffe1df58
Instruction Fuzzy Hash: 92417075E102199FCF16DFA5D898DAEBBB9FF08344F408069E909A7261CB30A945CF90

Function 00349C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00349CA1
GetAsyncKeyState.USER32(000000A0), ref: 00349D22
GetKeyState.USER32(000000A0), ref: 00349D3D
GetAsyncKeyState.USER32(000000A1), ref: 00349D57
GetKeyState.USER32(000000A1), ref: 00349D6C
GetAsyncKeyState.USER32(00000011), ref: 00349D84
GetKeyState.USER32(00000011), ref: 00349D96
GetAsyncKeyState.USER32(00000012), ref: 00349DAE
GetKeyState.USER32(00000012), ref: 00349DC0
GetAsyncKeyState.USER32(0000005B), ref: 00349DD8
GetKeyState.USER32(0000005B), ref: 00349DEA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a8aadf946669c2328d2697ecfcacab3f9a95caa2c481c0f6e7c60f610a0662f4
Instruction ID: 62663de102a24aa0cf7eb6b94e0bef5a971fef430ca42ac9118d2a73486b5a6a
Opcode Fuzzy Hash: a8aadf946669c2328d2697ecfcacab3f9a95caa2c481c0f6e7c60f610a0662f4
Instruction Fuzzy Hash: B741A5349047C96DFF339A6488447A7BEE0AB12344F09805FDAC65E5C2DBA5BDC8C792

Function 0036055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003605BC
inet_addr.WSOCK32(?), ref: 0036061C
gethostbyname.WSOCK32(?), ref: 00360628
IcmpCreateFile.IPHLPAPI ref: 00360636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003607B9
WSACleanup.WSOCK32 ref: 003607BF

Strings

Ping, xrefs: 00360676

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3d4e315638fd35b5b41dc9a2556c2e3cd82d8e4299ec819e40ccb7d0f72244dc
Instruction ID: d95c7a0bdf22157298d01a37d43c50127eda6a9912b146eb6db0012c5c509bd2
Opcode Fuzzy Hash: 3d4e315638fd35b5b41dc9a2556c2e3cd82d8e4299ec819e40ccb7d0f72244dc
Instruction Fuzzy Hash: F3918C356082419FD326CF15D48AF1ABBE4EF44318F15C5A9E56A8B6A2C730ED81CF91

Function 00368CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00368CF3

Part of subcall function 00348E54: _wcslen.LIBCMT ref: 00348E77

_wcslen.LIBCMT ref: 00368D4E
_wcslen.LIBCMT ref: 00368D9C
_wcslen.LIBCMT ref: 00368DDC
_wcslen.LIBCMT ref: 00368E6E

Strings

stdcall, xrefs: 00368DD6, 00368DDB
none, xrefs: 00368E65, 00368E6A
winapi, xrefs: 00368D96, 00368D9B
cdecl, xrefs: 00368D48, 00368D4D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8ce24f884c6a52f3eb53e6da3a0eef01c62c25cde5293647c439a74637d0acb9
Instruction ID: ce1010c5e2ef1e034912c4d1099acdd100a8e128c360e98727896b9524921de7
Opcode Fuzzy Hash: 8ce24f884c6a52f3eb53e6da3a0eef01c62c25cde5293647c439a74637d0acb9
Instruction Fuzzy Hash: BF51D571A001169BCF25DF6CC8508BEB7A5BF69324B618329E926E72C8DB31DD40C790

Function 0036372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00363774
CoUninitialize.OLE32 ref: 0036377F
CoCreateInstance.OLE32(?,00000000,00000017,0037FB78,?), ref: 003637D9
IIDFromString.OLE32(?,?), ref: 0036384C
VariantInit.OLEAUT32(?), ref: 003638E4
VariantClear.OLEAUT32(?), ref: 00363936

Strings

Failed to create object, xrefs: 003637E4, 0036389A
NULL Pointer assignment, xrefs: 0036381E
Invalid parameter, xrefs: 00363865

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ba0266bcde7485030140137ffadc3998c0f9edca6d05fdc6efb20a8dbb70d443
Instruction ID: 1063518ab92e83f7298dd51b2f6be42bdc1b44d2b52e74f6681f33328928bc7e
Opcode Fuzzy Hash: ba0266bcde7485030140137ffadc3998c0f9edca6d05fdc6efb20a8dbb70d443
Instruction Fuzzy Hash: 6D61B371608311AFD312DF54D889FAABBE8EF49714F10881DF9859B291D770EE48CB92

Function 00378B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

Part of subcall function 002F912D: GetCursorPos.USER32(?), ref: 002F9141
Part of subcall function 002F912D: ScreenToClient.USER32(00000000,?), ref: 002F915E
Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000001), ref: 002F9183
Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000002), ref: 002F919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00378B6B
ImageList_EndDrag.COMCTL32 ref: 00378B71
ReleaseCapture.USER32 ref: 00378B77
SetWindowTextW.USER32(?,00000000), ref: 00378C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00378C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00378CFF

Strings

@GUI_DROPID, xrefs: 00378C51
@GUI_DRAGFILE, xrefs: 00378C9A
p#;, xrefs: 00378C71

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#;
API String ID: 1924731296-3448554761
Opcode ID: 67b98b6bb45785c5a835950bff5eb1a9294d383551a142612b006cea845469ff
Instruction ID: 6f6b07004c1a6c649fdddc8e41749211062e3f6069658c025b6bea61705dc673
Opcode Fuzzy Hash: 67b98b6bb45785c5a835950bff5eb1a9294d383551a142612b006cea845469ff
Instruction Fuzzy Hash: 9251BF70114344AFD712DF14CC9AFAAB7E8FB88714F40062DF95A972E1CB359954CBA2

Function 00353388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003533CF

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003533F0

Strings

Line %d (File "%s"):, xrefs: 00353443, 0035345C
"%s" (%d) : ==> %s:, xrefs: 00353522
^ ERROR , xrefs: 0035349E
Incorrect parameters to object property !, xrefs: 003534AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00353504
Error: , xrefs: 003534D1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3c3006bbda19f3353193408575f488418c5bfa9db8f6426f26add742c106cdd0
Instruction ID: 3d4ae99b58119870a39fb63fcf33a0afcfba76f46c552c3faa73094285e4f14b
Opcode Fuzzy Hash: 3c3006bbda19f3353193408575f488418c5bfa9db8f6426f26add742c106cdd0
Instruction Fuzzy Hash: ED51E571840249AADF16EBE1CD46EEEB7B8EF14341F644166F50572062EB312FA8CF60

Function 0034B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0034B5FC
_wcslen.LIBCMT ref: 0034B608
_wcslen.LIBCMT ref: 0034B64D
_wcslen.LIBCMT ref: 0034B68C
_wcslen.LIBCMT ref: 0034B6C7

Strings

APPEND, xrefs: 0034B6C1, 0034B6C6
REMOVE, xrefs: 0034B602, 0034B607
EXISTS, xrefs: 0034B686, 0034B68B
KEYS, xrefs: 0034B647, 0034B64C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6a7fe85242313d9eb10d05743741326ebf9ea6ab052137b365200ee956854568
Instruction ID: a4321328c181db9bdeb193520c2a01992970b9a221501bf8664fed2bc7e1bca6
Opcode Fuzzy Hash: 6a7fe85242313d9eb10d05743741326ebf9ea6ab052137b365200ee956854568
Instruction Fuzzy Hash: DC41F632A010269BCB219F7DC8905BEF7E5EFA1754B274129E921DF284E739ED81C790

Function 00355393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00355416
GetLastError.KERNEL32 ref: 00355420
SetErrorMode.KERNEL32(00000000,READY), ref: 003554A7

Strings

READY, xrefs: 00355460, 00355468
UNKNOWN, xrefs: 00355444
INVALID, xrefs: 00355459
READONLY, xrefs: 00355452
NOTREADY, xrefs: 0035544B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 12c9a1357e9af777a386d455eee362da1aea4656d0297e62217c646667cb6e41
Instruction ID: 3cbcbbee25499e8b59a1fff62a96cdb94615b16f548ad76fa2d1c632e49c9154
Opcode Fuzzy Hash: 12c9a1357e9af777a386d455eee362da1aea4656d0297e62217c646667cb6e41
Instruction Fuzzy Hash: FB31D875A00504DFD712DF69C495EA97BB8EF05306F598069E805CF2A2D731ED8ACB90

Function 00373C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00373C79
SetMenu.USER32(?,00000000), ref: 00373C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00373D10
IsMenu.USER32(?), ref: 00373D24
CreatePopupMenu.USER32 ref: 00373D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00373D5B
DrawMenuBar.USER32 ref: 00373D63

Strings

0, xrefs: 00373C54
F, xrefs: 00373D4E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c8c47599913edb6c19559e3d5e0c485991a2c12a7999043cf880e728a5b8dd62
Instruction ID: b2a2acf15276de35a62fd5368173440ed7149e806c72a9d16aece84d2d30261d
Opcode Fuzzy Hash: c8c47599913edb6c19559e3d5e0c485991a2c12a7999043cf880e728a5b8dd62
Instruction Fuzzy Hash: 0A418B74A01209EFDB36CF64D844AAA7BB9FF49310F15402CFA4AA7360D775AA10DF90

Function 00373A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00373A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00373AA0
GetWindowLongW.USER32(?,000000F0), ref: 00373AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00373AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00373B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00373BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00373BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00373BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00373BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00373C13

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 610061f720cbffe814e266635588d1bd18ded99f0111f10165014bdf5bd19e7e
Instruction ID: 8c6b522e465eda0eaafa0424895077110533db40aa3d20c0f8f44da7bf3666b4
Opcode Fuzzy Hash: 610061f720cbffe814e266635588d1bd18ded99f0111f10165014bdf5bd19e7e
Instruction Fuzzy Hash: FC615C75900248AFDB22DFA8CC81EEE77F8EB09704F104199FA19AB291D774AE45DF50

Function 0034B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0034B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B165
GetWindowThreadProcessId.USER32(00000000), ref: 0034B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0034B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B21D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: cbbf19c10f7b454246bd9e7afcc1307208e09703d2b1eb20d5b22150d2fa6494
Instruction ID: 9fc9c3444e743e9232af5afaff8c89bebeafa45a47034cb7c6936b3906f243ee
Opcode Fuzzy Hash: cbbf19c10f7b454246bd9e7afcc1307208e09703d2b1eb20d5b22150d2fa6494
Instruction Fuzzy Hash: 8031CC71550218BFDB23AF24DC88BADBBEDBF50315F154509FA06DA190D7B4EA808F60

Function 00312C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00312C94

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 00312CA0
_free.LIBCMT ref: 00312CAB
_free.LIBCMT ref: 00312CB6
_free.LIBCMT ref: 00312CC1
_free.LIBCMT ref: 00312CCC
_free.LIBCMT ref: 00312CD7
_free.LIBCMT ref: 00312CE2
_free.LIBCMT ref: 00312CED
_free.LIBCMT ref: 00312CFB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: abf8cddbdf1c08dd0c6fc3ced910277b505062ddcdf0cfe0213478d07370acd1
Instruction ID: 7a9546618e18f4f3c3a3a312906a4b743c128fd43103f030ae2f895dedd8c453
Opcode Fuzzy Hash: abf8cddbdf1c08dd0c6fc3ced910277b505062ddcdf0cfe0213478d07370acd1
Instruction Fuzzy Hash: 16114676510108AFCB0BEF59D942CDE3BA5FF0A360F5145A5FA485F222D731EAB09B90

Function 00357DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00357FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00357FC1
GetFileAttributesW.KERNEL32(?), ref: 00357FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00358005
SetCurrentDirectoryW.KERNEL32(?), ref: 00358017
SetCurrentDirectoryW.KERNEL32(?), ref: 00358060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003580B0

Strings

*.*, xrefs: 00358066

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b0765674fa7719bce90ed35461390e1d1c438516055f6c2bc8735a0200037fef
Instruction ID: 569d5cf27cd2642c20cddd93c251858a585f3f6ef4f4f00eab6c1483fa716343
Opcode Fuzzy Hash: b0765674fa7719bce90ed35461390e1d1c438516055f6c2bc8735a0200037fef
Instruction Fuzzy Hash: 4881B0715183419BCB22EF14D846DAAB3E8BF88312F55485EFC85DB260EB34DD498B52

Function 002E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002E5C7A

Part of subcall function 002E5D0A: GetClientRect.USER32(?,?), ref: 002E5D30
Part of subcall function 002E5D0A: GetWindowRect.USER32(?,?), ref: 002E5D71
Part of subcall function 002E5D0A: ScreenToClient.USER32(?,?), ref: 002E5D99

GetDC.USER32 ref: 003246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00324708
SelectObject.GDI32(00000000,00000000), ref: 00324716
SelectObject.GDI32(00000000,00000000), ref: 0032472B
ReleaseDC.USER32(?,00000000), ref: 00324733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003247C4

Strings

U, xrefs: 00324693

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ba48aa45cf608d73bff001dcaca2e0999be87456c614e94d546331d395e44538
Instruction ID: 79c8d70f2b177be8eddf8d1f47b887f1d9218246bd01e190a98150c35506500e
Opcode Fuzzy Hash: ba48aa45cf608d73bff001dcaca2e0999be87456c614e94d546331d395e44538
Instruction Fuzzy Hash: 9D712130510215DFCF238F68D984ABA7BB5FF4A324F28426AED655A1A6C331CC91DF50

Function 0035359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003535E4

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

LoadStringW.USER32(003B2390,?,00000FFF,?), ref: 0035360A

Strings

Line %d (File "%s"):, xrefs: 0035366B
"%s" (%d) : ==> %s:, xrefs: 00353742
^ ERROR, xrefs: 003536C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00353724
Error: , xrefs: 003536EF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ffd3b7544b81f3b13c2d9ec54ecc8733f836e1a18bb9c8e326f3d1bee99ef1c2
Instruction ID: 1dd5871dbc01b374c343bf608f0e6a2aa754332b4258ae7612152bd776b18bc8
Opcode Fuzzy Hash: ffd3b7544b81f3b13c2d9ec54ecc8733f836e1a18bb9c8e326f3d1bee99ef1c2
Instruction Fuzzy Hash: BF519F71C50249BACF16EBA1CC52EEEBB78EF04341F944165F505720A1EB302AE9DFA0

Function 0035C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0035C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0035C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0035C2CA
GetLastError.KERNEL32 ref: 0035C322
SetEvent.KERNEL32(?), ref: 0035C336
InternetCloseHandle.WININET(00000000), ref: 0035C341

Strings

, xrefs: 0035C2BB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ae152e8509bb3104dbee99e5d119f7aab3c64ee391e6bd54af8d681023bff4d7
Instruction ID: 35b64ffc02d51c964c57a76d8e6f6b56711d4f936f583f4b9aeff352498ba051
Opcode Fuzzy Hash: ae152e8509bb3104dbee99e5d119f7aab3c64ee391e6bd54af8d681023bff4d7
Instruction Fuzzy Hash: CC318FB5510348AFDB229F648C88EAB7AFCEB49749F14951DF84696220DB34DD488B60

Function 0034989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00323AAF,?,?,Bad directive syntax error,0037CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003498BC
LoadStringW.USER32(00000000,?,00323AAF,?), ref: 003498C3

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00349987

Strings

Line %d (File "%s"):, xrefs: 0034992D
., xrefs: 0034996D
Line %d:, xrefs: 00349912
%s (%d) : ==> %s.: %s %s, xrefs: 003498F1
Error: , xrefs: 00349955

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 57b6609c4fd1eaf2b89b75ec6a2a5ae57aacb99c5fea1791edc60652ebbb70d4
Instruction ID: f3b11a74dbcd31c23d453fcd58af95b1e69e898a87ec7981724533cd8a9f0641
Opcode Fuzzy Hash: 57b6609c4fd1eaf2b89b75ec6a2a5ae57aacb99c5fea1791edc60652ebbb70d4
Instruction Fuzzy Hash: FD21823185025EABCF16EF90CC0AEEE7779FF18300F44446AF515660A1EB71AAA8CF50

Function 0034209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0034214D

Strings

smallicons, xrefs: 00342115
largeicons, xrefs: 003420E1
SHELLDLL_DefView, xrefs: 003420CC
list, xrefs: 0034212F
details, xrefs: 003420FB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7823d1752eb60ecc326dfca9a0f0196da5e2890fecb3a441544feab17d5e6270
Instruction ID: 7e915a81ba3d949e0249ae93eaebf492773625ac86bed8470c67232a8f1c1e84
Opcode Fuzzy Hash: 7823d1752eb60ecc326dfca9a0f0196da5e2890fecb3a441544feab17d5e6270
Instruction Fuzzy Hash: 0211367A288306B9FA132224DC06DE773DCDB05325F61001AFB04BC0D2EAA578515624

Function 0031CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0031CEB7
_free.LIBCMT ref: 0031CF22
_free.LIBCMT ref: 0031CF48
_free.LIBCMT ref: 0031CF71
_free.LIBCMT ref: 0031CFA9
_free.LIBCMT ref: 0031CFDA
_free.LIBCMT ref: 0031D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0031D09C
_free.LIBCMT ref: 0031D0B5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8f4385088b2ff7871e37d3b2945f29ea85ef5cb1fbf001a7664a1723ffe5571
Instruction ID: 201ca2cae8014e8cca358df3fe3bc7c66de71d279dd7d541ddecd951e14cad3a
Opcode Fuzzy Hash: b8f4385088b2ff7871e37d3b2945f29ea85ef5cb1fbf001a7664a1723ffe5571
Instruction Fuzzy Hash: 01613971954300AFDB2FAFB49881AEA7BA9EF0E324F05416DF9449B281D7319DD2C790

Function 002F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00336890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00336901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0033691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0033692D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d16bd2095d56976a5fa9a8e15a461cc6499d6aa19f3b40bdbbdd6d0423ee5b66
Instruction ID: 698d9f1e6eb8fd9fc45b2ac3d9881b8ec7c5fc28998cbba087dd72c8dbc53f7e
Opcode Fuzzy Hash: d16bd2095d56976a5fa9a8e15a461cc6499d6aa19f3b40bdbbdd6d0423ee5b66
Instruction Fuzzy Hash: F2517070610209AFDB21CF25CC96FAABBB5FB58754F104528FA16D7290DB70E9A0DB50

Function 0035C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0035C182
GetLastError.KERNEL32 ref: 0035C195
SetEvent.KERNEL32(?), ref: 0035C1A9

Part of subcall function 0035C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0035C272
Part of subcall function 0035C253: GetLastError.KERNEL32 ref: 0035C322
Part of subcall function 0035C253: SetEvent.KERNEL32(?), ref: 0035C336
Part of subcall function 0035C253: InternetCloseHandle.WININET(00000000), ref: 0035C341

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 84ccbbdde4bd7ec3fde5ce4086576192eb567a6bf1354797ffabb7ca37de9334
Instruction ID: 08a6375eb34f923d8a751a8da473836c86a081ca4c9ffc2af27a4f957a358071
Opcode Fuzzy Hash: 84ccbbdde4bd7ec3fde5ce4086576192eb567a6bf1354797ffabb7ca37de9334
Instruction Fuzzy Hash: C231BE70120704AFDB228FA4DC44E66BBECFF18306F00681DF94A86621CB30E858DBA0

Function 003425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00342601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00342605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0034260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00342623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00342627

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6247743c77996a6b5fd47191c57d20ae256380d45ad0f7e06dd0f21847bb7ec8
Instruction ID: b2569a63ea56e77cfec86e2d24ddfc18b064e5b311823e4ae00a0e0f719554e0
Opcode Fuzzy Hash: 6247743c77996a6b5fd47191c57d20ae256380d45ad0f7e06dd0f21847bb7ec8
Instruction Fuzzy Hash: 6801D830390210BBFB2167689C8AF597F9DDF4EB11F501019F358AF0D1C9E12484CA6A

Function 00341803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00341449,?,?,00000000), ref: 0034180C
HeapAlloc.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 00341813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00341449,?,?,00000000), ref: 00341828
GetCurrentProcess.KERNEL32(?,00000000,?,00341449,?,?,00000000), ref: 00341830
DuplicateHandle.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 00341833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00341449,?,?,00000000), ref: 00341843
GetCurrentProcess.KERNEL32(00341449,00000000,?,00341449,?,?,00000000), ref: 0034184B
DuplicateHandle.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 0034184E
CreateThread.KERNEL32(00000000,00000000,00341874,00000000,00000000,00000000), ref: 00341868

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0a23e03c9382c931060646799669e31519a3d5c44f76b3b848888583575fc392
Instruction ID: ebab691d5b0af223e94459269e192820c4b2616885333537e5998070ad1d66b8
Opcode Fuzzy Hash: 0a23e03c9382c931060646799669e31519a3d5c44f76b3b848888583575fc392
Instruction Fuzzy Hash: 7A01CDB5250308BFE721AFB5DC4DF6B3BACEB89B11F405425FA09DB1A1CA749840CB20

Function 00313E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00313F0B
__alldvrm.LIBCMT ref: 0031410C
__alldvrm.LIBCMT ref: 0031412E

Strings

}}0, xrefs: 00313E8A
}}0, xrefs: 00313E96, 00313EF1, 00313F0A, 00314090
}}0, xrefs: 003140CD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}0$}}0$}}0
API String ID: 1036877536-1519972161
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 9ce12ef112f4759bcb91a2ccd71754d42e7ba63206f057b06b82ce8a844b4617
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EDA12672D00386AFDB2BCE18C8917EAFBE5EF6D350F1941ADE5859B281C23489C2C750

Function 0036A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0034D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0034D501
Part of subcall function 0034D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0034D50F
Part of subcall function 0034D4DC: CloseHandle.KERNELBASE(00000000), ref: 0034D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036A16D
GetLastError.KERNEL32 ref: 0036A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0036A268
GetLastError.KERNEL32(00000000), ref: 0036A273
CloseHandle.KERNEL32(00000000), ref: 0036A2C4

Strings

SeDebugPrivilege, xrefs: 0036A18F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e86f69733a65a5ca3bfd24c2821a7328c28918d6b116ffa3783f3dcc28d0d1f4
Instruction ID: 16331c902682d7e9a36cd96584005dc3b174f202546b0e571ad3a30b7d45e1ba
Opcode Fuzzy Hash: e86f69733a65a5ca3bfd24c2821a7328c28918d6b116ffa3783f3dcc28d0d1f4
Instruction Fuzzy Hash: 7861BA302046429FD721DF19C494F16BBE5AF44308F59C49CE46A9BBA2C772EC85CF92

Function 00373886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00373925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0037393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00373954
_wcslen.LIBCMT ref: 00373999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003739F4

Strings

SysListView32, xrefs: 003738F7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 803da561df8d33da4863bc60ef135aee556ac8a82e0d0e36fba558a7aceba733
Instruction ID: 8467e84bb7a5f02d6fc685ac99243a8454a44767b4309487d06b760432c24402
Opcode Fuzzy Hash: 803da561df8d33da4863bc60ef135aee556ac8a82e0d0e36fba558a7aceba733
Instruction Fuzzy Hash: 6B41D371A00218BBDB329F64CC49BEA77A9FF08350F11412AF958E7281D3759A84DB90

Function 0034BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0034BCFD
IsMenu.USER32(00000000), ref: 0034BD1D
CreatePopupMenu.USER32 ref: 0034BD53
GetMenuItemCount.USER32(018F6270), ref: 0034BDA4
InsertMenuItemW.USER32(018F6270,?,00000001,00000030), ref: 0034BDCC

Strings

0, xrefs: 0034BCA8
2, xrefs: 0034BD37

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cbe89ee62a5caf1b210dadee1a68357ec85e17ceef59711c4b07e248dc3701cf
Instruction ID: 8254c034418a411a97b3243b833f6b6d6637561533315a92a94e1e42f41b9bbc
Opcode Fuzzy Hash: cbe89ee62a5caf1b210dadee1a68357ec85e17ceef59711c4b07e248dc3701cf
Instruction Fuzzy Hash: D351AD70A002059BDF22CFA9D8C4BAEFBF8AF46324F144199E415AF2A0D770F945CB61

Function 00302D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00302D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00302D53
_ValidateLocalCookies.LIBCMT ref: 00302DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00302E0C
_ValidateLocalCookies.LIBCMT ref: 00302E61

Strings

csm, xrefs: 00302DF6
&H0, xrefs: 00302DFE, 00302E07, 00302E18

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H0$csm
API String ID: 1170836740-4157724386
Opcode ID: 447938d8e5887466db99ea48a18724c5162a00f33a024961e7af171ca35c78ac
Instruction ID: ad3e8581103c8648e81eaf21feee8fef337f01709cb81794fa4b547749951251
Opcode Fuzzy Hash: 447938d8e5887466db99ea48a18724c5162a00f33a024961e7af171ca35c78ac
Instruction Fuzzy Hash: 98419534A02209EBCF12DF68C869A9FBBB9BF45314F158195E8246B3D2D731DE05CB90

Function 0034C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0034C913

Strings

question, xrefs: 0034C8CC
info, xrefs: 0034C8B4
stop, xrefs: 0034C8E4
warning, xrefs: 0034C8FC
blank, xrefs: 0034C895

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 201bd3c4ff175b584082a50baf1b7ee1411d2aeb363e1fe251193cf00ac339e7
Instruction ID: 3eeafbf16e17f6f08c63a0e72684ae85a81864657c36eb66fbdd19c63246a41a
Opcode Fuzzy Hash: 201bd3c4ff175b584082a50baf1b7ee1411d2aeb363e1fe251193cf00ac339e7
Instruction Fuzzy Hash: A1110A327AB306BAE707AB549C83CEA77DCDF16354B21102EF500AE1C2EBB57E405264

Function 0034DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0034DE42
gethostname.WSOCK32(?,00000100), ref: 0034DE5C
gethostbyname.WSOCK32(?), ref: 0034DE69
inet_ntoa.WSOCK32(?), ref: 0034DEAB
_strcat.LIBCMT ref: 0034DEB9
WSACleanup.WSOCK32 ref: 0034DEDE

Strings

0.0.0.0, xrefs: 0034DE87

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fe46c85aa356b1ad775b40456ea5a04faea168c3d91a651b0a8816960864ca6c
Instruction ID: 785849b1ecdb5a4b2f43909e588e797c46eb0757de8c63466b42aa2edfcd263c
Opcode Fuzzy Hash: fe46c85aa356b1ad775b40456ea5a04faea168c3d91a651b0a8816960864ca6c
Instruction Fuzzy Hash: 5B11EE71914109AFCB36AB60DC4AEEE77ACDF11710F0101ADF549AE091EF70AAC18AA1

Function 0034ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0034ED2A
_wcslen.LIBCMT ref: 0034ED3B
_wcslen.LIBCMT ref: 0034ED79
_wcslen.LIBCMT ref: 0034EDAF
_wcslen.LIBCMT ref: 0034EDDF
_wcslen.LIBCMT ref: 0034EDEF
_wcslen.LIBCMT ref: 0034EE2B
_wcslen.LIBCMT ref: 0034EE5A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 42a1988afb51a0d88100579c39d1cdca91ae8bc515e7f6cbea25203f7e776b45
Instruction ID: f0b981eb14380bda08e2d24e2e337901ee7cb0243655b4d2acb7ba626d739f77
Opcode Fuzzy Hash: 42a1988afb51a0d88100579c39d1cdca91ae8bc515e7f6cbea25203f7e776b45
Instruction Fuzzy Hash: C0419165C1121875CB12EBF4C88AACFB7ACAF45710F508862E918EB162FB34E355C3E5

Function 002FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 002FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0033F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0033F454

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 07843ac0d7b14eb67dd9561310dc98100e48d386b4b1f06cb620156f30dd9397
Instruction ID: c37097f404f400acde0aa55e770194293df1ae4eae28ec01420aee7487f3701b
Opcode Fuzzy Hash: 07843ac0d7b14eb67dd9561310dc98100e48d386b4b1f06cb620156f30dd9397
Instruction Fuzzy Hash: 4F413C316346C8BEC7BA8F298AC8B36FB956F46354F94443CE24752560C6F19890CB10

Function 00372D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00372D1B
GetDC.USER32(00000000), ref: 00372D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00372D2E
ReleaseDC.USER32(00000000,00000000), ref: 00372D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00372D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00372D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00375A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00372DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00372DE1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f42d991b6d578277fde02d2a18146eab1815644f9229313c9b2ee37d3373cd5b
Instruction ID: 91bf9baeb4010e0f26300f2234f665db09061bd7912706fb52257db189ddb76a
Opcode Fuzzy Hash: f42d991b6d578277fde02d2a18146eab1815644f9229313c9b2ee37d3373cd5b
Instruction Fuzzy Hash: 9B316D72211214BFEB324F508C89FEB3BADEB09715F044059FE0C9A291D6759C90C7A4

Function 00345622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00345637
_memcmp.LIBVCRUNTIME ref: 00345659
_memcmp.LIBVCRUNTIME ref: 00345671
_memcmp.LIBVCRUNTIME ref: 00345684
_memcmp.LIBVCRUNTIME ref: 0034569E
_memcmp.LIBVCRUNTIME ref: 003456B1
_memcmp.LIBVCRUNTIME ref: 003456C9
_memcmp.LIBVCRUNTIME ref: 003456E4

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f305511d0c904e751a1fbce341e08e6509d0b52f191a0279d06cd50bc255a4a
Instruction ID: 9edbffa9dd05818c7b0f22ba3135279a3b1fddc2749eec38f376aca65f4fa8e8
Opcode Fuzzy Hash: 9f305511d0c904e751a1fbce341e08e6509d0b52f191a0279d06cd50bc255a4a
Instruction Fuzzy Hash: F7219565E41A097BD22755208E92FFA33DCBE21785F564034FD089EA82F728FD1185A5

Function 00364FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00365007
NULL Pointer assignment, xrefs: 0036502E, 00365383

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ffce91405e99c63438708e1f361e33cfd156935fcebfaab0d6eb33cfde839133
Instruction ID: 1eb579ce7bdf111792609b70ebdd8470368fd7a3765bc6545d8f79b9da1dd043
Opcode Fuzzy Hash: ffce91405e99c63438708e1f361e33cfd156935fcebfaab0d6eb33cfde839133
Instruction Fuzzy Hash: 24D1D175A0060AAFDF11CFA8C880BAEB7B5BF48344F15C479E915AB285E770DD41CB90

Function 00321522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003215CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00321651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003217FB,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003216E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003216FB

Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00321777
__freea.LIBCMT ref: 003217A2
__freea.LIBCMT ref: 003217AE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2d360adbba5e33399d30054f6484400e752437d199dbe14a07fc8477cdc71e38
Instruction ID: f0f2ddb152b07c635fd7e35a93949f3166203c77e4b102acd243a6b7afd4f9de
Opcode Fuzzy Hash: 2d360adbba5e33399d30054f6484400e752437d199dbe14a07fc8477cdc71e38
Instruction Fuzzy Hash: 0991F871E102269EDF228E78EE41AEE7BF9AFA9310F290569E805E7140D735CD40C7A0

Function 00364523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00364648
VariantInit.OLEAUT32(?), ref: 00364749
VariantClear.OLEAUT32(?), ref: 00364753
VariantClear.OLEAUT32(?), ref: 003647B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003645D8, 00364706, 003647BE
Incorrect Object type in FOR..IN loop, xrefs: 0036472C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0dba3e403ec68bb718323ad5a1358ce44d52213c021cb43906437e4cc8a649ef
Instruction ID: 15e3d8981aa0c9c9ae507b943da8b7b3d401e6997b73385e332a809488d4b73a
Opcode Fuzzy Hash: 0dba3e403ec68bb718323ad5a1358ce44d52213c021cb43906437e4cc8a649ef
Instruction Fuzzy Hash: E9917871E00219ABDF26CFA5C888FAEBBB8EF46710F108559F515AB284D7709945CFA0

Function 00351187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0035125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00351284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0035135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00351430

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d8189fb69bde158f5b031301b5a444d562aca4ed7c3d02fd483387dfeebcc8c9
Instruction ID: 7818718f14847fbde2c2dd3e7eaed10fab5fb8c976c8c827da44446955adf341
Opcode Fuzzy Hash: d8189fb69bde158f5b031301b5a444d562aca4ed7c3d02fd483387dfeebcc8c9
Instruction Fuzzy Hash: 67910375A00208AFDB02DF95C885FBEB7B9FF45316F114429ED10EB2A1D774A949CB90

Function 002F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 77266ceb4c2e1da3e58644068c885e09ad4591732098604491de77f7335e61f3
Instruction ID: 6e174b584b0f9f84af5e746b294ea0de298a593ef914a6f226ca9aed45aea70d
Opcode Fuzzy Hash: 77266ceb4c2e1da3e58644068c885e09ad4591732098604491de77f7335e61f3
Instruction Fuzzy Hash: DB913571D1021AEFCB15CFA9C884AEEBBB8FF49320F148459E615B7251D374A991CBA0

Function 00363947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0036396B
CharUpperBuffW.USER32(?,?), ref: 00363A7A
_wcslen.LIBCMT ref: 00363A8A
VariantClear.OLEAUT32(?), ref: 00363C1F

Part of subcall function 00350CDF: VariantInit.OLEAUT32(00000000), ref: 00350D1F
Part of subcall function 00350CDF: VariantCopy.OLEAUT32(?,?), ref: 00350D28
Part of subcall function 00350CDF: VariantClear.OLEAUT32(?), ref: 00350D34

Strings

Incorrect Parameter format, xrefs: 003639A6, 00363BA1
AUTOIT.ERROR, xrefs: 00363A80, 00363A85

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 001c8a92843774fbcc612a12f82954d5ab1e21c5d4908ea10b822fe179e3e183
Instruction ID: 66cf2111e45f7e4ffec54f72a5852c0b0ab67e7c74caa7ab993f1ee631f51f23
Opcode Fuzzy Hash: 001c8a92843774fbcc612a12f82954d5ab1e21c5d4908ea10b822fe179e3e183
Instruction Fuzzy Hash: 799132756183459FC711EF28C48196AB7E8BF89314F14882EF88A9B351DB30EE45CB92

Function 00364BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0034000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?,?,0034035E), ref: 0034002B
Part of subcall function 0034000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340046
Part of subcall function 0034000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340054
Part of subcall function 0034000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?), ref: 00340064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00364C51
_wcslen.LIBCMT ref: 00364D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00364DCF
CoTaskMemFree.OLE32(?), ref: 00364DDA

Strings

NULL Pointer assignment, xrefs: 00364E23, 00364E52

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 99731fe3c49e593b415c00b8b587b39b8bac6784a9008ce3318b3946c0b14ac6
Instruction ID: ef9f7a7f8f8fedc4a4a04b1833b45de38d6c87d54ff92caa03aa7221d75f1fd2
Opcode Fuzzy Hash: 99731fe3c49e593b415c00b8b587b39b8bac6784a9008ce3318b3946c0b14ac6
Instruction Fuzzy Hash: F3912871D0021DAFDF25DFA4D891AEEB7B9BF08300F50816AE915AB251DB34AE54CF60

Function 003720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00372183
GetMenuItemCount.USER32(00000000), ref: 003721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003721DD
_wcslen.LIBCMT ref: 00372213
GetMenuItemID.USER32(?,?), ref: 0037224D
GetSubMenu.USER32(?,?), ref: 0037225B

Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003722E3

Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1c0f6d6652bb8de07f6431b987ad79e7e601ccacab6ac168b1e044bee2c91b70
Instruction ID: 630e9efb74939cc876f7c2cefc18b98d0e677c0f19ea38973b99256833644a26
Opcode Fuzzy Hash: 1c0f6d6652bb8de07f6431b987ad79e7e601ccacab6ac168b1e044bee2c91b70
Instruction Fuzzy Hash: A871B175A00205AFCB22DF65C881AAEB7F5FF48310F158459E81AEB351DB38EE418F90

Function 00377E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018F6248), ref: 00377F37
IsWindowEnabled.USER32(018F6248), ref: 00377F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0037801E
SendMessageW.USER32(018F6248,000000B0,?,?), ref: 00378051
IsDlgButtonChecked.USER32(?,?), ref: 00378089
GetWindowLongW.USER32(018F6248,000000EC), ref: 003780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003780C3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dc58a3a08dd09cb8c8262f95fe444e978a4e8bd57a2d80d061468c2e93cf1671
Instruction ID: 218f2e82185ae1a2df34987d589b4986f0693fecd2074fbfbc9afef588e794e1
Opcode Fuzzy Hash: dc58a3a08dd09cb8c8262f95fe444e978a4e8bd57a2d80d061468c2e93cf1671
Instruction Fuzzy Hash: 43719034648244EFEB329F64C998FAABBB9EF09300F158459E94D97261CB39A845CB50

Function 0034AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0034AEF9
GetKeyboardState.USER32(?), ref: 0034AF0E
SetKeyboardState.USER32(?), ref: 0034AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0034AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0034AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0034AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0034B020

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5074e22ad7b5417adc77258940e0d8ed37f6edca1b434ea9ee3916dfbd38ad10
Instruction ID: e17e0d78dc6d802fca1b80fdcd4f5921cc3f870deb6f364fee4d504fc4f27dfd
Opcode Fuzzy Hash: 5074e22ad7b5417adc77258940e0d8ed37f6edca1b434ea9ee3916dfbd38ad10
Instruction Fuzzy Hash: 0651BDA0644AD53DFB3782348C45BBBBEE95B06304F098889E1E94D8C2C3D8F9C8D751

Function 0034ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0034AD19
GetKeyboardState.USER32(?), ref: 0034AD2E
SetKeyboardState.USER32(?), ref: 0034AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0034ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0034ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0034AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0034AE38

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5281f471154f607ee1f789d790ae258f89e50ab259bb5300c2b9ec9ce8213e1a
Instruction ID: 867f6390c68d7633490bf19c235fdc9b69b3d94395f86814d5a31a82dd7b97d6
Opcode Fuzzy Hash: 5281f471154f607ee1f789d790ae258f89e50ab259bb5300c2b9ec9ce8213e1a
Instruction Fuzzy Hash: C251D6A1988BD53DFB3783348C95B7ABED85B46300F098489E1E54E8C2D294FDC4E752

Function 0031542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00323CD6,?,?,?,?,?,?,?,?,00315BA3,?,?,00323CD6,?,?), ref: 00315470
__fassign.LIBCMT ref: 003154EB
__fassign.LIBCMT ref: 00315506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00323CD6,00000005,00000000,00000000), ref: 0031552C
WriteFile.KERNEL32(?,00323CD6,00000000,00315BA3,00000000,?,?,?,?,?,?,?,?,?,00315BA3,?), ref: 0031554B
WriteFile.KERNEL32(?,?,00000001,00315BA3,00000000,?,?,?,?,?,?,?,?,?,00315BA3,?), ref: 00315584

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fe0658cc12ade7cf58fae1d34fcc8bf86c3b3e4287b984f143e9d5233326da31
Instruction ID: 5b431e24aedf582b0ef9fe5b7aaf5382825d7804f85ed74e301b67fb41cc493c
Opcode Fuzzy Hash: fe0658cc12ade7cf58fae1d34fcc8bf86c3b3e4287b984f143e9d5233326da31
Instruction Fuzzy Hash: 6C51B471A00649DFDB16CFA8D885AEEBBFAEF4D300F14411AF556E7291D7309A81CB60

Function 003610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0036304E: inet_addr.WSOCK32(?), ref: 0036307A
Part of subcall function 0036304E: _wcslen.LIBCMT ref: 0036309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00361112
WSAGetLastError.WSOCK32 ref: 00361121
WSAGetLastError.WSOCK32 ref: 003611C9
closesocket.WSOCK32(00000000), ref: 003611F9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c38fbe742ff354056f39e4daef47fdf02008bb095f74b8860abc95e26e0c80b
Instruction ID: 8386c9fd63465b7096ebd9cd76d9589fcaba4007fb7a8caa54e0c833086c92b0
Opcode Fuzzy Hash: 4c38fbe742ff354056f39e4daef47fdf02008bb095f74b8860abc95e26e0c80b
Instruction Fuzzy Hash: F541E731610204AFDB229F54C845BAAB7E9EF46324F18C059FD199B295C774ED81CBE1

Function 0034CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0034CF22,?), ref: 0034DDFD

Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0034CF22,?), ref: 0034DE16

lstrcmpiW.KERNEL32(?,?), ref: 0034CF45
MoveFileW.KERNEL32(?,?), ref: 0034CF7F
_wcslen.LIBCMT ref: 0034D005
_wcslen.LIBCMT ref: 0034D01B
SHFileOperationW.SHELL32(?), ref: 0034D061

Strings

\*.*, xrefs: 0034CFF3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2da4c3f7bda9bd690dab736d6cdfa4918b7d418f84da30cbe49efbbce51fc294
Instruction ID: a1c240eca4581caf9e13bfe08e2ac30095d4f6e5f5ef309f62949cb1b8eb8d00
Opcode Fuzzy Hash: 2da4c3f7bda9bd690dab736d6cdfa4918b7d418f84da30cbe49efbbce51fc294
Instruction Fuzzy Hash: C64143719462189EDF13EBA4C981ADEB7FCAF08740F1000A6E505EF142EA35B688CB50

Function 00372DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00372E1C
GetWindowLongW.USER32(?,000000F0), ref: 00372E4F
GetWindowLongW.USER32(?,000000F0), ref: 00372E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00372EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00372EE0
GetWindowLongW.USER32(?,000000F0), ref: 00372EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00372F0B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1936313513cbf1c281d223bee8023b42feb2594bc3720dea5bfe41568e5b8074
Instruction ID: b563c0437eca7eeb862f500e6059a591ad16f9a69babfb909cdbaf69dc8b5747
Opcode Fuzzy Hash: 1936313513cbf1c281d223bee8023b42feb2594bc3720dea5bfe41568e5b8074
Instruction Fuzzy Hash: A03126306041409FDB32CF18DC94F6677E8FB4A710F1A5168FA488F6B1CB75A880DB81

Function 00347726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0034778F
SysAllocString.OLEAUT32(00000000), ref: 00347792
SysAllocString.OLEAUT32(?), ref: 003477B0
SysFreeString.OLEAUT32(?), ref: 003477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003477DE
SysAllocString.OLEAUT32(?), ref: 003477EC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 14de287dcd1a666d225a4a5badd0d0a3ff67d92de1ba9649ad791a57f22e136c
Instruction ID: 090c0f079f2c95d0b02bbfe6c1dfc0fbde7a4aab7d534bd117b04b4015756555
Opcode Fuzzy Hash: 14de287dcd1a666d225a4a5badd0d0a3ff67d92de1ba9649ad791a57f22e136c
Instruction Fuzzy Hash: A321B576604219AFDB12DFA8CC88DBB77ECEB09764B408025FA15DB150D770EC418760

Function 003477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347868
SysAllocString.OLEAUT32(00000000), ref: 0034786B
SysAllocString.OLEAUT32 ref: 0034788C
SysFreeString.OLEAUT32 ref: 00347895
StringFromGUID2.OLE32(?,?,00000028), ref: 003478AF
SysAllocString.OLEAUT32(?), ref: 003478BD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1aa79935888d91575faac59a88b9c88e8e22efe6fd50f9fc438c574bdc60d5ab
Instruction ID: bc558074d0ed2a47c4c4cfc02f415e77b2a4c3a55aae028f9cb0b301464880a9
Opcode Fuzzy Hash: 1aa79935888d91575faac59a88b9c88e8e22efe6fd50f9fc438c574bdc60d5ab
Instruction Fuzzy Hash: 46217131608208AFDB129FA9DC8DDBA77ECEB09760B118125F915DB2A1D774EC81CB64

Function 003504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0035052E

Strings

nul, xrefs: 00350567

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f8126aac04e32556d07b7230efdce9fbe81b1933fb065996baac6793487488f9
Instruction ID: 3732f4f5140d5bfcd04156d5bf93fe2df31e799fd5757407975829b8d0d5a790
Opcode Fuzzy Hash: f8126aac04e32556d07b7230efdce9fbe81b1933fb065996baac6793487488f9
Instruction Fuzzy Hash: A8218075504305ABDF268F29DC05E9A77B8AF46725F204E19FCA1E62F0E7719948CF20

Function 003505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00350601

Strings

nul, xrefs: 00350639

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8e9067010044757061e3cb94368f2ce1ba8f4b79251befb664cc518dd5ac06d9
Instruction ID: bc899ba776e03340897a91791405083a0623b4bd31b86fa3a9fc61bf5207196b
Opcode Fuzzy Hash: 8e9067010044757061e3cb94368f2ce1ba8f4b79251befb664cc518dd5ac06d9
Instruction Fuzzy Hash: 9521B2755003069BDB268F68CC04E9A77E8FF85721F200A19FCA1E72F0D77299A4CB50

Function 003740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
Part of subcall function 002E600E: GetStockObject.GDI32(00000011), ref: 002E6060
Part of subcall function 002E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00374112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0037411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0037412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00374139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00374145

Strings

Msctls_Progress32, xrefs: 003740E3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 50a18b080d592800ee33fab56d46947c1cd926a3144b683e913664e3fb65b739
Instruction ID: 1067c3f45b9c9432c8dd73536249e9d034100655e955b8e311e7ddf93b81177d
Opcode Fuzzy Hash: 50a18b080d592800ee33fab56d46947c1cd926a3144b683e913664e3fb65b739
Instruction Fuzzy Hash: 4D11B2B2150219BEEF229F64CC85EE7BF9DEF08798F018110FB18A6150C7769C61DBA4

Function 0031D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0031D7A3: _free.LIBCMT ref: 0031D7CC

_free.LIBCMT ref: 0031D82D

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 0031D838
_free.LIBCMT ref: 0031D843
_free.LIBCMT ref: 0031D897
_free.LIBCMT ref: 0031D8A2
_free.LIBCMT ref: 0031D8AD
_free.LIBCMT ref: 0031D8B8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 55700d6211750c2c29ac01741a244f369aa5c4173404b3e514211ddccef8a0db
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1B115171540B04AAD527BFB0CC47FCB7BDC6F0A710F440825B299AE0D2DBA6B5A54650

Function 0034DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0034DA74
LoadStringW.USER32(00000000), ref: 0034DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0034DA91
LoadStringW.USER32(00000000), ref: 0034DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0034DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0034DAB9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7aed6702ffaa08dfde390c1a03bac1e3d59d65ace578f1b23f792ded40682590
Instruction ID: 45da5028b17ab52d8670086b55eb24d5474d2440435eab4c7e50ba6e65b7c5b7
Opcode Fuzzy Hash: 7aed6702ffaa08dfde390c1a03bac1e3d59d65ace578f1b23f792ded40682590
Instruction Fuzzy Hash: 1F018BF65102087FE712ABA49D89EE7376CD708701F405459F749E6041E6749DC44F74

Function 0035096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018F3458,018F3458), ref: 0035097B
EnterCriticalSection.KERNEL32(018F3438,00000000), ref: 0035098D
TerminateThread.KERNEL32(?,000001F6), ref: 0035099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003509A9
CloseHandle.KERNEL32(?), ref: 003509B8
InterlockedExchange.KERNEL32(018F3458,000001F6), ref: 003509C8
LeaveCriticalSection.KERNEL32(018F3438), ref: 003509CF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1ee7217f6692b93caaf0f2165d3c64cd4c3fec12584e627da01e23b9df20955c
Instruction ID: fa4b005fdfd1d68b02fb57284976148e501113dd689812e4ecdae40693a95d61
Opcode Fuzzy Hash: 1ee7217f6692b93caaf0f2165d3c64cd4c3fec12584e627da01e23b9df20955c
Instruction Fuzzy Hash: 10F03132452502BBDB675F94EE8CBD6BB39FF01702F402429F205608B5C77594A5CF90

Function 00361C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00361DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00361DE1
WSAGetLastError.WSOCK32 ref: 00361DF2
htons.WSOCK32(?), ref: 00361EDB
inet_ntoa.WSOCK32(?), ref: 00361E8C

Part of subcall function 003439E8: _strlen.LIBCMT ref: 003439F2

Part of subcall function 00363224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0035EC0C), ref: 00363240

_strlen.LIBCMT ref: 00361F35

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b5e07a22f7de5faf00697904185a7b1a8cccb2cee0693f117d4b258659ac9b73
Instruction ID: de8cc03d7c5fb0afe45bf6a24ee07fe4f0acda36d50b48cf9d16aa708b981a49
Opcode Fuzzy Hash: b5e07a22f7de5faf00697904185a7b1a8cccb2cee0693f117d4b258659ac9b73
Instruction Fuzzy Hash: 9CB1F431604340AFC325DF24C895E2ABBE5AF84318F998A5CF5565F2E2CB71ED42CB91

Function 002E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002E5D30
GetWindowRect.USER32(?,?), ref: 002E5D71
ScreenToClient.USER32(?,?), ref: 002E5D99
GetClientRect.USER32(?,?), ref: 002E5ED7
GetWindowRect.USER32(?,?), ref: 002E5EF8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 32427e32db50026b72e9a0aa4ef28369d501faa99b26c7d24a066b94dd754ce1
Instruction ID: aac3a4a18203d3f08d9a978078385a6155728b581beb65d1c5129c4412b54138
Opcode Fuzzy Hash: 32427e32db50026b72e9a0aa4ef28369d501faa99b26c7d24a066b94dd754ce1
Instruction Fuzzy Hash: 2FB18B34A2079ADBDB10CFA9C4807EEB7F1FF48314F14941AE8A9D7250DB30AA51DB50

Function 003101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003100D6
__allrem.LIBCMT ref: 003100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0031010B
__allrem.LIBCMT ref: 00310122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00310140

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 37928d6f6e00668700003f9ca32d26de42ab0ee475a4aadcf0df69d3b5c7220b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 46812875A01706AFE72E9E28CC41BABB3E8AF49720F254639F451DA6C1E7B4D9C08750

Function 003161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003082D9,003082D9,?,?,?,0031644F,00000001,00000001,8BE85006), ref: 00316258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0031644F,00000001,00000001,8BE85006,?,?,?), ref: 003162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003163D8
__freea.LIBCMT ref: 003163E5

Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852

__freea.LIBCMT ref: 003163EE
__freea.LIBCMT ref: 00316413

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 66f209247d9a82882c6cf664ffadfec36d3f438611a0771737820977a2f6b33c
Instruction ID: e1c7aefc67049b42dfaf0df9488053cd716eef4f70de0fd07402ca658cefa4ad
Opcode Fuzzy Hash: 66f209247d9a82882c6cf664ffadfec36d3f438611a0771737820977a2f6b33c
Instruction Fuzzy Hash: 0051E472600216ABDB2F8FA4CC82EEF77A9EB48710F164A29FC15DA150DB34DCD0C660

Function 0036BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036BD25
RegCloseKey.ADVAPI32(00000000), ref: 0036BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0036BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0036BDF3
RegCloseKey.ADVAPI32(?), ref: 0036BDFF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 39d78561967fc0e0ab88f546b8e2bee5b85265b54f332e5c5a8a28b1b5f64497
Instruction ID: 204cb3931ab1ee0aca63379515d8c7f8c0274dfdf20b015889b436dae819d830
Opcode Fuzzy Hash: 39d78561967fc0e0ab88f546b8e2bee5b85265b54f332e5c5a8a28b1b5f64497
Instruction Fuzzy Hash: 80818F30218241AFD715DF24C885E2ABBE9FF84308F54856DF5598B2A2DB31ED85CF92

Function 0033F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0033F7B9
SysAllocString.OLEAUT32(00000001), ref: 0033F860
VariantCopy.OLEAUT32(0033FA64,00000000), ref: 0033F889
VariantClear.OLEAUT32(0033FA64), ref: 0033F8AD
VariantCopy.OLEAUT32(0033FA64,00000000), ref: 0033F8B1
VariantClear.OLEAUT32(?), ref: 0033F8BB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 017967df536c83c15c0f04bafb2c761e0d890b652a7a81f4fd1611a727a5e867
Instruction ID: 11a72c47ea701804fd76f331b205393a18c6b7469b89dbf7ab42b1ccccac6b48
Opcode Fuzzy Hash: 017967df536c83c15c0f04bafb2c761e0d890b652a7a81f4fd1611a727a5e867
Instruction Fuzzy Hash: 5F51D431E10314BFCF26AB65D8D5B29B3A8EF45310FA4946BE906DF291DB708C50CB96

Function 0035910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003594E5
_wcslen.LIBCMT ref: 00359506
_wcslen.LIBCMT ref: 0035952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00359585

Strings

X, xrefs: 00359412

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 52632df8c83aef2f5f39d11e4926ff5fc790fc2e7cc40c1c79953342940e7577
Instruction ID: 878430680dff64cd307a3df3eb9a5e3736d971a8eb66726c1de01b938c36d024
Opcode Fuzzy Hash: 52632df8c83aef2f5f39d11e4926ff5fc790fc2e7cc40c1c79953342940e7577
Instruction Fuzzy Hash: 06E1BF31514340CFC725EF25C881F6AB7E4BF85314F55896EE8899B2A2EB30DD49CB92

Function 002F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

BeginPaint.USER32(?,?,?), ref: 002F9241
GetWindowRect.USER32(?,?), ref: 002F92A5
ScreenToClient.USER32(?,?), ref: 002F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002F92D3
EndPaint.USER32(?,?,?,?,?), ref: 002F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003371EA

Part of subcall function 002F9339: BeginPath.GDI32(00000000), ref: 002F9357

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e2208715bbf483f7fee951465712bb0e4c5c0a89196dd16a5649ba3986eeec77
Instruction ID: c68da743acb766a65fde2d8ae90052f74beae0e3231eee203fa549dc28eaec17
Opcode Fuzzy Hash: e2208715bbf483f7fee951465712bb0e4c5c0a89196dd16a5649ba3986eeec77
Instruction Fuzzy Hash: 7841EE71524205AFD722DF24CCD4FBABBA8EB49364F040269FAA4872A1C7309895CB61

Function 003507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0035080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00350847
EnterCriticalSection.KERNEL32(?), ref: 00350863
LeaveCriticalSection.KERNEL32(?), ref: 003508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00350921

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 31c0fcbe33709c8942244fc8099c930b73583507919a516a12fda48818924de1
Instruction ID: d33c7db9226d7213bdb57c034d681e98f0cface28d60c0187f1c3f22360641d9
Opcode Fuzzy Hash: 31c0fcbe33709c8942244fc8099c930b73583507919a516a12fda48818924de1
Instruction Fuzzy Hash: C8417C71910205EBDF1A9F54DC85A6AB7B8FF04300F1440B9ED04AE2A7D731DE64DBA0

Function 003781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0033F3AB,00000000,?,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0037824C
EnableWindow.USER32(?,00000000), ref: 00378272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003782D1
ShowWindow.USER32(?,00000004), ref: 003782E5
EnableWindow.USER32(?,00000001), ref: 0037830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0037832F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6bc05477e8ff081f8ebabe25ba3e6fb1996b53bed9971cba7c55acb0a5872ccd
Instruction ID: 16fa251b7d9f4b030aea8172f424a0c4f53dbf626811f8821d2931a3e49aca7b
Opcode Fuzzy Hash: 6bc05477e8ff081f8ebabe25ba3e6fb1996b53bed9971cba7c55acb0a5872ccd
Instruction Fuzzy Hash: F841A338641644AFDB37CF14D89DBA47BF4BB0A715F199269E60C4B263CB35A841CB90

Function 00344C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00344C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00344CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00344CEA
_wcslen.LIBCMT ref: 00344D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00344D10
_wcsstr.LIBVCRUNTIME ref: 00344D1A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2eebaa9529f66f8c718b2b2eab9f9886fd67ffd29049838f2fc181ed348c94da
Instruction ID: c259fafba66dfff24e0b31960ca5cb938d5c300611046e3621c260ecb55bb7cb
Opcode Fuzzy Hash: 2eebaa9529f66f8c718b2b2eab9f9886fd67ffd29049838f2fc181ed348c94da
Instruction Fuzzy Hash: C021F9716042047BEB275B35AC89F7BBBDCDF46750F15803DF909CE192EA61EC4096A0

Function 0035581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2

_wcslen.LIBCMT ref: 0035587B
CoInitialize.OLE32(00000000), ref: 00355995
CoCreateInstance.OLE32(0037FCF8,00000000,00000001,0037FB68,?), ref: 003559AE
CoUninitialize.OLE32 ref: 003559CC

Strings

.lnk, xrefs: 00355876, 003558C1, 00355985

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 31fd56e16794ad489a56e8152434dfaedc0b67fedc158145581a93229103f119
Instruction ID: d35eae5a4df7468ac19f27cedd3b7a3e502c17c7bb35d01373a5c35af9418c1d
Opcode Fuzzy Hash: 31fd56e16794ad489a56e8152434dfaedc0b67fedc158145581a93229103f119
Instruction Fuzzy Hash: 1BD161706087019FCB15DF25C4A4E2ABBE5EF89311F55885DF88A9B361CB31EC49CB92

Function 0034175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00340FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00340FCA
Part of subcall function 00340FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00340FD6
Part of subcall function 00340FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00340FE5
Part of subcall function 00340FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00340FEC
Part of subcall function 00340FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00341002

GetLengthSid.ADVAPI32(?,00000000,00341335), ref: 003417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003417BA
HeapAlloc.KERNEL32(00000000), ref: 003417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003417DA
GetProcessHeap.KERNEL32(00000000,00000000,00341335), ref: 003417EE
HeapFree.KERNEL32(00000000), ref: 003417F5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfe7e762d6ea1d93c2e3992276913a3a595152d5d4eb08b5d0b774289a575b84
Instruction ID: 536f9bb3b8af4fc220f95facd0d2956b8a13289179e686eb767c8e7098b561b7
Opcode Fuzzy Hash: dfe7e762d6ea1d93c2e3992276913a3a595152d5d4eb08b5d0b774289a575b84
Instruction Fuzzy Hash: 33118E71620605FFDB269FA4CC49BAE7BFDEB45355F11402CF4459B210D736A984CB60

Function 003414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00341506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00341515
CloseHandle.KERNEL32(00000004), ref: 00341520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00341563

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fc720729cf24c0de2d98d339b562992d152c387ce36d7846203ce67a4a5d0ab5
Instruction ID: 71a752d6044b492d4039dbd308740720b2f6b54cc99a3ab4311b5e2ff038d7b5
Opcode Fuzzy Hash: fc720729cf24c0de2d98d339b562992d152c387ce36d7846203ce67a4a5d0ab5
Instruction Fuzzy Hash: 04115972500209AFDF228F98DD49BDE7BADEF49704F054058FA09A6160C375DEA0DB60

Function 00303382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00303379,00302FE5), ref: 00303390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0030339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003033B7
SetLastError.KERNEL32(00000000,?,00303379,00302FE5), ref: 00303409

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0ce46c49cfcc332f95445b126fabd4a52f2582913aead8a2fdcbd07d11371868
Instruction ID: 1698c32cdc93a4daaefc2896289d23a5c53f7a3ea0c5bed72ada6bd4c2b6822d
Opcode Fuzzy Hash: 0ce46c49cfcc332f95445b126fabd4a52f2582913aead8a2fdcbd07d11371868
Instruction Fuzzy Hash: 7101D43662B311BEE62B27757CE56672A9CEB06379B20122DF610891F0FF228E515644

Function 00312D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00315686,00323CD6,?,00000000,?,00315B6A,?,?,?,?,?,0030E6D1,?,003A8A48), ref: 00312D78
_free.LIBCMT ref: 00312DAB
_free.LIBCMT ref: 00312DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0030E6D1,?,003A8A48,00000010,002E4F4A,?,?,00000000,00323CD6), ref: 00312DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0030E6D1,?,003A8A48,00000010,002E4F4A,?,?,00000000,00323CD6), ref: 00312DEC
_abort.LIBCMT ref: 00312DF2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b14fcca9f422b8bb6190fb750f81a46979e1648155c26ce6382870c3d42c6a7b
Instruction ID: 60df125185e962f49a797777fd8665101b31c7ed21612a3cf94e587ecd714ef9
Opcode Fuzzy Hash: b14fcca9f422b8bb6190fb750f81a46979e1648155c26ce6382870c3d42c6a7b
Instruction Fuzzy Hash: CAF0A4365446006BD62F3738FC06ADB255DABCE7B1F26441CF8389A1D2EF2488F24260

Function 00378A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96A2
Part of subcall function 002F9639: BeginPath.GDI32(?), ref: 002F96B9
Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00378A4E
LineTo.GDI32(?,00000003,00000000), ref: 00378A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00378A70
LineTo.GDI32(?,00000000,00000003), ref: 00378A80
EndPath.GDI32(?), ref: 00378A90
StrokePath.GDI32(?), ref: 00378AA0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ac955de24baa9e49a06894c045e9d362a4263307648087d451a2ccf751933b1d
Instruction ID: d6cc3b6ce040c8a8cb26e1e884f3a7852a83805fe2d9d66b57bfe46b12f4143b
Opcode Fuzzy Hash: ac955de24baa9e49a06894c045e9d362a4263307648087d451a2ccf751933b1d
Instruction Fuzzy Hash: E3111B7604014CFFDF229F90DC88EEA7F6DEB08354F008026BA199A1A1C7719D95DFA0

Function 003451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00345218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00345229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00345230
ReleaseDC.USER32(00000000,00000000), ref: 00345238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0034524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00345261

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f4e514e6264fdba66fbdad836feb0c8756c08b2354667f5309a8c47e54ca43d4
Instruction ID: 5b4580b06d5c1f9181ce4d2be6d2ca6b82d9b1479cd118a0a201b27e52946ccd
Opcode Fuzzy Hash: f4e514e6264fdba66fbdad836feb0c8756c08b2354667f5309a8c47e54ca43d4
Instruction Fuzzy Hash: 43016275E01718BBEB119BA59C49E5EBFBCFF48751F04446AFA08AB291D6709C00CFA0

Function 002E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 002E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 002E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 002E1C22

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8ac9898f6f9a262462f2c72613c0d0003c101fd12e22fd10f5aaaa33da726b9d
Instruction ID: 5a25086deed785fdcdbf3b2c9e6ad601073fbbb54a60922dd97870b0ca00811f
Opcode Fuzzy Hash: 8ac9898f6f9a262462f2c72613c0d0003c101fd12e22fd10f5aaaa33da726b9d
Instruction Fuzzy Hash: 08016CB09027597DE3008F5A8C85B52FFA8FF19754F04411F915C47941C7F5A864CBE5

Function 0034EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0034EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0034EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0034EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB75

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 4ce100c876d9b0610d675d665246fd061141747d2547aeea3ad849a5f45beff8
Instruction ID: c7798ca7482ed94ecd18eb28e3aa9356b19d307c7b9a59e708fc8bf38a1d07ad
Opcode Fuzzy Hash: 4ce100c876d9b0610d675d665246fd061141747d2547aeea3ad849a5f45beff8
Instruction Fuzzy Hash: CDF05E72250158BBE7325B629C4EEEF7E7CEFCAB11F00116CF605E1191D7A05A41CAB5

Function 00337439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00337452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00337469
GetWindowDC.USER32(?), ref: 00337475
GetPixel.GDI32(00000000,?,?), ref: 00337484
ReleaseDC.USER32(?,00000000), ref: 00337496
GetSysColor.USER32(00000005), ref: 003374B0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d15a87b4753037280546186b6aa5fbe14aebdce9e4691cfbbbc9854f698f663e
Instruction ID: 010c691b720b25abd91270ba72f99f3e1dee47bb5dae68c328a1cd96ce360770
Opcode Fuzzy Hash: d15a87b4753037280546186b6aa5fbe14aebdce9e4691cfbbbc9854f698f663e
Instruction Fuzzy Hash: EB01AD31410205EFDB625F65DC48BEABBB9FF04321F551168FA1AA20A0CB312E91EB10

Function 00341874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0034187F
UnloadUserProfile.USERENV(?,?), ref: 0034188B
CloseHandle.KERNEL32(?), ref: 00341894
CloseHandle.KERNEL32(?), ref: 0034189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003418A5
HeapFree.KERNEL32(00000000), ref: 003418AC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5a77c500c2bbf7b0f5c01628c47b64af3424d758ed07a06a6fa134214bea07e
Instruction ID: a4e9f6e409264342d7d30ea05dcdea7079296f8d2b96113fa06ae1370f4d9f9c
Opcode Fuzzy Hash: d5a77c500c2bbf7b0f5c01628c47b64af3424d758ed07a06a6fa134214bea07e
Instruction Fuzzy Hash: 9CE0E536014101BFEB125FA1ED0CA0ABF3DFF49B22F509228F22991470CB3294A0DF50

Function 002EBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002EBEB3

Strings

D%;, xrefs: 002EBCA2
D%;, xrefs: 002EBDED, 002EBD91, 002EBD1B
D%;D%;, xrefs: 002EBCA5
D%;, xrefs: 002EBE9A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%;$D%;$D%;$D%;D%;
API String ID: 1385522511-674813006
Opcode ID: ca718a65326429a5698784d5b9a942512279bcdf8b68d46644938d0e5b141f5a
Instruction ID: cd4f443052ff53fcd08b7170fca0911013a209a06665cf6002de7e9bc56191f2
Opcode Fuzzy Hash: ca718a65326429a5698784d5b9a942512279bcdf8b68d46644938d0e5b141f5a
Instruction Fuzzy Hash: 7291BB75A5024ACFCB19CF5AC4906ABB7F1FF59304FA4816ADA41AB340D731ED91CB90

Function 00367B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00300242: EnterCriticalSection.KERNEL32(003B070C,003B1884,?,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030024D
Part of subcall function 00300242: LeaveCriticalSection.KERNEL32(003B070C,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030028A

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9

__Init_thread_footer.LIBCMT ref: 00367BFB

Part of subcall function 003001F8: EnterCriticalSection.KERNEL32(003B070C,?,?,002F8747,003B2514), ref: 00300202
Part of subcall function 003001F8: LeaveCriticalSection.KERNEL32(003B070C,?,002F8747,003B2514), ref: 00300235

Strings

G, xrefs: 00367C7F
Variable must be of type 'Object'., xrefs: 00367C3A
+T3, xrefs: 00367E2E
5, xrefs: 00367C78

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T3$5$G$Variable must be of type 'Object'.
API String ID: 535116098-603792018
Opcode ID: 7f71f1c65ad3efddd5c528707bf5fa0b85225000833aab827d22a3d4f2519727
Instruction ID: bd6aebdca05d4b6aaa665a5706667b1bb38aa337efdfb4f7ce72c823f902e8fd
Opcode Fuzzy Hash: 7f71f1c65ad3efddd5c528707bf5fa0b85225000833aab827d22a3d4f2519727
Instruction Fuzzy Hash: 7191AA74A04209EFCB16EF54C891DBDB7B5FF49308F908459F806AB296DB31AE41CB51

Function 0034C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0034C6EE
_wcslen.LIBCMT ref: 0034C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0034C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0034C7CA

Strings

0, xrefs: 0034C6AF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c4fc95e30ad2a4ef4c5068773b7c4abb2b535a29873bb92787c0b3e37429451a
Instruction ID: 6fc7f1d7720ea19531ff7ecc83d346db4b2459c734575971301efc96a5c2e0d0
Opcode Fuzzy Hash: c4fc95e30ad2a4ef4c5068773b7c4abb2b535a29873bb92787c0b3e37429451a
Instruction Fuzzy Hash: B45133716263009FD3929F28C894A6BBBE8AF45314F052A2DF995DB1A0DB70E804CF52

Function 0036AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0036AEA3

Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625

GetProcessId.KERNEL32(00000000), ref: 0036AF38
CloseHandle.KERNEL32(00000000), ref: 0036AF67

Strings

@, xrefs: 0036AE72
<, xrefs: 0036AE6B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 885744a01a4423953d083608ab50450b7d2ddd5cbde58c06bd4f2d97fd388770
Instruction ID: b34c2c70473c4164b364a81bcd9500de95c26623c2fb31d386ddd234df15a5eb
Opcode Fuzzy Hash: 885744a01a4423953d083608ab50450b7d2ddd5cbde58c06bd4f2d97fd388770
Instruction Fuzzy Hash: 6C718770A10A58DFCB15DF55C484A9EBBF0BF08300F448499E81AAB3A2C735ED51CFA1

Function 0034719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00347206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0034723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0034724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003472CF

Strings

DllGetClassObject, xrefs: 00347242

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0c6c97e06a7e73671535de01ea396908756bc357c03c0788f943e335cb0d6e52
Instruction ID: 9af84b700ffba35d8b84f38e925393caacd9c278bfd22c2b5916236d918de31e
Opcode Fuzzy Hash: 0c6c97e06a7e73671535de01ea396908756bc357c03c0788f943e335cb0d6e52
Instruction Fuzzy Hash: 1A414F71A04204EFDB26CF64C885A9A7BE9EF45310F1584ADBD099F20AD7F5E944CBA0

Function 00373D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00373E35
IsMenu.USER32(?), ref: 00373E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00373E92
DrawMenuBar.USER32 ref: 00373EA5

Strings

0, xrefs: 00373D89

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 81ad0c2026c7d7c2dad9d8772dd115317524dc2e6107874c5ff9521e6893277f
Instruction ID: 3fea6b35344ae5b1d11c889aec66feab6138a9b71bc0ef68603740c84106ea3f
Opcode Fuzzy Hash: 81ad0c2026c7d7c2dad9d8772dd115317524dc2e6107874c5ff9521e6893277f
Instruction Fuzzy Hash: 7D418B76A01209EFDB21DF50D884EAABBB9FF49354F048129F909A7650C334EE40DF90

Function 00341DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00341E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00341E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00341EA9

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

Strings

ComboBox, xrefs: 00341DF0
ListBox, xrefs: 00341E25

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e7e474717347a953a548b2a1541a915339e087e629cbf0321ae4a35476336240
Instruction ID: 71e943c59985b64c7a6d7605ed9eaa1e55c9479a99c0f7a814d6eb9a159da115
Opcode Fuzzy Hash: e7e474717347a953a548b2a1541a915339e087e629cbf0321ae4a35476336240
Instruction Fuzzy Hash: 11213775A40104BADB16AB61CC85CFFB7FCDF45350B54411DF815AB1E1DB345DDA8A20

Function 00372F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00372F8D
LoadLibraryW.KERNEL32(?), ref: 00372F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00372FA9
DestroyWindow.USER32(?), ref: 00372FB1

Strings

SysAnimate32, xrefs: 00372F68

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f35bdf09abae30a3a5b7513d16e94587c52c35b4f2b82320d37820bec8131ed7
Instruction ID: 6ef17cedcaf65efbc23f9c02952f875ec7d96b38f0dd37f51385976a31c81302
Opcode Fuzzy Hash: f35bdf09abae30a3a5b7513d16e94587c52c35b4f2b82320d37820bec8131ed7
Instruction Fuzzy Hash: B521FD72200205ABEF324F64DC80EBB77BDEB59364F118618FA18D6090D335DC919B60

Function 00304D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00304D1E,003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002), ref: 00304D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00304DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00304D1E,003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000), ref: 00304DC3

Strings

CorExitProcess, xrefs: 00304D98
mscoree.dll, xrefs: 00304D86

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3cb1d2f4c84d3a31c152a387af7b3a7b6ed1d8fb50a7b3f02fca198019f92984
Instruction ID: d044da1e80cb7994ca083d9bc4063071784d46b87ade0c05dd618127f5f443ce
Opcode Fuzzy Hash: 3cb1d2f4c84d3a31c152a387af7b3a7b6ed1d8fb50a7b3f02fca198019f92984
Instruction Fuzzy Hash: D5F04474651208BBDB169F90DC59BDDBBB9EF44751F4500A8F909A2191CB305A80CB91

Function 002E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4EAE
FreeLibrary.KERNEL32(00000000,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EC0

Strings

kernel32.dll, xrefs: 002E4E94
Wow64DisableWow64FsRedirection, xrefs: 002E4EA8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 832a663faafc56cdbabbfb08c4ff9bb3dace32736319efda88f79f10a44a8385
Instruction ID: 43caef7dc8762e7c5d544b080dde374244e26d9eca756922e7bdd3f85955475c
Opcode Fuzzy Hash: 832a663faafc56cdbabbfb08c4ff9bb3dace32736319efda88f79f10a44a8385
Instruction Fuzzy Hash: 5AE0CD35E615635BD2332F266C18B9FA69CAFC2F62F490129FC09D2100DB64CD4185A0

Function 002E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4E74
FreeLibrary.KERNEL32(00000000,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E87

Strings

kernel32.dll, xrefs: 002E4E5B
Wow64RevertWow64FsRedirection, xrefs: 002E4E6E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 06b7e8d0ecc36e352e3f81f18ff185ed0fdb9b8e0fe3b3968d6590c6c879833a
Instruction ID: 9458a07ed78adbb75c63f7b5daccb2b466b267f5ca646fb41b126d1b99bfa7b2
Opcode Fuzzy Hash: 06b7e8d0ecc36e352e3f81f18ff185ed0fdb9b8e0fe3b3968d6590c6c879833a
Instruction Fuzzy Hash: DED0C2319626625746332F266C08DCFAA1CAF8AB1178D0128F809A2110CF30CD51C5D0

Function 00352947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352C05
DeleteFileW.KERNEL32(?), ref: 00352C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00352C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352CC0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cbbf546c5ebd2164402e75b8ea6c3401fb5bbbaa2774d76556bb3f859627b8b6
Instruction ID: add5e810674846bc54f65e60645dfc1d18f2dbc1dd0fbead6a55bae3e8c1b5bd
Opcode Fuzzy Hash: cbbf546c5ebd2164402e75b8ea6c3401fb5bbbaa2774d76556bb3f859627b8b6
Instruction Fuzzy Hash: 6CB16071D11129ABDF22DBA5CC85EDFB7BDEF09350F1040A6F909E6151EB309A488F61

Function 0036A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0036A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0036A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0036A468
CloseHandle.KERNEL32(?), ref: 0036A63D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 64319eadcbaedeeb19b1df1c39d1c3b04495039ae22db23937ed0f1ac920db3b
Instruction ID: ef02f88d1928897dc181cb9617a4a018dc421b794a1a883b61104b792da70106
Opcode Fuzzy Hash: 64319eadcbaedeeb19b1df1c39d1c3b04495039ae22db23937ed0f1ac920db3b
Instruction Fuzzy Hash: 77A1E0716047009FD721DF24C886F2AB7E5AF84714F54881DFA9A9B392CBB0EC418F92

Function 0031BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00383700), ref: 0031BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0031BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003B1270,000000FF,?,0000003F,00000000,?), ref: 0031BC36
_free.LIBCMT ref: 0031BB7F

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 0031BD4B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 7af70819150537515a9c77dee428f8d4160a6c9653f0fd19f55c4382a8bef170
Instruction ID: 76eddbfde9a1e0451ca52080949b6fca18aca5485d6c30afa67de6baba27aa4e
Opcode Fuzzy Hash: 7af70819150537515a9c77dee428f8d4160a6c9653f0fd19f55c4382a8bef170
Instruction Fuzzy Hash: 8D512B71900209AFCB1BEF65DC819EEF7BCEF49310F51466AE564DB291DB309D908B90

Function 0034E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0034CF22,?), ref: 0034DDFD

Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0034CF22,?), ref: 0034DE16

Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A

lstrcmpiW.KERNEL32(?,?), ref: 0034E473
MoveFileW.KERNEL32(?,?), ref: 0034E4AC
_wcslen.LIBCMT ref: 0034E5EB
_wcslen.LIBCMT ref: 0034E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0034E650

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c2d0db89a2130684c606b05aac5c6d98610a72f80c993c6e7ffccd569837b712
Instruction ID: c2ee4f7240f8899b75792b6ef106d3309c98f2f9148664a43a0a19c7449616d3
Opcode Fuzzy Hash: c2d0db89a2130684c606b05aac5c6d98610a72f80c993c6e7ffccd569837b712
Instruction Fuzzy Hash: 9F5163B24083859BC736EB90DC919DB73DCAF85340F40491EF589DB191EF74B6888B66

Function 0036B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0036BB63
RegCloseKey.ADVAPI32(?,?), ref: 0036BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0036BBB3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 999038dc3735d529f94571fc89445233ac9362d11c37d3eeabbc4d0f420402f0
Instruction ID: 67f310e2e704548c19edebf20a04be0553742bed56c63511280087ee763b9c1a
Opcode Fuzzy Hash: 999038dc3735d529f94571fc89445233ac9362d11c37d3eeabbc4d0f420402f0
Instruction Fuzzy Hash: 4B61AF31218241AFD315DF64C490E2ABBE9FF84308F54895DF4998B2A6DB31ED85CF92

Function 00348BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00348BCD
VariantClear.OLEAUT32 ref: 00348C3E
VariantClear.OLEAUT32 ref: 00348C9D
VariantClear.OLEAUT32(?), ref: 00348D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00348D3B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b7f98f7f1eba8b7af1f3d53e7206e32bd75e729e23d2169c013c4987da651865
Instruction ID: 6bf3e25994aeea9d2c357281e9aa44e24c5c044a7baeeefc6fa9b64d590f19d8
Opcode Fuzzy Hash: b7f98f7f1eba8b7af1f3d53e7206e32bd75e729e23d2169c013c4987da651865
Instruction Fuzzy Hash: 375167B5A01219EFCB15CF68C894AAAB7F8FF89314F158569E909DB350E730E911CF90

Function 00358AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00358BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00358BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00358C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00358C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00358C5F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a9f4fcf3b23d6e78c33e9899a0b8ad60545276cec0db5046a656d063904bcf43
Instruction ID: a0d9e61681b59ee5e188374c3f50970b595e55b88251acab4e6f45b76f592cf0
Opcode Fuzzy Hash: a9f4fcf3b23d6e78c33e9899a0b8ad60545276cec0db5046a656d063904bcf43
Instruction Fuzzy Hash: 65515735A10218AFCB11DF65C880E6ABBF5BF48314F088458E849AB372CB31ED51CFA0

Function 00368EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00368F40
GetProcAddress.KERNEL32(00000000,?), ref: 00368FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00368FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00369032
FreeLibrary.KERNEL32(00000000), ref: 00369052

Part of subcall function 002FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00351043,?,7529E610), ref: 002FF6E6
Part of subcall function 002FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0033FA64,00000000,00000000,?,?,00351043,?,7529E610,?,0033FA64), ref: 002FF70D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0d78e2d92a321996107bbc7fe2e9b5ead1d1c444cbfc72a636638c206010e2b8
Instruction ID: 225db10d858dd20376c145c14e3041bc9933a1dc99f8b49c79943e72122b3bb0
Opcode Fuzzy Hash: 0d78e2d92a321996107bbc7fe2e9b5ead1d1c444cbfc72a636638c206010e2b8
Instruction Fuzzy Hash: 34514834600245DFCB12DF68C4849ADBBF5FF49314B4581A9E80AAB366DB31ED85CF90

Function 00376B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00376C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00376C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00376C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0035AB79,00000000,00000000), ref: 00376C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00376CC7

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c3282c47778147b799804722ba3378a78d8be76a65fd78a15d6af09eb63ce2ef
Instruction ID: b8d6a150930c2e3e0b7e8f850097c24519bea9cc4d3b53b744564c8ff3751925
Opcode Fuzzy Hash: c3282c47778147b799804722ba3378a78d8be76a65fd78a15d6af09eb63ce2ef
Instruction Fuzzy Hash: B341E735600505AFD737CF39CCA6FA97BA8EB09350F158268F95DA72E0C375AD40CA40

Function 00312051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003120C3
_free.LIBCMT ref: 003120E3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ae0108eb8626652dee3f839088bde1f83dda90d048af1fa2b5fadb1e423714a7
Instruction ID: 74009a09450b28e043edaff2e464ab063ed7a4763ffe47cd5426495ede1bdc45
Opcode Fuzzy Hash: ae0108eb8626652dee3f839088bde1f83dda90d048af1fa2b5fadb1e423714a7
Instruction Fuzzy Hash: F041D432A00204AFDB29DF78C981A9EB7A5EF8D314F164568E615EB351DB31ED51CB80

Function 002F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002F9141
ScreenToClient.USER32(00000000,?), ref: 002F915E
GetAsyncKeyState.USER32(00000001), ref: 002F9183
GetAsyncKeyState.USER32(00000002), ref: 002F919D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ce4ee2ba2ded62ebd4d0e0225bed7c3c52bb141d248b6c55b7982599b6643d18
Instruction ID: c7fc1867d918544a95b4c19b58d8eb127aa56f99821a0cc05b8c4f2031278251
Opcode Fuzzy Hash: ce4ee2ba2ded62ebd4d0e0225bed7c3c52bb141d248b6c55b7982599b6643d18
Instruction Fuzzy Hash: E841607190850BFBDF269F64C884BFEF774FB05364F208229E529A7290C7746990DB91

Function 00353874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00353922
TranslateMessage.USER32(?), ref: 0035394B
DispatchMessageW.USER32(?), ref: 00353955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00353966

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cdd2c4afbc0b2861ec83794c3810c9494a4ae1e24969a6e9e23c2d93c016bfdf
Instruction ID: 28f74cc5dd51f0cca14de1b0c51a3ba8f58d164f25597fb1f2df72a70ffac44e
Opcode Fuzzy Hash: cdd2c4afbc0b2861ec83794c3810c9494a4ae1e24969a6e9e23c2d93c016bfdf
Instruction Fuzzy Hash: D031D8B05083859EEB37CB349858FB677ECAB02386F45055DE956C24B0E7B0968CCB11

Function 0035CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0035C21E,00000000), ref: 0035CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0035CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFF2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1ff40d69d653041841ddc770c7a818d89b1d7a3f0542a777cacfa4ccb291b800
Instruction ID: 6a1b2e5fab1db2ec1b99e0446b05b34d4fca9fec51ea89d12eb05ae71098a202
Opcode Fuzzy Hash: 1ff40d69d653041841ddc770c7a818d89b1d7a3f0542a777cacfa4ccb291b800
Instruction Fuzzy Hash: A4316D71624305AFDB25DFA5C884DAABBFDEF0435AB10542EF906D2121DB30AD449B60

Function 00341901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00341915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003419E2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dd0a72189901978b40b97dd65e13847de1162d1257cef1dbda97d4049a8ba6a0
Instruction ID: 1911f37750da885b2e45d180440631bf11c34d07e1fb0fb14f73244b51c3ed1e
Opcode Fuzzy Hash: dd0a72189901978b40b97dd65e13847de1162d1257cef1dbda97d4049a8ba6a0
Instruction Fuzzy Hash: 9731D471A10219EFCB15CFA8CD99ADE7BB5FB04315F104229F925AB2D1C770AD84CB90

Function 00375706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00375745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0037579D
_wcslen.LIBCMT ref: 003757AF
_wcslen.LIBCMT ref: 003757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00375816

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: cf9f7c494f51b55289812b16b50b501b28f49bda6651cf1c163dbcd9cc5e0115
Instruction ID: 2f20589832b1ac417f9e26a3ce5cc5b03e0d276d6867556f91d8d868890b3e3c
Opcode Fuzzy Hash: cf9f7c494f51b55289812b16b50b501b28f49bda6651cf1c163dbcd9cc5e0115
Instruction Fuzzy Hash: F02185719046189ADB369F65CC85AEEB7BCFF04724F10C21AEA1DEA1C0D7B49985CF50

Function 00360930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00360951
GetForegroundWindow.USER32 ref: 00360968
GetDC.USER32(00000000), ref: 003609A4
GetPixel.GDI32(00000000,?,00000003), ref: 003609B0
ReleaseDC.USER32(00000000,00000003), ref: 003609E8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b8cc0f5ce6a8da41230577aaa7ae8c733cc8328e657fd646ffbaecb0975c0580
Instruction ID: 3f5f6a0a6090aa2b8acb2adaea7b3d8d150e41e8b3957864f459f94ab8cf4da2
Opcode Fuzzy Hash: b8cc0f5ce6a8da41230577aaa7ae8c733cc8328e657fd646ffbaecb0975c0580
Instruction Fuzzy Hash: 8221AE35610204AFD719EF65C885AAFBBE9EF48701F04842CE84AA7762CB70AD44CB50

Function 0031CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0031CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031CDE9

Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0031CE0F
_free.LIBCMT ref: 0031CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0031CE31

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: decabb8bdad628b1091fbbb41544f29d3d5caa1282970722659a755507f07b62
Instruction ID: 897ca1e4a7b163a651e12bd2cd46cdebdceb73a68a40edcb31307955bedca5ec
Opcode Fuzzy Hash: decabb8bdad628b1091fbbb41544f29d3d5caa1282970722659a755507f07b62
Instruction Fuzzy Hash: 6A01D8726512157F632716B66C88CBF696DDFCEBA2315212DF905C7200DA608D9181B0

Function 002F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
SelectObject.GDI32(?,00000000), ref: 002F96A2
BeginPath.GDI32(?), ref: 002F96B9
SelectObject.GDI32(?,00000000), ref: 002F96E2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 868c9df911718a82605f07db4106277d14a7384d3f1a61c9c0af4a24276e1045
Instruction ID: e37d553a47f2aef68b441b812e50d0090eeceeff9ccbf40acbf1891d8c598868
Opcode Fuzzy Hash: 868c9df911718a82605f07db4106277d14a7384d3f1a61c9c0af4a24276e1045
Instruction Fuzzy Hash: B021607182134AEBDB229F24DC247B9BBACBB00399F500329F614A61A0D37098E1CFD4

Function 00345711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00345726
_memcmp.LIBVCRUNTIME ref: 00345744
_memcmp.LIBVCRUNTIME ref: 00345757
_memcmp.LIBVCRUNTIME ref: 0034576F
_memcmp.LIBVCRUNTIME ref: 00345787

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 612d49ee8861b0a0e85c78278d550add46e4b23856c11f0189cba4c3cd6a5f8b
Instruction ID: b69b631e850a4229372abb6b61369a3dc23c55c904d0de509632c7bccec7922a
Opcode Fuzzy Hash: 612d49ee8861b0a0e85c78278d550add46e4b23856c11f0189cba4c3cd6a5f8b
Instruction Fuzzy Hash: FB01B9A5A42605BFE21B55109E52FFB779CAB31394F008031FD089E682F764FD11C6B1

Function 00312DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6), ref: 00312DFD
_free.LIBCMT ref: 00312E32
_free.LIBCMT ref: 00312E59
SetLastError.KERNEL32(00000000,002E1129), ref: 00312E66
SetLastError.KERNEL32(00000000,002E1129), ref: 00312E6F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 049ef1e4cfee25768045b2832478a856505ece3a9697e0798a0cb9cd38b4cd82
Instruction ID: f8e44285dacb73fb4e7eba2c5327c3a8f290483274b05ff4dc0cc86c1f38e894
Opcode Fuzzy Hash: 049ef1e4cfee25768045b2832478a856505ece3a9697e0798a0cb9cd38b4cd82
Instruction Fuzzy Hash: 1001F4362456006BD62F27346C85DEB265DABCE3B5F26442CF829A61D2EB348CF14030

Function 0034000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?,?,0034035E), ref: 0034002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?), ref: 00340064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340070

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e65e122b1cfb603d2c522fe9861fe984960378c901f93368e954542cb4d5fde4
Instruction ID: 6dd3cf1c0d68e3731140de9d2c4f3685c59dee987cb584ce15f7bd08796d27e9
Opcode Fuzzy Hash: e65e122b1cfb603d2c522fe9861fe984960378c901f93368e954542cb4d5fde4
Instruction Fuzzy Hash: C2018F76710204BFDB264F68DC04BAE7AEDEB44751F145128FE09DA210D775EE808BA0

Function 0034E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0034E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0034E9A5
Sleep.KERNEL32(00000000), ref: 0034E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0034E9B7
Sleep.KERNEL32 ref: 0034E9F3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8e7b1595139e5de155e45b154ef2bd99dd53780143faf13300e08428ebe3b6a5
Instruction ID: 08bb9f24f2ae7c4daed7da61a2138d8c4511268240bcf30c20814d5bf8068513
Opcode Fuzzy Hash: 8e7b1595139e5de155e45b154ef2bd99dd53780143faf13300e08428ebe3b6a5
Instruction Fuzzy Hash: 26016931C11629DBCF12AFE4DC49AEDBBBCFF08310F41055AE502B6281CB38A590CBA1

Function 003410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3b7eefe6cab9493e4b8f247c47937a4112b64c2b6b047d54aee160f2daeccc8c
Instruction ID: daa41479aa2d4c21e2437e4ee1b479554971de9e7ea68921c7ce42444b6078ee
Opcode Fuzzy Hash: 3b7eefe6cab9493e4b8f247c47937a4112b64c2b6b047d54aee160f2daeccc8c
Instruction Fuzzy Hash: 5E018175100605BFDB224F64DC49E6A3FAEEF89361F110428FA45C7350DB31DC80CA60

Function 00340FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00340FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00340FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00340FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00340FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00341002

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c2b02319a58f10913099a30519a82dfd7c785661c6693ea7e565a4f2b5de0742
Instruction ID: 2c84b372c7feeb47978edd90d04f4f934783bf1f98e34d00179a6fb44c93a63b
Opcode Fuzzy Hash: c2b02319a58f10913099a30519a82dfd7c785661c6693ea7e565a4f2b5de0742
Instruction Fuzzy Hash: A8F06D39210701EBDB224FA4EC4DF563FADEF89762F514428FA49DB251CA70EC808A60

Function 00341014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0034102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00341036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0034104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341062

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8b2f18b7974d720c6f9454d8abd3ae3e55ea3b0646af8044c1d0b1d4c927bf42
Instruction ID: 24118a56bf5752a42f8f291a18c280b04d17df0d2b193e315ff58697da5d76b6
Opcode Fuzzy Hash: 8b2f18b7974d720c6f9454d8abd3ae3e55ea3b0646af8044c1d0b1d4c927bf42
Instruction Fuzzy Hash: 76F06D39210701EBDB235FA4EC49F563BADEF89761F110428FA49DB260CA70E8908A60

Function 0035030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350324
CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350331
CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 0035033E
CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 0035034B
CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350358
CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350365

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6ec9c36572974b26240f34efaef307a9a0e41b3354167e581255882157b5a2d1
Instruction ID: b562b646f7a4fcf7ba52bdb5ea24a3424e03d50fbe1bf39b3cf0cb53d042df19
Opcode Fuzzy Hash: 6ec9c36572974b26240f34efaef307a9a0e41b3354167e581255882157b5a2d1
Instruction Fuzzy Hash: 1901A276800B159FC7369F66D880816F7F9BF503163168A3FD19652931C372A958CF80

Function 0031D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0031D752

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 0031D764
_free.LIBCMT ref: 0031D776
_free.LIBCMT ref: 0031D788
_free.LIBCMT ref: 0031D79A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a65de244a2963f22eb9faef8e510b760f4b94ff15f8be3665617485bb5b80ed1
Instruction ID: a379690ab40aad581f66db80e2faa38db39bb69d14ceca69470a2a400226bb6d
Opcode Fuzzy Hash: a65de244a2963f22eb9faef8e510b760f4b94ff15f8be3665617485bb5b80ed1
Instruction Fuzzy Hash: 2EF0FF32554214ABC62BEF68F9C5C9777DDBB4E720B951809F048DB541CB24FCE086A4

Function 00345C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00345C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00345C6F
MessageBeep.USER32(00000000), ref: 00345C87
KillTimer.USER32(?,0000040A), ref: 00345CA3
EndDialog.USER32(?,00000001), ref: 00345CBD

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4dc2b6c0ffab22735619c8867bc29652641dfec40e47a084dd753daba0ea479c
Instruction ID: 32f9f04312c4e3b4db17017e88965cab15a668b2ae71ce1ad22341310ac5cf92
Opcode Fuzzy Hash: 4dc2b6c0ffab22735619c8867bc29652641dfec40e47a084dd753daba0ea479c
Instruction Fuzzy Hash: 28018130910B04ABEB325B10DDCEFA67BFCBB00B06F04155DA587A54E2DBF4AD848B91

Function 003122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003122BE

Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0

_free.LIBCMT ref: 003122D0
_free.LIBCMT ref: 003122E3
_free.LIBCMT ref: 003122F4
_free.LIBCMT ref: 00312305

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d858ebe5630f00ed999b26766ff03259773b205620cdc032b0a1c5f77593ff7b
Instruction ID: e3cd55ff419511e1bae95254a6d156e2948a46de31399e41138ea1c07ec8de43
Opcode Fuzzy Hash: d858ebe5630f00ed999b26766ff03259773b205620cdc032b0a1c5f77593ff7b
Instruction Fuzzy Hash: 71F05E759101248B862BAF58BC018AE3B6CF71E764F451B0AF510DE3B1C73548B1AFE5

Function 002F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002F95D4
StrokeAndFillPath.GDI32(?,?,003371F7,00000000,?,?,?), ref: 002F95F0
SelectObject.GDI32(?,00000000), ref: 002F9603
DeleteObject.GDI32 ref: 002F9616
StrokePath.GDI32(?), ref: 002F9631

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 28fe92ec5ea58e8a92c4f00aed98c5ccd3de701672733b92a6d44b024c1cba0d
Instruction ID: 7a02b65d253dd9586a92475c62cd972cae7d2bd17813cdab9858dcd1ce174b35
Opcode Fuzzy Hash: 28fe92ec5ea58e8a92c4f00aed98c5ccd3de701672733b92a6d44b024c1cba0d
Instruction Fuzzy Hash: 1DF01931025249EBDB235F65ED287A43B6DAB0036AF948328F629950F0C73089E1DFA0

Function 00310F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003110F9
__freea.LIBCMT ref: 00311117

Part of subcall function 00311537: _free.LIBCMT ref: 0031154F

Strings

am/pm, xrefs: 0031117A
a/p, xrefs: 003111DE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 270acd24ec2f7dce4ba4f50c3d96d220e80cabfdfbf9f1f56e601c811b6f2d2f
Instruction ID: 5adb8e63a346e705c2359aec1c5df27f8ba2298e7df781fb204a7c63385203f0
Opcode Fuzzy Hash: 270acd24ec2f7dce4ba4f50c3d96d220e80cabfdfbf9f1f56e601c811b6f2d2f
Instruction Fuzzy Hash: 05D11239900206DACB2F9F68C845BFAB7B5EF0D300F290569EB119BA58D3759DC1CB91

Function 003661D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00300242: EnterCriticalSection.KERNEL32(003B070C,003B1884,?,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030024D
Part of subcall function 00300242: LeaveCriticalSection.KERNEL32(003B070C,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030028A

Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9

__Init_thread_footer.LIBCMT ref: 00366238

Part of subcall function 003001F8: EnterCriticalSection.KERNEL32(003B070C,?,?,002F8747,003B2514), ref: 00300202
Part of subcall function 003001F8: LeaveCriticalSection.KERNEL32(003B070C,?,002F8747,003B2514), ref: 00300235

Part of subcall function 0035359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003535E4
Part of subcall function 0035359C: LoadStringW.USER32(003B2390,?,00000FFF,?), ref: 0035360A

Strings

x#;, xrefs: 0036633A
x#;, xrefs: 0036636F
x#;, xrefs: 00366353

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#;$x#;$x#;
API String ID: 1072379062-2819258285
Opcode ID: 339802f6d18f9ed51a1550d3791fd51216fb76de2091397ad8b7f80adf83711a
Instruction ID: b976e71dd6e26d2c3b1bf06ca327d20db5b27c52c9b3b317f4cff0036d6d9e5c
Opcode Fuzzy Hash: 339802f6d18f9ed51a1550d3791fd51216fb76de2091397ad8b7f80adf83711a
Instruction Fuzzy Hash: DDC1A371A00109AFCB16DF58C892EBEB7B9FF49340F11846AFA059B295DB70ED45CB90

Function 00315AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO., xrefs: 00315BA8, 00315C6C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: JO.
API String ID: 0-695963393
Opcode ID: 2cbfc9488cdbb3d2a468a617e6e80fd150953b8e30b4470d39dfc43c8046cd17
Instruction ID: 781b457d2bb7183adfb9e32ab1340c2ecceeed7a98659db8a1792a970e68954c
Opcode Fuzzy Hash: 2cbfc9488cdbb3d2a468a617e6e80fd150953b8e30b4470d39dfc43c8046cd17
Instruction Fuzzy Hash: AE51E075E05609DFCB2B9FA4C845FEEBBB8AF8D310F15001AF405AB291D7719981CBA1

Function 00318A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00318B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00318B7A
__dosmaperr.LIBCMT ref: 00318B81

Strings

.0, xrefs: 00318A63

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .0
API String ID: 2434981716-2407493218
Opcode ID: a624466c89467df41ff884fd61862ef5ef503ccace8f52f29af9203d31a14349
Instruction ID: 866c39b7c19d1d775dc77ff6fbfbffd056024c941e959f6a3c47dada23b7d0e2
Opcode Fuzzy Hash: a624466c89467df41ff884fd61862ef5ef503ccace8f52f29af9203d31a14349
Instruction Fuzzy Hash: E7416070608145AFDB2F9F14CC90AF97FA9DF4D304F198569F44587542DE318C839758

Function 00342716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0034B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003421D0,?,?,00000034,00000800,?,00000034), ref: 0034B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00342760

Part of subcall function 0034B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0034B3F8

Part of subcall function 0034B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0034B355
Part of subcall function 0034B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00342194,00000034,?,?,00001004,00000000,00000000), ref: 0034B365
Part of subcall function 0034B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00342194,00000034,?,?,00001004,00000000,00000000), ref: 0034B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0034281A

Strings

@, xrefs: 00342832

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6f3535a2f1345b059c19d196b0b1ad528b1cb86ed14b30aa4c0eba2b69b105f6
Instruction ID: f019f0ab06eb3d33f3c6eb6453d45e53fa539086e1c524ecf94f3d409b92d93f
Opcode Fuzzy Hash: 6f3535a2f1345b059c19d196b0b1ad528b1cb86ed14b30aa4c0eba2b69b105f6
Instruction Fuzzy Hash: 8E411F76900218AFDB11DFA4CD85ADEBBB8EF05700F104099FA55BB181DB71BE85CB61

Function 0031172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00311769
_free.LIBCMT ref: 00311834
_free.LIBCMT ref: 0031183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00311760, 00311767, 00311796, 003117CE

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: f14776f28874aa32b5f2d4bac75c2a696572d0debbc4c2eb6285ac406b3d9ba6
Instruction ID: 72abb55e937e858beb15e063078c17482032c0a03007b971e454194484dbc758
Opcode Fuzzy Hash: f14776f28874aa32b5f2d4bac75c2a696572d0debbc4c2eb6285ac406b3d9ba6
Instruction Fuzzy Hash: AB318D75A00218AFDB2BDF999881DDEBBBCEB89310F514166EA049B251D6708A80CB90

Function 0034C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0034C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0034C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003B1990,018F6270), ref: 0034C395

Strings

0, xrefs: 0034C2DF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 03d02ea923e08de50b9f965ba9af029a7e645d4078ece5618530d49ecd023b95
Instruction ID: c6c40f6ebdde31107dc80bb08c8fc1075868981b79b5efe0d8317ee06accd1e6
Opcode Fuzzy Hash: 03d02ea923e08de50b9f965ba9af029a7e645d4078ece5618530d49ecd023b95
Instruction Fuzzy Hash: 3C41D2392163019FD722DF25D844B1ABBE8AF85320F009A5DF9A59B2D1D734FC04CB62

Function 00374416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0037CC08,00000000,?,?,?,?), ref: 003744AA
GetWindowLongW.USER32 ref: 003744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003744D7

Strings

SysTreeView32, xrefs: 0037447C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b509c85a03f157e87b6c51fc22bf67a5728623d3e642640d6c7cdc0d04b6f2d2
Instruction ID: d8e005b53836267b4b0ceaff4379186bd8b8f7b3959b360f87d652a905e5d319
Opcode Fuzzy Hash: b509c85a03f157e87b6c51fc22bf67a5728623d3e642640d6c7cdc0d04b6f2d2
Instruction Fuzzy Hash: 0B31A231210209AFDF228F39DC45BEA77A9EB09334F218719F979921E0DB75EC909B50

Function 00346E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00346EED
VariantCopyInd.OLEAUT32(?,?), ref: 00346F08
VariantClear.OLEAUT32(?), ref: 00346F12

Strings

*j4, xrefs: 00346E8B, 00346E90, 00346EF8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j4
API String ID: 2173805711-1950182844
Opcode ID: 7e1284701b6ed37ecda8590f1792dda893cb2d2c6752af2d325e2a3ddeca7010
Instruction ID: 4f1e69ba6593ab4059f36999774cb30473041cabff6407f657c1167d752ad70e
Opcode Fuzzy Hash: 7e1284701b6ed37ecda8590f1792dda893cb2d2c6752af2d325e2a3ddeca7010
Instruction Fuzzy Hash: 1E31B371614245DFCB07AF65E8929BE37B9EF46304B5014A8F9824F2A1C730A925DBD2

Function 0036304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0036335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00363077,?,?), ref: 00363378

inet_addr.WSOCK32(?), ref: 0036307A
_wcslen.LIBCMT ref: 0036309B
htons.WSOCK32(00000000), ref: 00363106

Strings

255.255.255.255, xrefs: 00363095, 0036309A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 31ffcc805e5b4cf924e1d14e49084dbbc061596542c434d0eb26f73d5ff170c7
Instruction ID: f514cc81a17e5e53cf309e60c50cd44073d38b020e4d03887e5c4223351eede9
Opcode Fuzzy Hash: 31ffcc805e5b4cf924e1d14e49084dbbc061596542c434d0eb26f73d5ff170c7
Instruction Fuzzy Hash: 6931F3392042019FCB22DF28C485EAA77E0EF15318F25C059E9168F396CB32EF85CB61

Function 00373EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00373F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00373F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00373F78

Strings

SysMonthCal32, xrefs: 00373F0B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b3a5c43025a8c2bc12873a124ab98f456d0876f88fd921b685e2a0cc70692ce6
Instruction ID: 6e1cc45c879200820daf62e74de6135b32e86f271f32fb3e3f85443889683c6d
Opcode Fuzzy Hash: b3a5c43025a8c2bc12873a124ab98f456d0876f88fd921b685e2a0cc70692ce6
Instruction Fuzzy Hash: C821D132610219BFDF228F50CC86FEA3B79EF48754F114214FA19AB1D0D6B5AC50DB90

Function 00374653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00374705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00374713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0037471A

Strings

msctls_updown32, xrefs: 00374684

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f61c62881aa872e6393d98bf3163f1f1ca21e10ec043180ab6da8b76d12d462a
Instruction ID: fed0cec4c109ad22a7bd6da42782847c356fc7abcf5726a1ac7470b1269ea8a4
Opcode Fuzzy Hash: f61c62881aa872e6393d98bf3163f1f1ca21e10ec043180ab6da8b76d12d462a
Instruction Fuzzy Hash: A02190B5600248AFDB22DF64DCD1DA737ADEB9A398B454149FA149B251CB34FC11CBA0

Function 003495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034961D

Strings

#OnAutoItStartRegister, xrefs: 003495F3
#notrayicon, xrefs: 003495B7
#requireadmin, xrefs: 003495D9

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 542ecea942fb895e4e6815fed78c17cb5cfb3592a786fea99d92bd112cae8b9f
Instruction ID: 527c4abf908af8675255f68dd997c503b2eb3394eb662656cc5e8bde88590193
Opcode Fuzzy Hash: 542ecea942fb895e4e6815fed78c17cb5cfb3592a786fea99d92bd112cae8b9f
Instruction Fuzzy Hash: E121577224461066D333AB25EC12FBBB3DCAF91320F52802BF9499F081EB59BD95C695

Function 003737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00373840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00373850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00373876

Strings

Listbox, xrefs: 0037380F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: de9cb072d80b34f84fc0abb58c70e86047c8e71e13c7738180f7797d3eb334d4
Instruction ID: c6898663faad883b335ce9201f84a9d4cfeb7115fb7f05afc2d997717f048a41
Opcode Fuzzy Hash: de9cb072d80b34f84fc0abb58c70e86047c8e71e13c7738180f7797d3eb334d4
Instruction Fuzzy Hash: C121D472650118BBEF228F54CC85FBB376EEF89750F11C114F9189B190C675DC5297A0

Function 003549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00354A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00354A5C
SetErrorMode.KERNEL32(00000000,?,?,0037CC08), ref: 00354AD0

Strings

%lu, xrefs: 00354A6F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d051fe7bfb91e13debc42ac2d837385411d7f71e654c670a5fcc71583f40a272
Instruction ID: f4e33f1830382147c6a0f0ba7c48d3a3a5e87c8807af6172c1d074f2e3f27377
Opcode Fuzzy Hash: d051fe7bfb91e13debc42ac2d837385411d7f71e654c670a5fcc71583f40a272
Instruction Fuzzy Hash: 83316F71A00109AFDB11DF64C985EAA7BF8EF08308F1480A9F909DB262D771ED85CF61

Function 003741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0037424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00374264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00374271

Strings

msctls_trackbar32, xrefs: 00374226

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e55992af0a0cc5813989ac159f1a42947d81d4f8124e4d83986a1c672466c851
Instruction ID: 427edc0faa3f5324b6d6bf9d5af5dbbff659d24bb054df97cb650a671121c281
Opcode Fuzzy Hash: e55992af0a0cc5813989ac159f1a42947d81d4f8124e4d83986a1c672466c851
Instruction Fuzzy Hash: B2112331240248BEEF325F28CC06FAB3BACEF85B54F124518FA58E2090C371EC219B10

Function 00342F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

Part of subcall function 00342DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00342DC5
Part of subcall function 00342DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00342DD6
Part of subcall function 00342DA7: GetCurrentThreadId.KERNEL32 ref: 00342DDD
Part of subcall function 00342DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00342DE4

GetFocus.USER32 ref: 00342F78

Part of subcall function 00342DEE: GetParent.USER32(00000000), ref: 00342DF9

GetClassNameW.USER32(?,?,00000100), ref: 00342FC3
EnumChildWindows.USER32(?,0034303B), ref: 00342FEB

Strings

%s%d, xrefs: 00342FFF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f017759e6ee0c751c08d99cd8a6f8a1bce0fde751d7878af418135026fa2b88c
Instruction ID: f012c1ce138bd1030b2854cd11f8391cb44c520aac15ecfc806dec1da89883c0
Opcode Fuzzy Hash: f017759e6ee0c751c08d99cd8a6f8a1bce0fde751d7878af418135026fa2b88c
Instruction Fuzzy Hash: 7511B4716002056BCF167F748CC5EEE37AAEF95314F044079F919AF152DE30A9458B60

Function 00375882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003758EE
DrawMenuBar.USER32(?), ref: 003758FD

Strings

0, xrefs: 0037588F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b4ca7d05d3d835ecd094b32199a83924aa9187e3a7a9af4f324c54f685643327
Instruction ID: e3af92267db989c84fd8dedaca6cfe83608aa9abc2ddf820a7ed699312ee63db
Opcode Fuzzy Hash: b4ca7d05d3d835ecd094b32199a83924aa9187e3a7a9af4f324c54f685643327
Instruction Fuzzy Hash: 8A018B32510208EEDB269F12DC44BAEBBB8FF46360F00C0A9E94DD6151DB748A94DF20

Function 0033D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0033D3BF
FreeLibrary.KERNEL32 ref: 0033D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0033D3B9
X64, xrefs: 0033D2A8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8d30eab0ba10bf7902e929877be0485d19fa58043261b52a593b6792ef393ea8
Instruction ID: 3745c8b0a651343337a0b20c6e17c3fe2aae1b03a3ac613d1ac132eca9655f68
Opcode Fuzzy Hash: 8d30eab0ba10bf7902e929877be0485d19fa58043261b52a593b6792ef393ea8
Instruction Fuzzy Hash: 41F0A37D91562197D37302105CD49AE73189F10701F95953DF407E2404DB30CD808782

Function 0034007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257619a4ef9bdedd562d525b877074e9f52ddfe4b8b26a407513750df22a7dcf
Instruction ID: 6f47e196d714712bf60f9e76989b2ddccd740c86b2e55b932af8552047d91b69
Opcode Fuzzy Hash: 257619a4ef9bdedd562d525b877074e9f52ddfe4b8b26a407513750df22a7dcf
Instruction Fuzzy Hash: 1CC13979A00206AFDB19CFA4C894AAEBBB5FF48704F118598E605EF251D771EE41CB90

Function 0036342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00363459
CoUninitialize.OLE32 ref: 00363463
VariantInit.OLEAUT32(?), ref: 0036346E
VariantClear.OLEAUT32(?), ref: 0036371B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: bf034353396b85178a99568a6c80bbc58ef42200ead2e2bfdcf8f32638002766
Instruction ID: 67c12a59012dfb2cf8a3fd76e77c6ce878b67f82668909a18ba9cb200a074faa
Opcode Fuzzy Hash: bf034353396b85178a99568a6c80bbc58ef42200ead2e2bfdcf8f32638002766
Instruction Fuzzy Hash: CBA145752147009FC711DF29C485A2ABBE9EF89314F45885DF98A9B366DB30EE01CF91

Function 00340436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0037FC08,?), ref: 003405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0037FC08,?), ref: 00340608
CLSIDFromProgID.OLE32(?,?,00000000,0037CC40,000000FF,?,00000000,00000800,00000000,?,0037FC08,?), ref: 0034062D
_memcmp.LIBVCRUNTIME ref: 0034064E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4a000a7a375cd49dffa6b90e815057693551d5971a5007ef1f2ef47ff146e879
Instruction ID: 2c2f48fdd2f74eb91a2b042d860ca1ea617d01f6ee7de350e4ec42b49df10300
Opcode Fuzzy Hash: 4a000a7a375cd49dffa6b90e815057693551d5971a5007ef1f2ef47ff146e879
Instruction Fuzzy Hash: F5811871A00109EFCB05DF94C984EEEB7B9FF89315F214598E606AB250DB71AE46CF60

Function 0036A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0036A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0036A6BA

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0036A79C
CloseHandle.KERNEL32(00000000), ref: 0036A7AB

Part of subcall function 002FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00323303,?), ref: 002FCE8A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8d85c83d8755fc0e548738ec4b8a5d435f75a52c501bd798054ba904e7f6e4e
Instruction ID: 98782c6db072c3084bf3f5c05b04e9832cefcd63861f2b26cc78f69b281363fc
Opcode Fuzzy Hash: d8d85c83d8755fc0e548738ec4b8a5d435f75a52c501bd798054ba904e7f6e4e
Instruction Fuzzy Hash: 47519C71518340AFD710EF25C886A6BBBE8FF89744F40892DF58997262EB30D954CF92

Function 00321391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003214C0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d9544ae6adf6689f280853b5a71a0b6c18724f0a68043b254105a560940fdc24
Instruction ID: 3182aecc99db8db865c1f398a4fd4de1e7255bb35eef643ded39adbcd9f25c9c
Opcode Fuzzy Hash: d9544ae6adf6689f280853b5a71a0b6c18724f0a68043b254105a560940fdc24
Instruction Fuzzy Hash: 9C415B35A00120ABDB37BBBEBD456AE3AB8EF66730F254626F41CDA1D1E63448815361

Function 00376278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003762E2
ScreenToClient.USER32(?,?), ref: 00376315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00376382

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 267893326064b418f457111aa2380bc727cf6e01b92b951e55a19e6649036f2c
Instruction ID: 804fb325f8718aaf5adda179cbac11405c48d241ee8c85d3a0147599d00ba28c
Opcode Fuzzy Hash: 267893326064b418f457111aa2380bc727cf6e01b92b951e55a19e6649036f2c
Instruction Fuzzy Hash: 3E516C34A00649EFDB22CF64D8919AE7BB5EF45324F118259F8199B2A0D734ED81CB90

Function 00361AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00361AFD
WSAGetLastError.WSOCK32 ref: 00361B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00361B8A
WSAGetLastError.WSOCK32 ref: 00361B94

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7fab1b1d1db8aeceff2b374d7b7c4858766982f9a8600e0cff802bee3a735a32
Instruction ID: f38f5d9c8394a1bd047bf25c22492f0917ee341a9fbea5a3fc11bfe10401fc17
Opcode Fuzzy Hash: 7fab1b1d1db8aeceff2b374d7b7c4858766982f9a8600e0cff802bee3a735a32
Instruction Fuzzy Hash: 0A4191346402006FE721AF25C886F2A77E5AB44718F98C458FA1A9F7D3D772DD518B90

Function 0031B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664e6759ea102690dfe28bbe850b43d27ba5f3594e5de2e4ec74e5101bac7a29
Instruction ID: b7ab683c8e2d8e0014aecbfd6af33d767ef407bbdff4bd311d224aeaed532557
Opcode Fuzzy Hash: 664e6759ea102690dfe28bbe850b43d27ba5f3594e5de2e4ec74e5101bac7a29
Instruction Fuzzy Hash: 78410475A00314AFD72AAF79CC41BAABBA9EF8C710F10852EF141DF682D77199818790

Function 003556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00355783
GetLastError.KERNEL32(?,00000000), ref: 003557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003557FA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7fbbf3d27e05d075f6c047ee97411b9cb12334f20050d2b46ac7b4f34088cdfa
Instruction ID: 39b47c49911a20f722293d2d413149c307de1ea38c9d2afc6a401a36251ff9ee
Opcode Fuzzy Hash: 7fbbf3d27e05d075f6c047ee97411b9cb12334f20050d2b46ac7b4f34088cdfa
Instruction Fuzzy Hash: 96412B39610A50DFCB11DF15C444A1EBBE2AF89321B598888EC4AAB372CB34FD55CF91

Function 0031D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00306D71,00000000,00000000,003082D9,?,003082D9,?,00000001,00306D71,?,00000001,003082D9,003082D9), ref: 0031D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0031D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0031D9AB
__freea.LIBCMT ref: 0031D9B4

Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a2970d6420ea265c2aef2d52f3673233ff44c73b637f8147cf527ce03920c382
Instruction ID: 68fa825d73c3f1c61b1a4a93b5d608d22b272466ccc082b760f17eaae1c4103a
Opcode Fuzzy Hash: a2970d6420ea265c2aef2d52f3673233ff44c73b637f8147cf527ce03920c382
Instruction Fuzzy Hash: D431A072A1020AABDB2A9F64DC45EEF7BA5EB46310F064168FC04DA150EB35DD90CB90

Function 003752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00375352
GetWindowLongW.USER32(?,000000F0), ref: 00375375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00375382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003753A8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3675e74cec617d17b8109dcad3a8e72cf06842e96cddaf52342e81fe9b86de65
Instruction ID: c1ca6273220baa60a77f9bccd4de4e6df11eaa1b71de808e0e33fc30d28455d2
Opcode Fuzzy Hash: 3675e74cec617d17b8109dcad3a8e72cf06842e96cddaf52342e81fe9b86de65
Instruction Fuzzy Hash: E931E638A55A0CEFFB3B9E14CC55BE877A9AB04390F598105FA19961F0C7F8AD809B41

Function 0034AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0034ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0034AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0034AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0034ACC6

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c6019feb3db6cf0e16aed99ad25ef50676d42729c270ddcc2740ae3cc3142503
Instruction ID: bac4c8e4b85485080d8a8f0b2898a9ad1e3eaedfd8b80aa2ee4ef45b9863bbc9
Opcode Fuzzy Hash: c6019feb3db6cf0e16aed99ad25ef50676d42729c270ddcc2740ae3cc3142503
Instruction Fuzzy Hash: 33310870A84A18AFEF37CB658C847FA7BE9AB49310F04421AE485DE1D1C375AD858792

Function 00377674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0037769A
GetWindowRect.USER32(?,?), ref: 00377710
PtInRect.USER32(?,?,00378B89), ref: 00377720
MessageBeep.USER32(00000000), ref: 0037778C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0b4f48578a8ed172a97ff4e10ea10a8afa98d3c07bfeae8ee8c29079c96e1a18
Instruction ID: a9082ea9cc04fb7e289a093e3889a250dcc42c7609e8a1b727f61e9acda17343
Opcode Fuzzy Hash: 0b4f48578a8ed172a97ff4e10ea10a8afa98d3c07bfeae8ee8c29079c96e1a18
Instruction Fuzzy Hash: 00419E34A052949FCB27CF58C894EA9B7F9BB49354F1581A8E5189F261C334A941CF90

Function 003716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003716EB

Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65

GetCaretPos.USER32(?), ref: 003716FF
ClientToScreen.USER32(00000000,?), ref: 0037174C
GetForegroundWindow.USER32 ref: 00371752

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 98d6414455bac3582b8f420ca632e5261883744cef7b685160d259858a17b364
Instruction ID: 867a8d22e65272ce2f4c0bb5f2190653e8c54bb304a96d084fec01229b65bb25
Opcode Fuzzy Hash: 98d6414455bac3582b8f420ca632e5261883744cef7b685160d259858a17b364
Instruction Fuzzy Hash: 5D315271D10149AFCB15DFAAC881CAEB7FDEF48304B5480AAE415E7211E7359E45CFA1

Function 00378FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

GetCursorPos.USER32(?), ref: 00379001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00337711,?,?,?,?,?), ref: 00379016
GetCursorPos.USER32(?), ref: 0037905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00337711,?,?,?), ref: 00379094

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 781de0804963ca2ae7e90aa2580df0c610e5fa309cbeaa420e899de54b2ef790
Instruction ID: c27a4cc91049f121418ca937e4e6373b196ed7d312d2c4db8409a1eb78ab5f34
Opcode Fuzzy Hash: 781de0804963ca2ae7e90aa2580df0c610e5fa309cbeaa420e899de54b2ef790
Instruction Fuzzy Hash: 30218235610018AFDB368F54C854FFA7BF9FB49360F04825AF50947161C3359990EB60

Function 0034D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0037CB68), ref: 0034D2FB
GetLastError.KERNEL32 ref: 0034D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0034D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0037CB68), ref: 0034D376

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fc4b4d8c24ce1d4dd487320fd3cc316553ede427e42db1948f1dcc2241c08654
Instruction ID: 3bafa7b32b9ba76a6b3c06a08f8f26ccd8a23da0830ea5bb5ade1f7fa4414eb2
Opcode Fuzzy Hash: fc4b4d8c24ce1d4dd487320fd3cc316553ede427e42db1948f1dcc2241c08654
Instruction Fuzzy Hash: F721A1745182019FC711DF28C8818AAB7E8EF5A324F504A5DF499DB2A1D731ED85CF93

Function 00341571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00341014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0034102A
Part of subcall function 00341014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00341036
Part of subcall function 00341014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341045
Part of subcall function 00341014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0034104C
Part of subcall function 00341014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003415BE
_memcmp.LIBVCRUNTIME ref: 003415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00341617
HeapFree.KERNEL32(00000000), ref: 0034161E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2204792607e6ef722accd0ec6e7ac80a2af332f409178ebc4d70eacd40d4bbb4
Instruction ID: dc6d9d3bddc5454c05647f20687d6076062aec5af2e18315d1a59db12033e6f8
Opcode Fuzzy Hash: 2204792607e6ef722accd0ec6e7ac80a2af332f409178ebc4d70eacd40d4bbb4
Instruction Fuzzy Hash: D5218C31E00508EFDF11DFA4C945BEEB7F8EF44344F0A4499E845AB241E734AA85CBA0

Function 00372782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0037280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00372824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00372832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00372840

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b02f1520c1d9535a82e77c6091bd41593ab298e141296d1207905e43db6c0024
Instruction ID: a0d6ec0297b77c399209b80ddac693f3614971bec871ece456e14711fb7725fb
Opcode Fuzzy Hash: b02f1520c1d9535a82e77c6091bd41593ab298e141296d1207905e43db6c0024
Instruction Fuzzy Hash: 6E210331204150BFD7269B24C844FAB7B99EF45324F14815CF42A8B6E2CB7AFC82CB90

Function 003478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00348D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0034790A,?,000000FF,?,00348754,00000000,?,0000001C,?,?), ref: 00348D8C
Part of subcall function 00348D7D: lstrcpyW.KERNEL32(00000000,?,?,0034790A,?,000000FF,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00348DB2
Part of subcall function 00348D7D: lstrcmpiW.KERNEL32(00000000,?,0034790A,?,000000FF,?,00348754,00000000,?,0000001C,?,?), ref: 00348DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00347923
lstrcpyW.KERNEL32(00000000,?,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00347949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00347984

Strings

cdecl, xrefs: 0034797B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: bbb47700378a3f53a2c641a6b8a6e55f95be599ddb08a883ce679bff8552fc5d
Instruction ID: ea4718c25e76d58f4c8c5fcbfc85f741df974fceadf9f502d9643377340cc066
Opcode Fuzzy Hash: bbb47700378a3f53a2c641a6b8a6e55f95be599ddb08a883ce679bff8552fc5d
Instruction Fuzzy Hash: 7511E93A200341ABDB269F34D845D7A77E9FF55390B50403AF946CF2A4EB31A851CB91

Function 00377CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00377D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00377D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00377D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0035B7AD,00000000), ref: 00377D6B

Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d7af5666773adf26ec2d6c1d1e0cb63ab5197ded18dd9b5ed59d1442fc445d91
Instruction ID: 037d5178a4bd7f3fc9c662fff1dab5d93a5f5790b04501f0b12bdc08b109917c
Opcode Fuzzy Hash: d7af5666773adf26ec2d6c1d1e0cb63ab5197ded18dd9b5ed59d1442fc445d91
Instruction Fuzzy Hash: 4011D231214615AFCB328F68CC04AA63BA8AF45364F168728F93DC72F0D7358960CB80

Function 00375660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003756BB
_wcslen.LIBCMT ref: 003756CD
_wcslen.LIBCMT ref: 003756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00375816

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0d101d48897bfd3775bfb18693eb5aac6cac51855856085b67131d0b56ba1576
Instruction ID: 0dc1d9d296577754fa80b99b59322007b93b91240c337d912ae3be9978578b79
Opcode Fuzzy Hash: 0d101d48897bfd3775bfb18693eb5aac6cac51855856085b67131d0b56ba1576
Instruction Fuzzy Hash: 3811D675A0460896DB369F61CC85AEE77ACEF11764F50C02AFA1DD6081E7B8DA80CB60

Function 00311D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b33aa8b965cfb97d872e2db5a7c157bc7edba9c68a9500aa3a572ad923ea10
Instruction ID: e9da9cf1f4c1610685540701435c46842fe6bf786b6f0a9c6137ad6b622639ab
Opcode Fuzzy Hash: 89b33aa8b965cfb97d872e2db5a7c157bc7edba9c68a9500aa3a572ad923ea10
Instruction Fuzzy Hash: 860162B32096167EF62B16787CC1FF7661DDF4A3B8F351329F621551D2DB608C905160

Function 00341A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00341A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A8A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2af5502c9fbc5407477cd2dcfa30bb06ea128ed63f7dae4348f4698f419d0085
Instruction ID: 02e534a250d926ca5fda624bee91b8ad0f9f16da6dc790ef9da792f339d2c89c
Opcode Fuzzy Hash: 2af5502c9fbc5407477cd2dcfa30bb06ea128ed63f7dae4348f4698f419d0085
Instruction Fuzzy Hash: 4F113C3AD01219FFEB11DBA4CD85FADFBB8EB04750F200495E604BB290D671AE50DB94

Function 0034E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0034E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0034E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0034E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0034E24D

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9c6ed07bd4fa2eb05b6b45805677ebbfc61dabb5a3610b3fa3b8292a47719e01
Instruction ID: 7352e49a8ee030c7e087cd6ffe21882c83cee5a28c4268d8c214e7beb4ed706a
Opcode Fuzzy Hash: 9c6ed07bd4fa2eb05b6b45805677ebbfc61dabb5a3610b3fa3b8292a47719e01
Instruction Fuzzy Hash: B7112B76904258BFD7139FA8DC05A9F7FECAB45324F404729F929E7290D6B4DD0087A0

Function 0030D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0030CFF9,00000000,00000004,00000000), ref: 0030D218
GetLastError.KERNEL32 ref: 0030D224
__dosmaperr.LIBCMT ref: 0030D22B
ResumeThread.KERNEL32(00000000), ref: 0030D249

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c80ff70c6194d49ef6b1c02881a913818550ceefc8f0af7833b40a3206f35aef
Instruction ID: 1d586afe4623b26d5c7c9c8ee88c37b7b3fb14ae4fc5d8c2ef2877251f8b2479
Opcode Fuzzy Hash: c80ff70c6194d49ef6b1c02881a913818550ceefc8f0af7833b40a3206f35aef
Instruction Fuzzy Hash: 2501D236816208BBDB236BE5DC19BAF7AADDF81730F110619F9299A5D0CF708951C7A0

Function 002E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
GetStockObject.GDI32(00000011), ref: 002E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7526b4651488463caf7a4b96cc442a36b9de8c803358e931d0ebb5d2683c76d1
Instruction ID: dace092a1ed3bfa07781868419e1d999819204d6417a61861b5287514bf1fa5f
Opcode Fuzzy Hash: 7526b4651488463caf7a4b96cc442a36b9de8c803358e931d0ebb5d2683c76d1
Instruction Fuzzy Hash: F611C472111599BFEF225F95DC48EEABB6DFF183A4F440215FA0452010C732ECA0DB90

Function 00303B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00303B56

Part of subcall function 00303AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00303AD2
Part of subcall function 00303AA3: ___AdjustPointer.LIBCMT ref: 00303AED

_UnwindNestedFrames.LIBCMT ref: 00303B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00303B7C
CallCatchBlock.LIBVCRUNTIME ref: 00303BA4

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: edf4eda11425e0914c2100f7fcba5f66b4045b715288aac9835d9f7b10f6405e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 93014C72101148BBDF126E95CC42EEB3F6DFF88758F054414FE485A161C732EA61DBA0

Function 00313073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002E13C6,00000000,00000000,?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue), ref: 003130A5
GetLastError.KERNEL32(?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue,00382290,FlsSetValue,00000000,00000364,?,00312E46), ref: 003130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue,00382290,FlsSetValue,00000000), ref: 003130BF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bd4848f172891bb0ef2a851cfca1ec22db6593afc4da261022e0d01a11ae01ef
Instruction ID: 38ff6c80318919cca0e24fbcc46a0d71b3919fd39b5c202a8e722ee50e0f0c4b
Opcode Fuzzy Hash: bd4848f172891bb0ef2a851cfca1ec22db6593afc4da261022e0d01a11ae01ef
Instruction Fuzzy Hash: 0E01AC36711622ABDB374B799C449A77BDC9F4D761F110624F90BE7140D721D981C7E0

Function 00347464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0034747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00347497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003474CA

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f05c474344ec733184c5b5ee329e9cbe415e2c93a1c7e6494291bebd3b59b619
Instruction ID: cc3f23d2dff38dc9f3acc3272203d9d769c398a0fedaa1bb9b7ac8f526fdbc4f
Opcode Fuzzy Hash: f05c474344ec733184c5b5ee329e9cbe415e2c93a1c7e6494291bebd3b59b619
Instruction Fuzzy Hash: F411ADB1215310ABE7328F16DC08BB27BFCEB00B00F10856DA61ADA691D7B0F944DBA0

Function 0034B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B126

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1888dee17325d1374a09d6a8afde54bcc3c2fe62ab68dcfcd738839cffa50cce
Instruction ID: 1f4d3ab13cde3b0113febc4c5d017d8109f44ab1e30dfeef459690b9fccf21ff
Opcode Fuzzy Hash: 1888dee17325d1374a09d6a8afde54bcc3c2fe62ab68dcfcd738839cffa50cce
Instruction Fuzzy Hash: 66115B31C1152CE7CF16AFE4E9696EEFBB8FF09711F114099D981B6181CB30A650CB51

Function 00377E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00377E33
ScreenToClient.USER32(?,?), ref: 00377E4B
ScreenToClient.USER32(?,?), ref: 00377E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00377E8A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 341d5bcdf439865bc74016557281c28c3a8756b76033df2f8747ee4458c8474a
Instruction ID: 1b9b40f5450db565ef4d3bd8151a73af5267ffcd972803af427ec40dca9fc216
Opcode Fuzzy Hash: 341d5bcdf439865bc74016557281c28c3a8756b76033df2f8747ee4458c8474a
Instruction Fuzzy Hash: A51156B9D0024AAFDB51DF98D884AEEBBF9FF08310F509056E915E3210D735AA94CF51

Function 00342DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00342DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00342DD6
GetCurrentThreadId.KERNEL32 ref: 00342DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00342DE4

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 75f7a8f762f9778f365a8d4f6359d7fcfd4ab49ff042f27140a82895eafac97d
Instruction ID: fb867a5c3dd615289822abeac9b0c55686239e0f12b6a878bc44fb325d83c747
Opcode Fuzzy Hash: 75f7a8f762f9778f365a8d4f6359d7fcfd4ab49ff042f27140a82895eafac97d
Instruction Fuzzy Hash: 16E06D71511224BAD7321B629C4DFEB7EACEB43BA1F84101DB109E50809AA49880C6B0

Function 00378863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96A2
Part of subcall function 002F9639: BeginPath.GDI32(?), ref: 002F96B9
Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00378887
LineTo.GDI32(?,?,?), ref: 00378894
EndPath.GDI32(?), ref: 003788A4
StrokePath.GDI32(?), ref: 003788B2

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 76120294aed6fe94a092227d62c447819ed2667abe5528291df24c0d9b555e9b
Instruction ID: a3107fbcea9823974b3d6b7a0953a64fcb9d6f84888c47d4a4213a9991824f23
Opcode Fuzzy Hash: 76120294aed6fe94a092227d62c447819ed2667abe5528291df24c0d9b555e9b
Instruction Fuzzy Hash: 64F03A36051258BADB236F94AC0DFCA3E5DAF06310F448104FB25650E1C77955A1CFE5

Function 002F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002F98CC
SetTextColor.GDI32(?,?), ref: 002F98D6
SetBkMode.GDI32(?,00000001), ref: 002F98E9
GetStockObject.GDI32(00000005), ref: 002F98F1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3655da679d760d653594560db8d123f1df0a5061dd8ca3a7cd60c474d0940d26
Instruction ID: 023381da849b18b3703997c907b8c2c02f5303fc2baa7d08af21b0574324aea2
Opcode Fuzzy Hash: 3655da679d760d653594560db8d123f1df0a5061dd8ca3a7cd60c474d0940d26
Instruction Fuzzy Hash: 63E06D31254284ABEB325B75AC09BE83F24AB16376F14822DF6FA580E1C3B24690DB10

Function 0034162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00341634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003411D9), ref: 0034163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003411D9), ref: 00341648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003411D9), ref: 0034164F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7624da81fabfbeaf6e948f3f1496953556bea5184793bb4873fa0a00569620ed
Instruction ID: 5113ede90d2f71088b34f8f37238af672c06e391184280663368df1c089b422e
Opcode Fuzzy Hash: 7624da81fabfbeaf6e948f3f1496953556bea5184793bb4873fa0a00569620ed
Instruction Fuzzy Hash: 8DE08631611211DBD7711FA0AD0DB463BBCBF44791F15480CF649DD090D638D4C0C7A4

Function 0033D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0033D858
GetDC.USER32(00000000), ref: 0033D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0033D882
ReleaseDC.USER32(?), ref: 0033D8A3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bc4665a771383e3886e73fc35f310d26f68b55539d5fd49c529a9247807d58ba
Instruction ID: 75b91ca22cdeb3785f10ee87177cf4a24bd8e7576fda529a45aa6de23274a911
Opcode Fuzzy Hash: bc4665a771383e3886e73fc35f310d26f68b55539d5fd49c529a9247807d58ba
Instruction Fuzzy Hash: D6E01270820204DFCF52AFA0D84866DBBB9FB08310F14901DF80AE7250C7345551DF40

Function 0033D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0033D86C
GetDC.USER32(00000000), ref: 0033D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0033D882
ReleaseDC.USER32(?), ref: 0033D8A3

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 186893fdc302a20cfba099fba70f53c911a6c9e32a0488d639ee304091c30c5d
Instruction ID: 14d872b71a51eba9a92825ee23dfa9f65eeaf2706343c64443f81fe4cdc2a102
Opcode Fuzzy Hash: 186893fdc302a20cfba099fba70f53c911a6c9e32a0488d639ee304091c30c5d
Instruction Fuzzy Hash: 1DE01A70820204DFCF62AFA0D84866DBBB9BB08310F14900DE90AE7260CB385951DF40

Function 00354D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00354ED4

Strings

LPT, xrefs: 00354DFB
*, xrefs: 00354E10

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ca9a2904c5d09964c335c5aea88b2254049306b5a3e0114b1322f29b523ed22a
Instruction ID: 1a1bfbbde6e58607cc031a51d9c00a59ae07c1d86e0d8862503ae7fa33f855ac
Opcode Fuzzy Hash: ca9a2904c5d09964c335c5aea88b2254049306b5a3e0114b1322f29b523ed22a
Instruction Fuzzy Hash: F5918475A002449FCB19DF59C484EA9BBF5BF44308F598099E80A9F7A2D731ED89CF90

Function 0030E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0030E30D

Strings

pow, xrefs: 0030E2E5, 0030E302

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a8f7f43e1b17139d6d9e275d1769d5a2d8eaddebe96d591d5a135ce026f3b68b
Instruction ID: bbac7cb7ccd83882b4603f21a7ca9116b278fd58ea0993136716264a98b306e0
Opcode Fuzzy Hash: a8f7f43e1b17139d6d9e275d1769d5a2d8eaddebe96d591d5a135ce026f3b68b
Instruction Fuzzy Hash: 90513A71B0E20696CB1B7714DD213FA2BBCAB44740F394DE8E095862E9DB358CD19A86

Function 00367771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0033569E,00000000,?,0037CC08,?,00000000,00000000), ref: 003678DD

Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A

CharUpperBuffW.USER32(0033569E,00000000,?,0037CC08,00000000,?,00000000,00000000), ref: 0036783B

Strings

<s:, xrefs: 003677C8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s:
API String ID: 3544283678-271464033
Opcode ID: 6d1c69fd99b8157abca014754c549ee3d5cf37bbf8f8cc4c6a47008bf88db8d2
Instruction ID: dde45ae39cb4e2f6c3a68eced3be41ecf21392892893bae4eefe4d1bc7dbb213
Opcode Fuzzy Hash: 6d1c69fd99b8157abca014754c549ee3d5cf37bbf8f8cc4c6a47008bf88db8d2
Instruction Fuzzy Hash: 77618032964158AACF06EBA5CC91DFDB3B8BF14304BD48129F542B3095EF306A55CFA0

Function 002FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002FE1B1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a8465efd1b8f7e09f0d19fb99196bce78125e6a500de4133f6fdf0adfc347fb6
Instruction ID: a22bd5ae6370d0700edbb6262ab0a0ba7001af2baecfca23a2ae3ad52be4aa30
Opcode Fuzzy Hash: a8465efd1b8f7e09f0d19fb99196bce78125e6a500de4133f6fdf0adfc347fb6
Instruction Fuzzy Hash: 4851343590024ADFDF16DF28C4D1ABABBA8EF65310F654066FD519B2E0E7309D92CB90

Function 002FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002FF2BB

Strings

@, xrefs: 002FF2AF

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 517917f705aa16f6a2f36aff877283c11ea2c8ac3dcec22733f7af42f64e8ccc
Instruction ID: 86498d2fa4f163d6ae6f39e48e63ff8fed32cf364c79b8465a7d5555a854bc84
Opcode Fuzzy Hash: 517917f705aa16f6a2f36aff877283c11ea2c8ac3dcec22733f7af42f64e8ccc
Instruction Fuzzy Hash: 9E5135714287859BD320AF51E886BABBBF8FB84300F81885DF199411A5EB318539CB66

Function 00365745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003657E0
_wcslen.LIBCMT ref: 003657EC

Strings

CALLARGARRAY, xrefs: 003657E6, 003657EB

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: be278e232994c4837e955c618670e6d8ba9abbc9f7efde1056584ec645953eef
Instruction ID: dedcafa0631cf7c8daae9361a60752ef04e01cf48bd5fcb65636fe22be5bac25
Opcode Fuzzy Hash: be278e232994c4837e955c618670e6d8ba9abbc9f7efde1056584ec645953eef
Instruction Fuzzy Hash: 9D41BD31A102099FCB15DFA9C8858FEBBF5FF59320F518029E505AB256E7309D81CFA0

Function 0035D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0035D13A

Strings

|, xrefs: 0035D10B

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8b98ea032d07fb065f7aafe0284c815c0a43a68c252bc68c4395442d01143d41
Instruction ID: ebc42cd4918ff930069f984557d9fa16a64e53b3566e05fea3f62d58273b4cfe
Opcode Fuzzy Hash: 8b98ea032d07fb065f7aafe0284c815c0a43a68c252bc68c4395442d01143d41
Instruction Fuzzy Hash: 9D311971D10209ABCF15EFA5CC85EEEBFB9FF14340F400059E815A6162DB31AA56CF60

Function 0037356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00373621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0037365C

Strings

static, xrefs: 003735BC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d1348ff99b3f66f5a41d389a501fafd71d0ed77cfb1680429079b0a9441e21fa
Instruction ID: 06a9a4e8df75a45aaa9f393f9ea8cf10c212e214a94858ef280f315da3330346
Opcode Fuzzy Hash: d1348ff99b3f66f5a41d389a501fafd71d0ed77cfb1680429079b0a9441e21fa
Instruction Fuzzy Hash: 5F31AF71110204AEDB219F68DC80EFB73A9FF48720F11D61DF9A997280DA38AD91DB60

Function 00374537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0037461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00374634

Strings

', xrefs: 0037458E

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9656c30a12a0bd22a150dc39bef33634247426f1cea74d443668d4375ae05fad
Instruction ID: d8bd3a951b25abee53b83b51d49a2faa227b968bd71fa62e75a70b1da0301dba
Opcode Fuzzy Hash: 9656c30a12a0bd22a150dc39bef33634247426f1cea74d443668d4375ae05fad
Instruction Fuzzy Hash: 46313974A003099FDB25CF69C990BDABBB9FF0A310F148069E908AB351D774E941CF90

Function 003731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0037327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00373287

Strings

Combobox, xrefs: 00373249

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f92637c6f890fe48ba5c983ba10229edbd3ce42c76794c164b727d48c6d3b6c2
Instruction ID: c212be918ccbcdfdbd233f38f2d028b0dc94b6ccc8142e2f27057865238e3457
Opcode Fuzzy Hash: f92637c6f890fe48ba5c983ba10229edbd3ce42c76794c164b727d48c6d3b6c2
Instruction Fuzzy Hash: 141190713002086FEF229E54DC84EAB776AEB983A4F118928F918A7291D6359D51A760

Function 00373710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
Part of subcall function 002E600E: GetStockObject.GDI32(00000011), ref: 002E6060
Part of subcall function 002E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A

GetWindowRect.USER32(00000000,?), ref: 0037377A
GetSysColor.USER32(00000012), ref: 00373794

Strings

static, xrefs: 00373757

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5f787af18406b2cc1e2f6a3ae6c94d4859be68b7e6d140c8b6449876f4d05870
Instruction ID: 2fcf6b94df6e671bd7b76b4354a19382283d400cb2850da8ddee4ccc95badc29
Opcode Fuzzy Hash: 5f787af18406b2cc1e2f6a3ae6c94d4859be68b7e6d140c8b6449876f4d05870
Instruction Fuzzy Hash: 24113AB2610209AFDF12DFB8CC45EEA7BB8FB08354F015918F959E2250D739E8519B50

Function 0035CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0035CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0035CDA6

Strings

<local>, xrefs: 0035CD66

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ddfbb20e59567862bbbec9414ca2a64c8019c2df264b262f7083a8cb67addfdb
Instruction ID: 4e8f3b1cc553adddd75bd32f2b0555e6bf9ade4e711e269d855dcacf26fabeb0
Opcode Fuzzy Hash: ddfbb20e59567862bbbec9414ca2a64c8019c2df264b262f7083a8cb67addfdb
Instruction Fuzzy Hash: B511A3712257357ED73A4A668C45FE7BEFCEB127A9F00522AB909C20A0D6609848D6F0

Function 00373429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003734BA

Strings

edit, xrefs: 0037348F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f8abd8f4836f764116c3ef090f8014012c2aa000561fa4079ab5608141be45e6
Instruction ID: 802d2ca1815ccabd26ebe6ab9ecd94f146cfa668654e28d4c85d7760b9c0deb1
Opcode Fuzzy Hash: f8abd8f4836f764116c3ef090f8014012c2aa000561fa4079ab5608141be45e6
Instruction Fuzzy Hash: 6511BF71110108ABEB374E65DC84AFB376EEB15374F518328FA68A31D0C739DC91AB50

Function 00346C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00346CB6
_wcslen.LIBCMT ref: 00346CC2

Strings

STOP, xrefs: 00346CBC, 00346CC1

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f6f17f40d9e7cdfc8b1e9c4bc75efadb765f67564c0aa48b6f436d9871f8d7d0
Instruction ID: 36628569a6fba1001d9a45c093845127f3456b3145ccc2aed446a1f298312d31
Opcode Fuzzy Hash: f6f17f40d9e7cdfc8b1e9c4bc75efadb765f67564c0aa48b6f436d9871f8d7d0
Instruction Fuzzy Hash: 76010432A105268ACB22AFBDCC828BF33E8EF637147510539E8529A194EB31ED40C651

Function 00341CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00341D4C

Strings

ComboBox, xrefs: 00341CEB
ListBox, xrefs: 00341D16

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7aeeedd44b9674d4a4d2338b0e1b008846866d386f0937fdc91d4af88fa30bba
Instruction ID: 0e33e9738d665539d3f649323a7055667e2574aff105d65396bbaed8decef86b
Opcode Fuzzy Hash: 7aeeedd44b9674d4a4d2338b0e1b008846866d386f0937fdc91d4af88fa30bba
Instruction Fuzzy Hash: 6401D871A51614ABCB1AFFA4CC51DFE73E8EB47350B54091AF8225B2D1EA306D988A60

Function 00341BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00341C46

Strings

ComboBox, xrefs: 00341BE5
ListBox, xrefs: 00341C10

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 417611fe85c9e195f04b371e992c507a44819057d69e001fd96ae81d0f5d5577
Instruction ID: c974b2a635a3bd14292391fc70d49b7616ac881aeb1954ad9378915ffa42f216
Opcode Fuzzy Hash: 417611fe85c9e195f04b371e992c507a44819057d69e001fd96ae81d0f5d5577
Instruction Fuzzy Hash: A801A7756D111866CB16FB90CD91AFF77ECDB16340F54001AE8066B281EA20AE988AB1

Function 00341C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00341CC8

Strings

ComboBox, xrefs: 00341C69
ListBox, xrefs: 00341C94

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5e28599e75f1d8a4e2c2bbe8db389c647424bee20c1f204bbcd395d1ba71722b
Instruction ID: b2ce49ac74a491a3245b90eebcd81664c6b8df8cd74eb51e55d266f6116a97ff
Opcode Fuzzy Hash: 5e28599e75f1d8a4e2c2bbe8db389c647424bee20c1f204bbcd395d1ba71722b
Instruction Fuzzy Hash: 7501D6716D011867CB16FBA1CE91AFE73EC9B12340F54001AB8027B281FA20AF98CA71

Function 002FA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002FA529

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Strings

3y3, xrefs: 002FA545, 002FA54D, 002FA552
,%;, xrefs: 002FA509

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%;$3y3
API String ID: 2551934079-1555124621
Opcode ID: ab39143020845b3a587c8de580afbe9c8fd8f9e3995725dcae7901a0cf7c74fa
Instruction ID: de923ddaaf3d52bfb8e89e3b73c1208d818018389ad5d8dfd5a1c46054da98f1
Opcode Fuzzy Hash: ab39143020845b3a587c8de580afbe9c8fd8f9e3995725dcae7901a0cf7c74fa
Instruction Fuzzy Hash: BA017B71F6021987C51AF768DC17BBEB318CB06790FD00539F7091B1C2EE509D518A97

Function 00341D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD

Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00341DD3

Strings

ComboBox, xrefs: 00341D75
ListBox, xrefs: 00341DA0

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 197e7a3fe35363ff40c845f7bdc25ed88a75ae3e4cc603015e95f19fe79b5e98
Instruction ID: 5c74794bab4dbb2feeb9ebe603cd72db51bd907fd5d18da6b7ac0d81a39ccd72
Opcode Fuzzy Hash: 197e7a3fe35363ff40c845f7bdc25ed88a75ae3e4cc603015e95f19fe79b5e98
Instruction Fuzzy Hash: 39F0F971F9061466C715F7A4CC91BFE73ACEB02340F44091AF8226B2C1EA7069488660

Function 00378172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003B3018,003B305C), ref: 003781BF
CloseHandle.KERNEL32 ref: 003781D1

Strings

\0;, xrefs: 0037818A

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0;
API String ID: 3712363035-4104835345
Opcode ID: b1f8a04371362809c7168a198d68c9e8d9096194dfe418c8897f8c0aa1bc8748
Instruction ID: 4512d79d179d560e2a9de67a091586c6683738446af9ed3552d326013b829739
Opcode Fuzzy Hash: b1f8a04371362809c7168a198d68c9e8d9096194dfe418c8897f8c0aa1bc8748
Instruction Fuzzy Hash: B7F05EF5640320BAF2227761AC59FB73A5CDF04758F004464BB0DE91A2D679AA4083B8

Function 0036747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00367493
_wcslen.LIBCMT ref: 003674B9

Strings

3, 3, 16, 1, xrefs: 00367483

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1e9950aaadb4ab2d83790cc364130bee3419194884ed432579faa7df81f809c1
Instruction ID: b05f7d845df3606a34e4d1ff421e9dc4edb54bbbfd02b6265d77673e8b34efa7
Opcode Fuzzy Hash: 1e9950aaadb4ab2d83790cc364130bee3419194884ed432579faa7df81f809c1
Instruction Fuzzy Hash: B5E02B4620A22011D233127B9CC9A7F5689CFC6B50751183BFE81C62AEEF948E9193A0

Function 00340B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00340B23

Strings

AutoIt, xrefs: 00340B17
Error allocating memory., xrefs: 00340B1C

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 657fad6bfae4510022c72f4b8ca88abae2820f7abbb34da70d7036dbf19fb6a1
Instruction ID: f198621b52efbcb94417717c1f1f3b032cbbe2fae41d814626d12c7b6486d4f1
Opcode Fuzzy Hash: 657fad6bfae4510022c72f4b8ca88abae2820f7abbb34da70d7036dbf19fb6a1
Instruction Fuzzy Hash: E1E0D83239430C2AD26636947C43FC9BA84CF05B50F10442EF74C5D4C38BE164A04AA9

Function 00300D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00300D71,?,?,?,002E100A), ref: 002FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,002E100A), ref: 00300D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002E100A), ref: 00300D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00300D7F

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c3bec714cd3629c0a9e95405b5a553d91acc521a9dabaf27cfde30ae01eba319
Instruction ID: 52b61a1cf46725409a3f6ffed743d155d7c41bd4c3cc61c86797cdf53488c9a4
Opcode Fuzzy Hash: c3bec714cd3629c0a9e95405b5a553d91acc521a9dabaf27cfde30ae01eba319
Instruction Fuzzy Hash: 9CE092742007418FD7729FB8E854752BBE4BF04744F008D2DE48AC7692EBB4E484CBA1

Function 002FE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002FE3D5

Strings

8%;, xrefs: 002FE3CA
0%;, xrefs: 002FE3B5

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%;$8%;
API String ID: 1385522511-3897545404
Opcode ID: c539edbd77ae0b76b432dd0b9067564df55a393b505458efa73165cd490c7a28
Instruction ID: 5d193ec724c8f9eb546a59a7003cf7a99221556e51f0c3d34dcfedc60d77bd25
Opcode Fuzzy Hash: c539edbd77ae0b76b432dd0b9067564df55a393b505458efa73165cd490c7a28
Instruction Fuzzy Hash: 59E0D835420918CBCA2B9B18B868EF9F359AB06324F1107B6F3034B5E19B3019418755

Function 00353017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0035302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00353044

Strings

aut, xrefs: 00353038

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e3b95adfda0a6a2260a58b09a18ab56a6a09167c09eb42870e276e6932172d35
Instruction ID: 9b0eb3b921ac28ec703669a4a46d8ed6fa50169b64d21a31bd6527e899c06594
Opcode Fuzzy Hash: e3b95adfda0a6a2260a58b09a18ab56a6a09167c09eb42870e276e6932172d35
Instruction Fuzzy Hash: 1ED05EB250032867DF30A7A4AC0EFCB3A6CDB05750F0006A1F659E2092DBB09A84CBD0

Function 0033D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0033D220

Strings

%.3d, xrefs: 0033D22B
X64, xrefs: 0033D2A8

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 190fa315df8a55bf92a8ada4c5e6e2cf81ffbbc4946ec77e557f20e053855f73
Instruction ID: 90e5ebd47d2f799b2f2ab55da532fe3a5f58fd32e4b96994fbe5b14c01eaec56
Opcode Fuzzy Hash: 190fa315df8a55bf92a8ada4c5e6e2cf81ffbbc4946ec77e557f20e053855f73
Instruction Fuzzy Hash: 83D01261818108EACF9296D0ECC58BBB37CEB08341F608866F906D1441D634C5586B61

Function 00372322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0037233F

Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3

Strings

Shell_TrayWnd, xrefs: 00372325

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8c55775d87260b440c84ac4761586f14b612ce13f262895a8d66a8251f297658
Instruction ID: f431c513f2f08db91c238226ea9acb649208650a9a6afab65a313ef0d3f03771
Opcode Fuzzy Hash: 8c55775d87260b440c84ac4761586f14b612ce13f262895a8d66a8251f297658
Instruction Fuzzy Hash: FED022323A0310B7E275B330DC0FFC6BA08AB00B10F00090AB309AE0D0CAF0B840CA04

Function 00372356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037236C
PostMessageW.USER32(00000000), ref: 00372373

Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3

Strings

Shell_TrayWnd, xrefs: 00372365

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c05b0f6448b48b1550699ed59a55d17e830a94d0f04df4a674e69ca048e89f26
Instruction ID: a7701ddce4831747bb14ed3f02b1199ea983b6be35ba73088517ceee04ba3511
Opcode Fuzzy Hash: c05b0f6448b48b1550699ed59a55d17e830a94d0f04df4a674e69ca048e89f26
Instruction Fuzzy Hash: 11D0A9323A0310BAE276A3309C0FFC6B608AB01B10F00090AB209AE0D0CAA0B8408A08

Function 0031BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0031BE93
GetLastError.KERNEL32 ref: 0031BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0031BEFC

Memory Dump Source

Source File: 00000000.00000002.2109769885.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000000.00000002.2109421240.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110062116.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110262102.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110331170.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b96b969a176caa64b6ee91ec7988254216e06e2a850c75ce4ed484d1a26474a0
Instruction ID: 112763f264e9a96f6d53718ba3cf1cd7421aca8f2243e8ea8801cfc88ae02c08
Opcode Fuzzy Hash: b96b969a176caa64b6ee91ec7988254216e06e2a850c75ce4ed484d1a26474a0
Instruction Fuzzy Hash: 56410D34601206AFCF2B8F64DC54AFAFBA9EF49310F154169F9595B1E1DB308D82DB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2287200729.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272484650.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308612970.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2258686128.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288445524.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258795458.000001C082279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2258686128.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288445524.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258795458.000001C082279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2287200729.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272484650.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122321368.000001C07ABF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303684483.000001C082174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303684483.000001C082174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2258686128.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288445524.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117061325.000001C081EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2258686128.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288445524.000001C08375A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117061325.000001C081EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD10A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD10A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2335449542.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326819854.000001C07C3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915050275.000001B1DD10A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2287200729.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272484650.000001C0860B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122321368.000001C07ABF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2330185650.000001C077191000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2339485879.000001C07717F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338511429.000001C07AF13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2258441623.000001C083790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2328093790.000001C07B5F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122321368.000001C07ABF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309762217.000001C07B5E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50031 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e1d9ddb1-93e9-4a73-82e0-22625ed03d5d.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e1d9ddb1-93e9-4a73-82e0-22625ed03d5d.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KG1OIVVFHBUQU90GQA6N.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q1BJG0BERUVVRI6UH9B1.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre