Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543579
MD5:	434908e8890502c3474bd02af6f81c9e
SHA1:	59215a1b157616e996795b7cde809a9c9f45db0f
SHA256:	6716f4acee3a96a916714ddb4b602a4663b136f3d0930627a099e8392d263d20
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1056 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 434908E8890502C3474BD02AF6F81C9E)

taskkill.exe (PID: 6284 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5252 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2736 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1976 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7060 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5388 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5656 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6392 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6532 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9efe5bd-3818-4102-acc0-f131aa402c4d} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e02a6ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7184 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -parentBuildID 20230927232528 -prefsHandle 3744 -prefMapHandle 3808 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b0aaa9-ce77-4b53-9fb5-8079c51ca5b4} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e12fbca10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7724 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5052 -prefsLen 32965 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa83c025-9667-4496-beda-54bcdad7c984} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e16a48710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2270402786.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 1056	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8fd76e1f-2
Source: file.exe, 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9f27f516-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_551fd110-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7fedec59-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD75437 NtQuerySystemInformation,		18_2_000001D2CBD75437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD961F2 NtQuerySystemInformation,		18_2_000001D2CBD961F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA2046	0_2_00CA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38060	0_2_00C38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C98298	0_2_00C98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6E4FF	0_2_00C6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6676B	0_2_00C6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC4873	0_2_00CC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CAF0	0_2_00C3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5CAA0	0_2_00C5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CC39	0_2_00C4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C66DD9	0_2_00C66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C391C0	0_2_00C391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4B119	0_2_00C4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C51394	0_2_00C51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5781B	0_2_00C5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4997D	0_2_00C4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C37920	0_2_00C37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57A4A	0_2_00C57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57CA7	0_2_00C57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C69EEE	0_2_00C69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBBE44	0_2_00CBBE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD75437	18_2_000001D2CBD75437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD961F2	18_2_000001D2CBD961F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD9691C	18_2_000001D2CBD9691C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001D2CBD96232	18_2_000001D2CBD96232

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C39CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C4F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@75/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA37B5 GetLastError,FormatMessageW,

0_2_00CA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C910BF AdjustTokenPrivileges,CloseHandle,		0_2_00C910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399557422.0000016E1EDAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460159665.0000016E1CB7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9efe5bd-3818-4102-acc0-f131aa402c4d} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e02a6ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -parentBuildID 20230927232528 -prefsHandle 3744 -prefMapHandle 3808 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b0aaa9-ce77-4b53-9fb5-8079c51ca5b4} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e12fbca10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5052 -prefsLen 32965 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa83c025-9667-4496-beda-54bcdad7c984} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e16a48710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9efe5bd-3818-4102-acc0-f131aa402c4d} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e02a6ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -parentBuildID 20230927232528 -prefsHandle 3744 -prefMapHandle 3808 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b0aaa9-ce77-4b53-9fb5-8079c51ca5b4} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e12fbca10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5052 -prefsLen 32965 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa83c025-9667-4496-beda-54bcdad7c984} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e16a48710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2365569596.0000016E1F301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2368323140.0000016E125AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2364485627.0000016E125B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2367580256.0000016E125A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2368323140.0000016E125AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2364485627.0000016E125B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2366758819.0000016E1F301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2365569596.0000016E1F301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2367580256.0000016E125A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2366758819.0000016E1F301000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3A430 push FFFFFFA1h; ret		0_2_00C3A44E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50A76 push ecx; ret		0_2_00C50A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96788

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001D2CBD75437 rdtsc

18_2_000001D2CBD75437

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\file.exe TID: 6440	Thread sleep count: 95 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6440	Thread sleep count: 157 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6C2A2 FindFirstFileExW,	0_2_00C6C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA68EE FindFirstFileW,FindClose,	0_2_00CA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: firefox.exe, 00000013.00000002.3463663257.000002263805A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW .@8&
Source: firefox.exe, 00000010.00000002.3472252857.000001A916940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 00000012.00000002.3470119002.000001D2CBC60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: firefox.exe, 00000010.00000002.3464307274.000001A91609A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 00000010.00000002.3464307274.000001A91609A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3470119002.000001D2CBC60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3464118327.000001D2CB52A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3471281950.0000022638400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3470989381.000001A91651E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3470119002.000001D2CBC60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: firefox.exe, 00000012.00000002.3470119002.000001D2CBC60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: firefox.exe, 00000010.00000002.3472252857.000001A916940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001D2CBD75437 rdtsc

18_2_000001D2CBD75437

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAEAA2 BlockInput,

0_2_00CAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C90B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C509D5 SetUnhandledExceptionFilter,	0_2_00C509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C72BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9B226 SendInput,keybd_event,

0_2_00C9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CB22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2357357702.0000016E1F301000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C50698 cpuid

0_2_00C50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D27A GetUserNameW,

0_2_00C8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00C6B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2270402786.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1056, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2270402786.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1056, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	40%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.16.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.18.14	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://detectportal.firefox.com;	firefox.exe, 0000000E.00000003.2421423450.0000016E15F3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2464543194.0000016E15F3F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2463635595.0000016E1649E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463579186.0000016E164EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2418840205.0000016E164EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3465997201.000001D2CB7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.00000226383C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2409369398.0000016E12B98000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000013.00000002.3466725523.000002263838E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2464319537.0000016E16149000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/on	firefox.exe, 0000000E.00000003.2294866688.000030633A780000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2428858435.0000016E1AD97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2443444070.0000016E146D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2254765567.0000016E12800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254945428.0000016E12A10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255351568.0000016E12A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255150189.0000016E12A32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2396914469.0000016E1BFB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2427642269.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2460339541.0000016E1CB75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2416949332.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://accounts.googlr	firefox.exe, 00000013.00000002.3463663257.000002263805A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2402839626.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254765567.0000016E12800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2443444070.0000016E146D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307736408.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312294190.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309498575.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311378964.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254945428.0000016E12A10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255351568.0000016E12A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255150189.0000016E12A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382055438.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2420391967.0000016E164C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2429420041.0000016E164C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2254765567.0000016E12800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254945428.0000016E12A10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255150189.0000016E12A32000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2290608366.0000016E163B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2421423450.0000016E15F1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422913959.0000016E14F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2465870138.0000016E14E49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463748681.0000016E16470000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2464319537.0000016E16149000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000013.00000002.3465232395.0000022638130000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2396475064.0000016E1C28D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2416949332.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3465997201.000001D2CB70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.000002263830C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2346459229.0000016E1F23F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347383123.0000016E1F246000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2463635595.0000016E1649E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2463579186.0000016E164EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2418840205.0000016E164EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3465997201.000001D2CB7C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.00000226383C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2347643600.0000016E1F228000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346459229.0000016E1F22A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2390153314.0000016E14920000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315009806.0000016E14920000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2425966528.0000016E1EDF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2396914469.0000016E1BFB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2428858435.0000016E1ADA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2416949332.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000013.00000002.3466725523.0000022638313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2395785094.0000016E1C74C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3467090605.000001A916473000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2358036030.0000016E1442F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364007253.0000016E12DA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364007253.0000016E12DF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319171655.0000016E14789000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2421731985.0000016E15EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282261878.0000016E1C8DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312913318.0000016E14785000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287503947.0000016E1C887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317352340.0000016E1C8E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390153314.0000016E1491E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285976000.0000016E151DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358036030.0000016E144BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2432533482.0000016E14F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422913959.0000016E14FDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2430302455.0000016E15E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312913318.0000016E14764000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2413039357.0000016E12DBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389845977.0000016E14765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281675834.0000016E1C8E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259957719.0000016E12DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281331884.0000016E1C8E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2429420041.0000016E164AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2420391967.0000016E164B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2395785094.0000016E1C739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2395785094.0000016E1C739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2432533482.0000016E14F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422913959.0000016E14F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2462664539.0000016E1B13D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2396333736.0000016E1C293000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2430302455.0000016E15E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2421981082.0000016E15E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437629277.0000016E15E8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2351121402.0000016E1F24F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347643600.0000016E1F228000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347260304.0000016E1F245000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346459229.0000016E1F22A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346459229.0000016E1F23F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347383123.0000016E1F246000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2416949332.0000016E1ADF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2428458792.0000016E1B0B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2399557422.0000016E1EDAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2255150189.0000016E12A32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2396257333.0000016E1C2EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2402839626.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254765567.0000016E12800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2443444070.0000016E146D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307736408.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312294190.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309498575.0000016E14A51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311378964.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254945428.0000016E12A10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255351568.0000016E12A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255150189.0000016E12A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382055438.0000016E14A4E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2464319537.0000016E16149000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3466100035.000001A916260000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3465235613.000001D2CB590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3465851956.0000022638160000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://mozilla.org/S	firefox.exe, 0000000E.00000003.2294866688.000030633A780000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2346459229.0000016E1F23F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347383123.0000016E1F246000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.3467090605.000001A9164C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3465997201.000001D2CB7EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3471611302.0000022638504000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
http://mozilla.org/Z	firefox.exe, 0000000E.00000003.2294866688.000030633A780000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/	firefox.exe, 0000000E.00000003.2395785094.0000016E1C74C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000E.00000003.2416949332.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000E.00000003.2281431715.0000016E1AF94000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2428858435.0000016E1ADA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2416949332.0000016E1ADBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 00000010.00000002.3467090605.000001A9164C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3465997201.000001D2CB7EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3471611302.0000022638504000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
http://mozilla.org/h	firefox.exe, 0000000E.00000003.2294866688.000030633A780000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/complete/	firefox.exe, 0000000E.00000003.2428858435.0000016E1ADD2000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.114.113	unknown	United States	15169	GOOGLEUS	false
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
172.217.16.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543579
Start date and time:	2024-10-28 07:17:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@75/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.218.156.47, 52.32.18.233, 34.211.181.209, 142.250.185.202, 216.58.206.74, 216.58.206.46, 2.22.61.59, 2.22.61.57, 142.250.185.206
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:18:25	API Interceptor	1x Sleep call for process: firefox.exe modified
07:18:04	Task Scheduler	Run new task: {A1DF0BA8-F0FC-4DBF-9B4F-B33AC5A5CAFF} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	33.61.87.223
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	34.60.130.135
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.62.176.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	bin.sh.elf	Get hash	malicious	Mirai	Browse	48.14.246.45
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	33.61.87.223
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	34.60.130.135
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.62.176.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	bin.sh.elf	Get hash	malicious	Mirai	Browse	48.14.246.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.113 151.101.1.91 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f08c46bb-f207-4d48-a336-51a109eed8cb.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176268388826662
Encrypted:	false
SSDEEP:	192:nRBMXvbMcbhbVbTbfbRbObtbyEl7nfNYJA6unSrDtTkdxSofGt:RiQcNhnzFSJ/NL1nSrDhkdxk
MD5:	87F456535AEBC94A3FB288780FF1A83A
SHA1:	5DA7E950826BD974ABE376EC2600C998521B3FA9
SHA-256:	3D8F4103C973F31CFAD549BAF94FB922CA9F8667D3D801BB5F597F6BEF73097B
SHA-512:	1C0042E727426CB2ABA472AB320A5E777058BF802576DDD996F9BA0E5A4C49B44691F3A25B55A2F00A03E2A39A8DD3AD70793AF9FADF459B4D58C64A3904A87D
Malicious:	false
Preview:	{"type":"uninstall","id":"f08c46bb-f207-4d48-a336-51a109eed8cb","creationDate":"2024-10-28T07:40:01.253Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f08c46bb-f207-4d48-a336-51a109eed8cb.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176268388826662
Encrypted:	false
SSDEEP:	192:nRBMXvbMcbhbVbTbfbRbObtbyEl7nfNYJA6unSrDtTkdxSofGt:RiQcNhnzFSJ/NL1nSrDhkdxk
MD5:	87F456535AEBC94A3FB288780FF1A83A
SHA1:	5DA7E950826BD974ABE376EC2600C998521B3FA9
SHA-256:	3D8F4103C973F31CFAD549BAF94FB922CA9F8667D3D801BB5F597F6BEF73097B
SHA-512:	1C0042E727426CB2ABA472AB320A5E777058BF802576DDD996F9BA0E5A4C49B44691F3A25B55A2F00A03E2A39A8DD3AD70793AF9FADF459B4D58C64A3904A87D
Malicious:	false
Preview:	{"type":"uninstall","id":"f08c46bb-f207-4d48-a336-51a109eed8cb","creationDate":"2024-10-28T07:40:01.253Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932271246944599
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLOlq8P:gXiNFS+OcUGOdwiOdwBjkYLOlq8P
MD5:	53EB163BE17E0C65174B5DB380F750FA
SHA1:	8E8604E454DF7800BC36D499414EE707E06C1687
SHA-256:	D68C409449A4C878D996BAF566C9483BC867B872C18863001AB591A937502AB0
SHA-512:	D7B80761A46525BCBDC51934393473443CD9AC85DA7F0EBFDE8696E15FBA0EF746401D72B6DBD595AABCF81A5F23D7A6679AE63CE52A0BAEC67304FB45086F4E
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932271246944599
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLOlq8P:gXiNFS+OcUGOdwiOdwBjkYLOlq8P
MD5:	53EB163BE17E0C65174B5DB380F750FA
SHA1:	8E8604E454DF7800BC36D499414EE707E06C1687
SHA-256:	D68C409449A4C878D996BAF566C9483BC867B872C18863001AB591A937502AB0
SHA-512:	D7B80761A46525BCBDC51934393473443CD9AC85DA7F0EBFDE8696E15FBA0EF746401D72B6DBD595AABCF81A5F23D7A6679AE63CE52A0BAEC67304FB45086F4E
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki5:DLhesh7Owd4+ji
MD5:	7E72B58B0FDC8D1084B8AD15AA9492F3
SHA1:	363DF26C1B4008183F87D175751DC94E43A4475C
SHA-256:	5DF193EEC1837555DE0476496C19AEB70E08012B6DABD7D1C0CDD4F22AC74E11
SHA-512:	848E9D04F606BDCC4E89B9BE0C74B3F429009B85FC4A59727D1399CEBA04FCD181D82715EEEDFAA3233CB4A8482FE21A5D209608169425A39636EBBF72D260F6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFFKuRVR4lstFFKuRVJ1T89//alEl:GtWtquRb4WtquRDZ89XuM
MD5:	629AA4663F627203F32829224518C968
SHA1:	0B8C11B4A6311BF11E2F036BDCA65D4CC68D1F67
SHA-256:	517DD5109F5944783EF79A17656A5828E3691EEE752D61A36D919DB77456DA16
SHA-512:	E2C65F5D4CA9FA88804F114C4D6A63B9085948BB6AE56BF3FF82C10FF4AD317D3AF8AB86CB40F8E03935B4BD98360D11341F4ED48301F7ED350B129CD157A4A3
Malicious:	false
Preview:	..-..........................~y.....t...`..0:~..-..........................~y.....t...`..0:~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034901160083758986
Encrypted:	false
SSDEEP:	3:Ol1xHNlo3Bcwlga5SrV//mwl8XW3R2:KNSMJpuw93w
MD5:	935D796A35FAAEA01392F45F99C3F489
SHA1:	2FE1B82975B0A3A3BB1BA2B4B90719DCBF0B35B6
SHA-256:	8955E71835047DDD0D5E6CC15018EB815BC28D033EE05BA687DC92C6D201BB62
SHA-512:	431A32D91C2E3CAAB52DF8CD43CB991CB2190CB2DCA367A22A795E77A6C7A5F86884DDC13751FC013EB3513171932431D358A1F6F159134AE6A92D7346B2661E
Malicious:	false
Preview:	7....-...............t...h..RBk..............t.....y~..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.464367568693136
Encrypted:	false
SSDEEP:	192:FnTFTRRUYbBp6OLZNMGaXa6qU4+Zzy+/3/7OVV5RYiNBw8dbSl:lKezFNMlpFyC2dwg0
MD5:	D763B37A4529656CA35CA70705E5086D
SHA1:	EECD57C3F87E993289E885B4B651E25F4179AE92
SHA-256:	3DBD6FA651A3457FE38BD8FA422836378638A91E9EB6CA676EF9B44678C6B4D4
SHA-512:	7CC3750907A4144A96EF2CB58CE400F37A0B3FFC3A90777D58E8F5BDD8F247AFA155BECB0F5C56B9648409E4F7E9A860C194379AB5156BD0C7FA6AB0466810F2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730101171);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730101171);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730101171);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173010

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.464367568693136
Encrypted:	false
SSDEEP:	192:FnTFTRRUYbBp6OLZNMGaXa6qU4+Zzy+/3/7OVV5RYiNBw8dbSl:lKezFNMlpFyC2dwg0
MD5:	D763B37A4529656CA35CA70705E5086D
SHA1:	EECD57C3F87E993289E885B4B651E25F4179AE92
SHA-256:	3DBD6FA651A3457FE38BD8FA422836378638A91E9EB6CA676EF9B44678C6B4D4
SHA-512:	7CC3750907A4144A96EF2CB58CE400F37A0B3FFC3A90777D58E8F5BDD8F247AFA155BECB0F5C56B9648409E4F7E9A860C194379AB5156BD0C7FA6AB0466810F2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730101171);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730101171);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730101171);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173010

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.33183615989063
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSnUiLXnIg2/pnxQwRlszT5sKL0eV3eHVvwKXTkamhujJmyOOxmOmaR:GUpOxeUi2nR613eNwCTk4JNKRh4
MD5:	3972BDE5957B15F9C3938E3FC2EFDDDF
SHA1:	891C1CCD5899CCA5447B218D3B76E807378E67CE
SHA-256:	2099960ECC34BA7B4F2F0663775D6952943B98C4E51950883D3BDDD3AA5D652B
SHA-512:	0E0784CD5DCFDC8B243E4DF780DAD1A5B932D9732C449EABD4EFC85AA70B0A707C5A4F218891763714679B3D8F353368EB3AB6EC33CA0D5BD503895F3BBFBA7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1da3bd77-cbc6-4f3f-ab79-a67214b4b054}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730101175285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P41013...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...45131,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.33183615989063
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSnUiLXnIg2/pnxQwRlszT5sKL0eV3eHVvwKXTkamhujJmyOOxmOmaR:GUpOxeUi2nR613eNwCTk4JNKRh4
MD5:	3972BDE5957B15F9C3938E3FC2EFDDDF
SHA1:	891C1CCD5899CCA5447B218D3B76E807378E67CE
SHA-256:	2099960ECC34BA7B4F2F0663775D6952943B98C4E51950883D3BDDD3AA5D652B
SHA-512:	0E0784CD5DCFDC8B243E4DF780DAD1A5B932D9732C449EABD4EFC85AA70B0A707C5A4F218891763714679B3D8F353368EB3AB6EC33CA0D5BD503895F3BBFBA7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1da3bd77-cbc6-4f3f-ab79-a67214b4b054}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730101175285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P41013...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...45131,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.33183615989063
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSnUiLXnIg2/pnxQwRlszT5sKL0eV3eHVvwKXTkamhujJmyOOxmOmaR:GUpOxeUi2nR613eNwCTk4JNKRh4
MD5:	3972BDE5957B15F9C3938E3FC2EFDDDF
SHA1:	891C1CCD5899CCA5447B218D3B76E807378E67CE
SHA-256:	2099960ECC34BA7B4F2F0663775D6952943B98C4E51950883D3BDDD3AA5D652B
SHA-512:	0E0784CD5DCFDC8B243E4DF780DAD1A5B932D9732C449EABD4EFC85AA70B0A707C5A4F218891763714679B3D8F353368EB3AB6EC33CA0D5BD503895F3BBFBA7E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1da3bd77-cbc6-4f3f-ab79-a67214b4b054}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730101175285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P41013...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...45131,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0092823559562465
Encrypted:	false
SSDEEP:	48:YrSAYhHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ychCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	424206F985A9551367F785A8744C46D1
SHA1:	01F73FFFD7773CC0F514BB8C806F9259EE384609
SHA-256:	3C0BA01C76CED03CB79AEC006F28A5F7D1ED89AA43B9310B318A55EA6F946083
SHA-512:	E78843ED7F6C6BBC22AD7D7F26B4BF35084E6687E6F71D4C6140F082CC91C1FF3E8299D0DB1BE15B0F3E72DFE1FA9E918205FB3DBC5025DB1F2B7705937E60B0
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T07:39:15.044Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0092823559562465
Encrypted:	false
SSDEEP:	48:YrSAYhHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ychCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	424206F985A9551367F785A8744C46D1
SHA1:	01F73FFFD7773CC0F514BB8C806F9259EE384609
SHA-256:	3C0BA01C76CED03CB79AEC006F28A5F7D1ED89AA43B9310B318A55EA6F946083
SHA-512:	E78843ED7F6C6BBC22AD7D7F26B4BF35084E6687E6F71D4C6140F082CC91C1FF3E8299D0DB1BE15B0F3E72DFE1FA9E918205FB3DBC5025DB1F2B7705937E60B0
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T07:39:15.044Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584662062127835
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	434908e8890502c3474bd02af6f81c9e
SHA1:	59215a1b157616e996795b7cde809a9c9f45db0f
SHA256:	6716f4acee3a96a916714ddb4b602a4663b136f3d0930627a099e8392d263d20
SHA512:	d2f84d74b7f6dd6a173065f89e136988d8cb79e519bd92e01484f2002a6d097af25f1335f06eed204438e3ead14045e83b4cfa306912de24f59ecc8b0e173add
SSDEEP:	12288:DqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TA:DqDEvCTbMWu7rQYlBQcBiT6rprG8abA
TLSH:	A4159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671F2A69 [Mon Oct 28 06:08:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F42F8D2A753h
jmp 00007F42F8D2A05Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F42F8D2A23Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F42F8D2A20Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F42F8D2CDFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F42F8D2CE48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F42F8D2CE31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	ffc72132f7db19789775feb7320d5101	False	0.3156398338607595	data	5.373417590636384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 07:18:22.478174925 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:22.478215933 CET	443	49741	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:22.478710890 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:22.479571104 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:22.484165907 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:22.484673023 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:22.484688044 CET	443	49741	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:22.488995075 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:22.489499092 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:22.489721060 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.489785910 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:22.489830017 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.489872932 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:22.489914894 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.491369963 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.491404057 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:22.491498947 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.492923975 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:22.492944002 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:22.494967937 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:22.906548023 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:22.906582117 CET	443	49750	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:22.909817934 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:22.911346912 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:22.911364079 CET	443	49750	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.085187912 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.092236042 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.092319012 CET	443	49751	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.092777014 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.094511032 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.094542027 CET	443	49751	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.107743025 CET	443	49741	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:23.108721018 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:23.118135929 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:23.118149042 CET	443	49741	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:23.118299007 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:23.118491888 CET	443	49741	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:23.124058962 CET	49741	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:23.124974012 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.125009060 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.125338078 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.125451088 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.125463963 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.150693893 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.537540913 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.557504892 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.561167002 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.562066078 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:23.562098980 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:23.562618017 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:23.562880993 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:23.562896013 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:23.563158989 CET	443	49750	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.563260078 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.565186977 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.565448999 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.566189051 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.566531897 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.566740990 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.566782951 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.568334103 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.570622921 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.570631981 CET	443	49750	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.570766926 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.570815086 CET	443	49750	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.571228981 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.571261883 CET	443	49755	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.572568893 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.573257923 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.573263884 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.573358059 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.573509932 CET	443	49743	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.573565006 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.573590994 CET	49750	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.573627949 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.573735952 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.573795080 CET	49743	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.573894978 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.573894978 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.573909998 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.584353924 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.584368944 CET	443	49755	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.588534117 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.588547945 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.588596106 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.589802027 CET	443	49744	172.217.16.142	192.168.2.6
Oct 28, 2024 07:18:23.590277910 CET	49744	443	192.168.2.6	172.217.16.142
Oct 28, 2024 07:18:23.677043915 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.697141886 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.713860989 CET	443	49751	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.714601040 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.729652882 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.729666948 CET	443	49751	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.729832888 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.729949951 CET	443	49751	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.730268955 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.730531931 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.730565071 CET	443	49757	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.732897043 CET	49751	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.732983112 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.734894037 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:23.734910011 CET	443	49757	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:23.746253967 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:23.749695063 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.749897957 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.753488064 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.753499031 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.753876925 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.756057978 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.756179094 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.756261110 CET	443	49752	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:23.757811069 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.757867098 CET	49752	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:23.948723078 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:23.954010010 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.206027985 CET	49764	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.268265009 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.879961014 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.920056105 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.920119047 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.920248032 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.920295954 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.920670033 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.920713902 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.921035051 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.921077967 CET	49753	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.923522949 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.923537016 CET	80	49764	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.923563004 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.923573971 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.923583031 CET	80	49742	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.923620939 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.923851967 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.923882008 CET	49764	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.924000978 CET	49742	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:24.925745010 CET	443	49757	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.926284075 CET	443	49755	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.927079916 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.927093029 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.930632114 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.930713892 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.930778027 CET	80	49753	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.930936098 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:24.933012009 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:24.933412075 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.936800957 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.936827898 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:24.937361002 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:24.937949896 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.937983036 CET	443	49755	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.938122988 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.938146114 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.938162088 CET	443	49757	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.938272953 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.938407898 CET	443	49757	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.938476086 CET	443	49755	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:24.940015078 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.940124989 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.940226078 CET	443	49754	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:24.940532923 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.940546989 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:24.940884113 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.940917015 CET	49755	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.940917969 CET	49757	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:24.940980911 CET	49754	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.941000938 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.941138029 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:24.941143036 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:25.135467052 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.135551929 CET	443	49767	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.135972977 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:25.141334057 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:25.141702890 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.141871929 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:25.143747091 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.143779039 CET	443	49767	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.143870115 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:25.149207115 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:25.515450954 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:25.541770935 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:25.541846037 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:25.545747995 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:25.545761108 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:25.546122074 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:25.548960924 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:25.549057007 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:25.549160004 CET	443	49766	34.160.144.191	192.168.2.6
Oct 28, 2024 07:18:25.549245119 CET	49766	443	192.168.2.6	34.160.144.191
Oct 28, 2024 07:18:25.557775021 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:25.746118069 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:25.767061949 CET	443	49767	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.769232035 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.776202917 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.776223898 CET	443	49767	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.776376009 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.776825905 CET	443	49767	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.776904106 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.776941061 CET	443	49774	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.776984930 CET	49767	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.777100086 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.779042006 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:25.779053926 CET	443	49774	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:25.792159081 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:26.419995070 CET	443	49774	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:26.420082092 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:26.425790071 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:26.425797939 CET	443	49774	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:26.425900936 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:26.426007032 CET	443	49774	34.117.188.166	192.168.2.6
Oct 28, 2024 07:18:26.426059008 CET	49774	443	192.168.2.6	34.117.188.166
Oct 28, 2024 07:18:26.503274918 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:26.508709908 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:26.577152967 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:26.582490921 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:26.626807928 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:26.683335066 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:26.705630064 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:26.761471987 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:28.966691017 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:28.972153902 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:29.002239943 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.002286911 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.004303932 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.004740000 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.004756927 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.040817022 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.040848017 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.051220894 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.058490992 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.058506012 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.090060949 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:29.135802031 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:29.588655949 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:29.588695049 CET	443	49798	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:29.589490891 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:29.591017962 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:29.591037035 CET	443	49798	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:29.615350962 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.615451097 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.618541956 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.618550062 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.618829966 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.620964050 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.621053934 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.621120930 CET	443	49791	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:29.621244907 CET	49791	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:29.664407015 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.664428949 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.673137903 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.678415060 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.678426981 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.678584099 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.678875923 CET	443	49792	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.693062067 CET	49792	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.741375923 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:29.746798038 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:29.763077974 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.763117075 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.773644924 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.775500059 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:29.775517941 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:29.820816040 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:29.820868015 CET	443	49800	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:29.820936918 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:29.822390079 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:29.822406054 CET	443	49800	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:29.868336916 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:29.930262089 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:30.030827045 CET	49764	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:30.036513090 CET	80	49764	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:30.036900997 CET	49764	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:30.205303907 CET	443	49798	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:30.205421925 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:30.234630108 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:30.234652042 CET	443	49798	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:30.234723091 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:30.234942913 CET	443	49798	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:30.235255957 CET	49798	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:30.401432037 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:30.401470900 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:30.401547909 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:30.428442001 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:30.428462029 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:30.428659916 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:30.429040909 CET	443	49799	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:30.429191113 CET	49799	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:30.450813055 CET	443	49800	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:30.455332994 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:30.498878956 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:30.498894930 CET	443	49800	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:30.498991013 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:30.499464989 CET	443	49800	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:30.499530077 CET	49800	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:33.441493988 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:33.441507101 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:33.451422930 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:33.452056885 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:33.452069998 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:33.602077007 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:33.607564926 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:33.621057987 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:33.623642921 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:33.623722076 CET	443	49824	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:33.626519918 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:33.626769066 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:33.628241062 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:33.628268003 CET	443	49824	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:33.727921009 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:33.747653008 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:33.782279968 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:33.798002005 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:34.061764956 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:34.061804056 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:34.061872959 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:34.095472097 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:34.095495939 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:34.095571041 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:34.096098900 CET	443	49818	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:34.096210957 CET	49818	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:34.231077909 CET	443	49824	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:34.231168985 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:34.235493898 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:34.235503912 CET	443	49824	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:34.235594988 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:34.235764980 CET	443	49824	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:34.236623049 CET	49824	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:34.298796892 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:34.304233074 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:34.422333002 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:34.468735933 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:34.588510990 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:34.596318007 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.103648901 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.103699923 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.103820086 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.103899956 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.107388020 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.107407093 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.107572079 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.107587099 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.107708931 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.107727051 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.163995028 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.164032936 CET	443	49832	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.164232969 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.165859938 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.165874004 CET	443	49832	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.207788944 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.208208084 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.208362103 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:35.208831072 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.208884001 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:35.687767982 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:35.693106890 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.809726954 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.809751034 CET	443	49832	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.809820890 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.810376883 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.811079979 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:35.813704967 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.813715935 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.813945055 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.818355083 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.818451881 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.818509102 CET	443	49830	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.818571091 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.818584919 CET	443	49832	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.818659067 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.818964005 CET	49830	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.820615053 CET	443	49832	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.820702076 CET	49832	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.825154066 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:35.825226068 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:35.857242107 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:36.288928986 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.288954020 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.289908886 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.291363955 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.291893005 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.292052984 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.292063951 CET	443	49831	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.295698881 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.295722961 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.296060085 CET	49831	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.300198078 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:36.305604935 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:36.426600933 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:36.474690914 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:36.854079962 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.854121923 CET	443	49843	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.855515957 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.857093096 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:36.857108116 CET	443	49843	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:36.858903885 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:36.864233017 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:36.982542038 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:37.023085117 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:37.456857920 CET	443	49843	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:37.456971884 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.740186930 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.740209103 CET	443	49843	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:37.740266085 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.740555048 CET	443	49843	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:37.742696047 CET	49843	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.755357981 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:37.760020971 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.760092974 CET	443	49849	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:37.760204077 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.760700941 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:37.761666059 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:37.761725903 CET	443	49849	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:37.882172108 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:37.947843075 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.364018917 CET	443	49849	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:38.364097118 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:38.405618906 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:38.405643940 CET	443	49849	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:38.405755043 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:38.405913115 CET	443	49849	34.120.208.123	192.168.2.6
Oct 28, 2024 07:18:38.406361103 CET	49849	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:18:38.499250889 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.504105091 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.505331993 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.510225058 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.622565031 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.630582094 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.665616035 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.681230068 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.778394938 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:38.783787966 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.795646906 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:38.795677900 CET	443	49856	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:38.795799017 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:38.797588110 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:38.797605991 CET	443	49856	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:38.903378010 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:38.950864077 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:39.413886070 CET	443	49856	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:39.413997889 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:39.418165922 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:39.418176889 CET	443	49856	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:39.418281078 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:39.418410063 CET	443	49856	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:39.419374943 CET	49856	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:39.421523094 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:39.428829908 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:39.551080942 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:39.555100918 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:39.560389042 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:39.599525928 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:39.678848982 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:39.731035948 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:49.551563978 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:49.689656019 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:49.709677935 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:49.709693909 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:49.819564104 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:49.819613934 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:49.820575953 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:49.820703030 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:49.820713997 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:49.825001001 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:49.825037956 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:49.825618982 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:49.825654030 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:49.825738907 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:49.825891018 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:49.825906992 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:49.826149940 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:49.826288939 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:49.826306105 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:49.831114054 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:49.831140995 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:49.831232071 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:49.832667112 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:49.832679987 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:49.839837074 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:49.839879036 CET	443	50296	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:49.842186928 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:49.843699932 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:49.843714952 CET	443	50296	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:49.865933895 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:49.865979910 CET	443	50297	35.201.103.21	192.168.2.6
Oct 28, 2024 07:18:49.868357897 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:49.869874001 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:49.869889975 CET	443	50297	35.201.103.21	192.168.2.6
Oct 28, 2024 07:18:50.419867039 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.420062065 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.423271894 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.423280001 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.423633099 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.426290989 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.426407099 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.426600933 CET	443	50292	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.426954031 CET	50292	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.434245110 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:50.439239979 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.439331055 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.439454079 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:50.439516068 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:50.439677954 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:50.442466974 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.442475080 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.443423033 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.446696043 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.446794987 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.446934938 CET	443	50293	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.447223902 CET	50293	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.447448015 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:50.447458029 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:50.447638035 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:50.447638988 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:50.447653055 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:50.469424009 CET	443	50296	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:50.469638109 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:50.472040892 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:50.472127914 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:50.474694014 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:50.474706888 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:50.475224018 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:50.477133036 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:50.477138996 CET	443	50296	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:50.477232933 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:50.477622032 CET	443	50296	35.190.72.216	192.168.2.6
Oct 28, 2024 07:18:50.477931023 CET	50296	443	192.168.2.6	35.190.72.216
Oct 28, 2024 07:18:50.478147984 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:50.478148937 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:50.478354931 CET	443	50294	151.101.1.91	192.168.2.6
Oct 28, 2024 07:18:50.478568077 CET	50294	443	192.168.2.6	151.101.1.91
Oct 28, 2024 07:18:50.481990099 CET	443	50297	35.201.103.21	192.168.2.6
Oct 28, 2024 07:18:50.485651016 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:50.488686085 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.488728046 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.489038944 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.489134073 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.489140034 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.490087032 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:50.490093946 CET	443	50297	35.201.103.21	192.168.2.6
Oct 28, 2024 07:18:50.490163088 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:50.490255117 CET	443	50297	35.201.103.21	192.168.2.6
Oct 28, 2024 07:18:50.492021084 CET	50297	443	192.168.2.6	35.201.103.21
Oct 28, 2024 07:18:50.492628098 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.492656946 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.493221998 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.493457079 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.493470907 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.495780945 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.495799065 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.496702909 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.496803045 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:50.496809006 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:50.504925966 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.504944086 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.505055904 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.505158901 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:50.505167007 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:50.560899973 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:50.565391064 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:50.570713043 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:50.607914925 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:50.659337044 CET	443	50295	34.107.243.93	192.168.2.6
Oct 28, 2024 07:18:50.660235882 CET	50295	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:18:50.688682079 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:50.739445925 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.100114107 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.100200891 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.103419065 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.103427887 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.103677034 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.105681896 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.105737925 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.105842113 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.105901003 CET	443	50303	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.108272076 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.108288050 CET	50303	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.108308077 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.111659050 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.111673117 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.111920118 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.114062071 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.114156008 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.114245892 CET	443	50302	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.114346981 CET	50302	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.116686106 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.122059107 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.132813931 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.132945061 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.135603905 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.135615110 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.136032104 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.138465881 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.138515949 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.138662100 CET	443	50304	35.244.181.201	192.168.2.6
Oct 28, 2024 07:18:51.138899088 CET	50304	443	192.168.2.6	35.244.181.201
Oct 28, 2024 07:18:51.146950960 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:51.148724079 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:51.151750088 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:51.151772022 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:51.152093887 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:51.154655933 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:51.154748917 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:51.155044079 CET	443	50305	34.149.100.209	192.168.2.6
Oct 28, 2024 07:18:51.156263113 CET	50305	443	192.168.2.6	34.149.100.209
Oct 28, 2024 07:18:51.243421078 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.247195959 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.252612114 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.284586906 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.370558977 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.425873995 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.750588894 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.755937099 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.877193928 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.880852938 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:51.886244059 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:51.927347898 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:52.321563005 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:52.322094917 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:52.322673082 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:53.730350971 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:53.730387926 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:53.730494022 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:53.730707884 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:53.730724096 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.346504927 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.346853971 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.347142935 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.347215891 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.351922035 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.351941109 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.352258921 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.355886936 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.355998039 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.356050014 CET	443	53345	142.250.114.113	192.168.2.6
Oct 28, 2024 07:18:54.359529018 CET	53345	443	192.168.2.6	142.250.114.113
Oct 28, 2024 07:18:54.362510920 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:54.367865086 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:54.488811016 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:54.496345043 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:54.501846075 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:54.535059929 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:18:54.619987965 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:18:54.666588068 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:04.503182888 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:04.634721994 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:05.479588032 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:05.479603052 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:10.458748102 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:10.458780050 CET	443	53428	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:10.459278107 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:10.460737944 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:10.460752964 CET	443	53428	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:11.064940929 CET	443	53428	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:11.065016985 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:11.071706057 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:11.071727037 CET	443	53428	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:11.071844101 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:11.071922064 CET	443	53428	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:11.072103977 CET	53428	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:11.075201988 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:11.080499887 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:11.201883078 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:11.205718040 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:11.211580992 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:11.254472971 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:11.329495907 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:11.370371103 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:19.578294039 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.578314066 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.578594923 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.578634024 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.578880072 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.578891039 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.579152107 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.579160929 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.580189943 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580203056 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580219030 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580228090 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580394983 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580409050 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.580542088 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580558062 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.580634117 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580643892 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.580701113 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.580713034 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.593302965 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.593312979 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.593482018 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.593494892 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.605515957 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.605559111 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.605846882 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.605859041 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:19.605974913 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:19.605997086 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.387561083 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.387643099 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.390081882 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.390561104 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391279936 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391299009 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391346931 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.391359091 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391467094 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391485929 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391684055 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.391937017 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.392082930 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.392085075 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.392323971 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.394423008 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.394428968 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.394530058 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.394736052 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.394774914 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.398407936 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.398412943 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.398830891 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.401668072 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.401674986 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.402072906 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.404820919 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.404827118 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.405203104 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.407862902 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.407871008 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.408776999 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.415700912 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.415935993 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.420059919 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.420082092 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.420622110 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.420658112 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.421813011 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.421974897 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.422074080 CET	443	53436	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.422736883 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.422760010 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.423165083 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.423686028 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.423705101 CET	443	53438	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.425435066 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.425519943 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.425735950 CET	443	53439	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.427397966 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.427494049 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.427582979 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.427612066 CET	443	53441	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.427671909 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.428028107 CET	443	53440	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.433132887 CET	53436	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433150053 CET	53438	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433155060 CET	53439	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433175087 CET	53441	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433187962 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433190107 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433485031 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433501959 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.433562040 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.433574915 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.438604116 CET	53440	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.467917919 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:20.473309994 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:20.594796896 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:20.627341032 CET	443	53437	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:20.627409935 CET	53437	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:20.635236025 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:20.640661001 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:20.653702974 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:20.759401083 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:20.816504955 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:21.046207905 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.046250105 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.046415091 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.049571037 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.049587011 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.049911022 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.052719116 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.052839994 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.052917957 CET	443	53442	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.053014040 CET	53442	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.059432030 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.059467077 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.059638977 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.062571049 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.062577963 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.063638926 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.065387011 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.065530062 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.065825939 CET	443	53443	34.120.208.123	192.168.2.6
Oct 28, 2024 07:19:21.066667080 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.066680908 CET	53443	443	192.168.2.6	34.120.208.123
Oct 28, 2024 07:19:21.163167953 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:21.400670052 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:21.520494938 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:21.523680925 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:21.529109955 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:21.572010040 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:21.647089005 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:21.687900066 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:31.532138109 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:31.537549019 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:31.648061037 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:31.653670073 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:41.558461905 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:41.564142942 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:41.658899069 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:41.664218903 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:51.566113949 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:51.571523905 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:51.666481972 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:51.671967030 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:51.732764006 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:51.732796907 CET	443	53445	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:51.733268023 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:51.734780073 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:51.734790087 CET	443	53445	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:52.342410088 CET	443	53445	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:52.342557907 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:52.349653959 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:52.349668980 CET	443	53445	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:52.349812031 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:52.349875927 CET	443	53445	34.107.243.93	192.168.2.6
Oct 28, 2024 07:19:52.350946903 CET	53445	443	192.168.2.6	34.107.243.93
Oct 28, 2024 07:19:52.353491068 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:52.358851910 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:52.480669022 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:52.485301971 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:52.491424084 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:52.521876097 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:19:52.609818935 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:19:52.653398037 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:02.481118917 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:02.486531973 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:20:02.619374037 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:02.625061035 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:20:12.495831966 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:12.501240015 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:20:12.627490997 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:12.632812023 CET	80	49763	34.107.221.82	192.168.2.6
Oct 28, 2024 07:20:22.501739979 CET	49768	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:22.507136106 CET	80	49768	34.107.221.82	192.168.2.6
Oct 28, 2024 07:20:22.638341904 CET	49763	80	192.168.2.6	34.107.221.82
Oct 28, 2024 07:20:22.643815041 CET	80	49763	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 07:18:22.458853960 CET	62847	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.458996058 CET	54230	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.467885971 CET	53	54230	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.479288101 CET	51324	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.480581999 CET	51863	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.487040043 CET	53	51324	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.488466978 CET	53	51863	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.489984035 CET	61110	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.490411997 CET	52467	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.494283915 CET	62316	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.497303963 CET	53	61110	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.498188019 CET	63564	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.498790026 CET	53	52467	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.503670931 CET	53	62316	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.506916046 CET	53	63564	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.894568920 CET	55327	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.902729034 CET	53	55327	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.907107115 CET	50416	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.914658070 CET	53	50416	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:22.924350977 CET	63246	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:22.931922913 CET	53	63246	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.084168911 CET	52546	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.091450930 CET	53	52546	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.092719078 CET	63834	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.101430893 CET	53	63834	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.118994951 CET	64523	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.125278950 CET	60783	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.126430035 CET	53	64523	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.133291960 CET	53	60783	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.157978058 CET	61062	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.165816069 CET	53	61062	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.295037985 CET	59717	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.296387911 CET	61875	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.321980953 CET	58023	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.534621000 CET	49231	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.559048891 CET	53	61875	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.559256077 CET	53	49231	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.559633017 CET	53	59717	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.562680960 CET	62586	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.571278095 CET	53	62586	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.574457884 CET	50356	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.581832886 CET	53	50356	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:23.696623087 CET	53748	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:23.743201971 CET	53	49909	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:28.970858097 CET	57158	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:28.978213072 CET	53	57158	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:28.980401039 CET	52755	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:28.988523960 CET	53	52755	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.002182007 CET	53079	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.009444952 CET	59275	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.009644032 CET	53	53079	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.017067909 CET	53	59275	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.030297041 CET	53008	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.031296968 CET	63619	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.038199902 CET	53	53008	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.038829088 CET	53	63619	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.057784081 CET	63068	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.058305979 CET	64352	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.065454960 CET	53	63068	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.065707922 CET	53	64352	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.066329956 CET	64813	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.073513985 CET	53	64813	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.760425091 CET	53990	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.768140078 CET	53	53990	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.821069956 CET	65412	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.829040051 CET	53	65412	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:29.830375910 CET	52862	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:29.838254929 CET	53	52862	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:33.629947901 CET	61928	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:33.637489080 CET	53	61928	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:36.960480928 CET	59249	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:36.960774899 CET	53958	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:36.961376905 CET	62082	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:36.967787981 CET	53	59249	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:36.967848063 CET	53	53958	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:36.969738960 CET	53	62082	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.736016035 CET	49764	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.736695051 CET	51897	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.743415117 CET	53	49764	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.744036913 CET	53	51897	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.752856970 CET	50328	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.752856970 CET	59603	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.753133059 CET	62659	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.760185003 CET	53	50328	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.761106014 CET	53	59603	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.761259079 CET	53	62659	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.762664080 CET	54083	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.764059067 CET	53654	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.764424086 CET	50600	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.770071030 CET	53	54083	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.770692110 CET	61309	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.771581888 CET	53	50600	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.772257090 CET	53	53654	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.772321939 CET	57392	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.778774023 CET	53	61309	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.779365063 CET	51537	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.779583931 CET	53	57392	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.780133963 CET	49903	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:37.787117958 CET	53	51537	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:37.787797928 CET	53	49903	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:38.795221090 CET	60617	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:38.803710938 CET	53	60617	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:38.804968119 CET	63634	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:38.813366890 CET	53	63634	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:45.781094074 CET	53	53843	162.159.36.2	192.168.2.6
Oct 28, 2024 07:18:46.406799078 CET	57900	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:46.417047024 CET	53	57900	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.816853046 CET	54019	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.822863102 CET	64936	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.823936939 CET	53	54019	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.824913979 CET	52596	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.826287985 CET	58538	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.829993963 CET	53	64936	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.832437992 CET	53	52596	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.833295107 CET	63491	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.833972931 CET	51845	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.834225893 CET	53	58538	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.834723949 CET	52998	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.840620995 CET	53	63491	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.841233015 CET	53	51845	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.842168093 CET	53	52998	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.846971035 CET	59354	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.854517937 CET	53	59354	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.866625071 CET	62343	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.874469042 CET	53	62343	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:49.886398077 CET	62151	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:49.893655062 CET	53	62151	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:50.434657097 CET	59777	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:50.446168900 CET	59494	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:50.453442097 CET	53	59494	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:50.454142094 CET	59756	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:50.461230040 CET	53	59756	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:50.563304901 CET	55875	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:50.563304901 CET	64240	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:18:50.570903063 CET	53	64240	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:50.571230888 CET	53	55875	1.1.1.1	192.168.2.6
Oct 28, 2024 07:18:53.124831915 CET	53	58249	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:10.459228039 CET	57325	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:19:10.466528893 CET	53	57325	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:19.577327967 CET	50081	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:19:19.585604906 CET	53	50081	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:19.586220026 CET	57709	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:19:19.593332052 CET	53	57709	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:51.724028111 CET	54220	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:19:51.731493950 CET	53	54220	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:51.732918978 CET	53534	53	192.168.2.6	1.1.1.1
Oct 28, 2024 07:19:51.740209103 CET	53	53534	1.1.1.1	192.168.2.6
Oct 28, 2024 07:19:52.353802919 CET	59621	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 07:18:22.458853960 CET	192.168.2.6	1.1.1.1	0xcf3b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.458996058 CET	192.168.2.6	1.1.1.1	0x631a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.479288101 CET	192.168.2.6	1.1.1.1	0xca7c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.480581999 CET	192.168.2.6	1.1.1.1	0xf8f5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.489984035 CET	192.168.2.6	1.1.1.1	0x421a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.490411997 CET	192.168.2.6	1.1.1.1	0x431b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:22.494283915 CET	192.168.2.6	1.1.1.1	0x6856	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:22.498188019 CET	192.168.2.6	1.1.1.1	0x8d58	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:22.894568920 CET	192.168.2.6	1.1.1.1	0x6971	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.907107115 CET	192.168.2.6	1.1.1.1	0x8aae	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.924350977 CET	192.168.2.6	1.1.1.1	0x1194	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:23.084168911 CET	192.168.2.6	1.1.1.1	0xdb00	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.092719078 CET	192.168.2.6	1.1.1.1	0xfc4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.118994951 CET	192.168.2.6	1.1.1.1	0x9c3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:23.125278950 CET	192.168.2.6	1.1.1.1	0xd907	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.157978058 CET	192.168.2.6	1.1.1.1	0xbd11	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:23.295037985 CET	192.168.2.6	1.1.1.1	0xde25	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.296387911 CET	192.168.2.6	1.1.1.1	0xab3f	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.321980953 CET	192.168.2.6	1.1.1.1	0x7ec3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.534621000 CET	192.168.2.6	1.1.1.1	0x76e3	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.562680960 CET	192.168.2.6	1.1.1.1	0x9d7d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.574457884 CET	192.168.2.6	1.1.1.1	0x58ac	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:23.696623087 CET	192.168.2.6	1.1.1.1	0x2cf8	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:28.970858097 CET	192.168.2.6	1.1.1.1	0x9540	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:28.980401039 CET	192.168.2.6	1.1.1.1	0x50c8	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.002182007 CET	192.168.2.6	1.1.1.1	0xc44a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:29.009444952 CET	192.168.2.6	1.1.1.1	0x9ea3	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.030297041 CET	192.168.2.6	1.1.1.1	0xf16b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.031296968 CET	192.168.2.6	1.1.1.1	0x728a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:29.057784081 CET	192.168.2.6	1.1.1.1	0x7a9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.058305979 CET	192.168.2.6	1.1.1.1	0xaf09	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:29.066329956 CET	192.168.2.6	1.1.1.1	0x9da6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:29.760425091 CET	192.168.2.6	1.1.1.1	0xd4cc	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.821069956 CET	192.168.2.6	1.1.1.1	0x18b2	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.830375910 CET	192.168.2.6	1.1.1.1	0x85a5	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:33.629947901 CET	192.168.2.6	1.1.1.1	0x101c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:36.960480928 CET	192.168.2.6	1.1.1.1	0x9d12	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.960774899 CET	192.168.2.6	1.1.1.1	0x5668	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.961376905 CET	192.168.2.6	1.1.1.1	0xce07	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.736016035 CET	192.168.2.6	1.1.1.1	0x2c2a	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.736695051 CET	192.168.2.6	1.1.1.1	0x826d	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.752856970 CET	192.168.2.6	1.1.1.1	0x4f90	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:37.752856970 CET	192.168.2.6	1.1.1.1	0xc741	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.753133059 CET	192.168.2.6	1.1.1.1	0xde76	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:37.762664080 CET	192.168.2.6	1.1.1.1	0x95dc	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.764059067 CET	192.168.2.6	1.1.1.1	0xcdf3	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 28, 2024 07:18:37.764424086 CET	192.168.2.6	1.1.1.1	0xf5ae	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.770692110 CET	192.168.2.6	1.1.1.1	0xff0d	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.772321939 CET	192.168.2.6	1.1.1.1	0xf793	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.779365063 CET	192.168.2.6	1.1.1.1	0x4fa1	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:37.780133963 CET	192.168.2.6	1.1.1.1	0xf2ae	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:38.795221090 CET	192.168.2.6	1.1.1.1	0xa9c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:38.804968119 CET	192.168.2.6	1.1.1.1	0x4a2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:46.406799078 CET	192.168.2.6	1.1.1.1	0x1517	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 28, 2024 07:18:49.816853046 CET	192.168.2.6	1.1.1.1	0x46ec	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.822863102 CET	192.168.2.6	1.1.1.1	0x30a9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.824913979 CET	192.168.2.6	1.1.1.1	0x3ee3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.826287985 CET	192.168.2.6	1.1.1.1	0xc2b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.833295107 CET	192.168.2.6	1.1.1.1	0x74d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:49.833972931 CET	192.168.2.6	1.1.1.1	0xfb3a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:49.834723949 CET	192.168.2.6	1.1.1.1	0x240d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 28, 2024 07:18:49.846971035 CET	192.168.2.6	1.1.1.1	0xe961	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.866625071 CET	192.168.2.6	1.1.1.1	0xa88d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.886398077 CET	192.168.2.6	1.1.1.1	0x52f5	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:18:50.434657097 CET	192.168.2.6	1.1.1.1	0xf3c4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.446168900 CET	192.168.2.6	1.1.1.1	0x79d0	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.454142094 CET	192.168.2.6	1.1.1.1	0x7983	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 07:18:50.563304901 CET	192.168.2.6	1.1.1.1	0xfa90	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.563304901 CET	192.168.2.6	1.1.1.1	0xcd15	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:10.459228039 CET	192.168.2.6	1.1.1.1	0xfe95	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:19:19.577327967 CET	192.168.2.6	1.1.1.1	0x3ca1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:19.586220026 CET	192.168.2.6	1.1.1.1	0x62ef	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:19:51.724028111 CET	192.168.2.6	1.1.1.1	0x9e2b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:51.732918978 CET	192.168.2.6	1.1.1.1	0x9562	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 07:19:52.353802919 CET	192.168.2.6	1.1.1.1	0xa201	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 07:18:22.467248917 CET	1.1.1.1	192.168.2.6	0x390a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.467288017 CET	1.1.1.1	192.168.2.6	0xcf3b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:22.467288017 CET	1.1.1.1	192.168.2.6	0xcf3b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.467885971 CET	1.1.1.1	192.168.2.6	0x631a	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.487040043 CET	1.1.1.1	192.168.2.6	0xca7c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.488466978 CET	1.1.1.1	192.168.2.6	0xf8f5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.497303963 CET	1.1.1.1	192.168.2.6	0x421a	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.498790026 CET	1.1.1.1	192.168.2.6	0x431b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 07:18:22.506916046 CET	1.1.1.1	192.168.2.6	0x8d58	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:22.902729034 CET	1.1.1.1	192.168.2.6	0x6971	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:22.914658070 CET	1.1.1.1	192.168.2.6	0x8aae	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.091450930 CET	1.1.1.1	192.168.2.6	0xdb00	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:23.091450930 CET	1.1.1.1	192.168.2.6	0xdb00	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.101430893 CET	1.1.1.1	192.168.2.6	0xfc4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.113375902 CET	1.1.1.1	192.168.2.6	0xb344	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:23.113375902 CET	1.1.1.1	192.168.2.6	0xb344	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.133291960 CET	1.1.1.1	192.168.2.6	0xd907	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559048891 CET	1.1.1.1	192.168.2.6	0xab3f	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559048891 CET	1.1.1.1	192.168.2.6	0xab3f	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559060097 CET	1.1.1.1	192.168.2.6	0x7ec3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559060097 CET	1.1.1.1	192.168.2.6	0x7ec3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559256077 CET	1.1.1.1	192.168.2.6	0x76e3	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559256077 CET	1.1.1.1	192.168.2.6	0x76e3	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559256077 CET	1.1.1.1	192.168.2.6	0x76e3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.559633017 CET	1.1.1.1	192.168.2.6	0xde25	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.571278095 CET	1.1.1.1	192.168.2.6	0x9d7d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:23.581832886 CET	1.1.1.1	192.168.2.6	0x58ac	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 07:18:23.704269886 CET	1.1.1.1	192.168.2.6	0x2cf8	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:28.978213072 CET	1.1.1.1	192.168.2.6	0x9540	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:28.988523960 CET	1.1.1.1	192.168.2.6	0x50c8	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:28.988523960 CET	1.1.1.1	192.168.2.6	0x50c8	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:28.988523960 CET	1.1.1.1	192.168.2.6	0x50c8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:28.988754034 CET	1.1.1.1	192.168.2.6	0x7eb2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:28.988754034 CET	1.1.1.1	192.168.2.6	0x7eb2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.017067909 CET	1.1.1.1	192.168.2.6	0x9ea3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.038096905 CET	1.1.1.1	192.168.2.6	0xfb07	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.038199902 CET	1.1.1.1	192.168.2.6	0xf16b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.065454960 CET	1.1.1.1	192.168.2.6	0x7a9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.750005007 CET	1.1.1.1	192.168.2.6	0x88b7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.768140078 CET	1.1.1.1	192.168.2.6	0xd4cc	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:29.768140078 CET	1.1.1.1	192.168.2.6	0xd4cc	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:29.829040051 CET	1.1.1.1	192.168.2.6	0x18b2	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967787981 CET	1.1.1.1	192.168.2.6	0x9d12	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967848063 CET	1.1.1.1	192.168.2.6	0x5668	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:36.967848063 CET	1.1.1.1	192.168.2.6	0x5668	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:36.969738960 CET	1.1.1.1	192.168.2.6	0xce07	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:36.969738960 CET	1.1.1.1	192.168.2.6	0xce07	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.743415117 CET	1.1.1.1	192.168.2.6	0x2c2a	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.744036913 CET	1.1.1.1	192.168.2.6	0x826d	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.760185003 CET	1.1.1.1	192.168.2.6	0x4f90	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.760185003 CET	1.1.1.1	192.168.2.6	0x4f90	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.760185003 CET	1.1.1.1	192.168.2.6	0x4f90	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.760185003 CET	1.1.1.1	192.168.2.6	0x4f90	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.761106014 CET	1.1.1.1	192.168.2.6	0xc741	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.761259079 CET	1.1.1.1	192.168.2.6	0xde76	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.770071030 CET	1.1.1.1	192.168.2.6	0x95dc	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:37.770071030 CET	1.1.1.1	192.168.2.6	0x95dc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.770071030 CET	1.1.1.1	192.168.2.6	0x95dc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.770071030 CET	1.1.1.1	192.168.2.6	0x95dc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.770071030 CET	1.1.1.1	192.168.2.6	0x95dc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.771581888 CET	1.1.1.1	192.168.2.6	0xf5ae	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.772257090 CET	1.1.1.1	192.168.2.6	0xcdf3	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 28, 2024 07:18:37.778774023 CET	1.1.1.1	192.168.2.6	0xff0d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.778774023 CET	1.1.1.1	192.168.2.6	0xff0d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.778774023 CET	1.1.1.1	192.168.2.6	0xff0d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.778774023 CET	1.1.1.1	192.168.2.6	0xff0d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:37.779583931 CET	1.1.1.1	192.168.2.6	0xf793	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:38.803710938 CET	1.1.1.1	192.168.2.6	0xa9c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:46.417047024 CET	1.1.1.1	192.168.2.6	0x1517	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823864937 CET	1.1.1.1	192.168.2.6	0x78aa	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823864937 CET	1.1.1.1	192.168.2.6	0x78aa	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823936939 CET	1.1.1.1	192.168.2.6	0x46ec	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823936939 CET	1.1.1.1	192.168.2.6	0x46ec	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823936939 CET	1.1.1.1	192.168.2.6	0x46ec	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.823936939 CET	1.1.1.1	192.168.2.6	0x46ec	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.829993963 CET	1.1.1.1	192.168.2.6	0x30a9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.832437992 CET	1.1.1.1	192.168.2.6	0x3ee3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.834225893 CET	1.1.1.1	192.168.2.6	0xc2b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.834225893 CET	1.1.1.1	192.168.2.6	0xc2b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.834225893 CET	1.1.1.1	192.168.2.6	0xc2b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.834225893 CET	1.1.1.1	192.168.2.6	0xc2b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.854517937 CET	1.1.1.1	192.168.2.6	0xe961	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:49.854517937 CET	1.1.1.1	192.168.2.6	0xe961	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:49.874469042 CET	1.1.1.1	192.168.2.6	0xa88d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.441747904 CET	1.1.1.1	192.168.2.6	0xf3c4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:50.441747904 CET	1.1.1.1	192.168.2.6	0xf3c4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.453442097 CET	1.1.1.1	192.168.2.6	0x79d0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.461230040 CET	1.1.1.1	192.168.2.6	0x7983	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 07:18:50.570903063 CET	1.1.1.1	192.168.2.6	0xcd15	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.570903063 CET	1.1.1.1	192.168.2.6	0xcd15	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:50.571230888 CET	1.1.1.1	192.168.2.6	0xfa90	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:18:51.128705978 CET	1.1.1.1	192.168.2.6	0x2cf6	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:18:51.128705978 CET	1.1.1.1	192.168.2.6	0x2cf6	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:19:19.576186895 CET	1.1.1.1	192.168.2.6	0xa17b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:19.585604906 CET	1.1.1.1	192.168.2.6	0x3ca1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:51.731493950 CET	1.1.1.1	192.168.2.6	0x9e2b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 07:19:52.361525059 CET	1.1.1.1	192.168.2.6	0xa201	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 07:19:52.361525059 CET	1.1.1.1	192.168.2.6	0xa201	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49742	34.107.221.82	80	6392	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:18:22.489499092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:23.085187912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54818 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:23.537540913 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:23.677043915 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54818 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49753	34.107.221.82	80	6392	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:18:23.568334103 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49763	34.107.221.82	80	6392	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:18:24.923851967 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:25.515450954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68838 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:26.503274918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:26.626807928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68839 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:28.966691017 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:29.090060949 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68842 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:33.602077007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:33.727921009 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:34.298796892 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:34.422333002 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68847 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:35.687767982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:35.811079979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68848 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:36.858903885 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:36.982542038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68849 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:38.499250889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:38.622565031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68851 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:38.778394938 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:38.903378010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68851 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:39.555100918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:39.678848982 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68852 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:49.689656019 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:18:50.565391064 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:50.688682079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68863 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:51.247195959 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:51.370558977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68864 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:51.880852938 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:52.321563005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68864 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:52.322094917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68864 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:18:54.496345043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:18:54.619987965 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68867 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:19:04.634721994 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:11.205718040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:19:11.329495907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68884 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:19:20.635236025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:19:20.759401083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68893 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:19:21.523680925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:19:21.647089005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68894 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:19:31.648061037 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:41.658899069 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:51.666481972 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:52.485301971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 07:19:52.609818935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 68925 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 07:20:02.619374037 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:20:12.627490997 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:20:22.638341904 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49768	34.107.221.82	80	6392	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 07:18:25.143870115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:25.746118069 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54820 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:26.577152967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:26.705630064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54821 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:29.741375923 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:29.868336916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54824 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:33.621057987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:33.747653008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54828 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:34.588510990 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:35.207788944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:35.208208084 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:35.208831072 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:36.300198078 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:36.426600933 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54831 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:37.755357981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:37.882172108 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54832 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:38.504105091 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:38.630582094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54833 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:39.421523094 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:39.551080942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54834 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:49.551563978 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:18:50.434245110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:50.560899973 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54845 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:51.116686106 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:51.243421078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54846 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:51.750588894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:51.877193928 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54846 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:18:54.362510920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:18:54.488811016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54849 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:19:04.503182888 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:11.075201988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:19:11.201883078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54866 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:19:20.467917919 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:19:20.594796896 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54875 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:19:21.163167953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:19:21.520494938 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54876 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:19:31.532138109 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:41.558461905 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:51.566113949 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:19:52.353491068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 07:19:52.480669022 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 54907 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 07:20:02.481118917 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:20:12.495831966 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 07:20:22.501739979 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:18:13
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc30000
File size:	919'552 bytes
MD5 hash:	434908E8890502C3474BD02AF6F81C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2270402786.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:18:13
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x230000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:18:13
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x230000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x230000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x230000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x230000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:18:16
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:18:17
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:18:17
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9efe5bd-3818-4102-acc0-f131aa402c4d} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e02a6ef10 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -parentBuildID 20230927232528 -prefsHandle 3744 -prefMapHandle 3808 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b0aaa9-ce77-4b53-9fb5-8079c51ca5b4} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e12fbca10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:18:26
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5052 -prefsLen 32965 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa83c025-9667-4496-beda-54bcdad7c984} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" 16e16a48710 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1523
Total number of Limit Nodes:	52

Executed Functions

Function 00C342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C3430D

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetCurrentProcess.KERNEL32(?,00CCCB64,00000000,?,?), ref: 00C34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C344A0

Strings

GetNativeSystemInfo, xrefs: 00C34460
|O, xrefs: 00C736F8
kernel32.dll, xrefs: 00C3444F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction ID: 735e60f12776dfe48aa85a3d2873f0e681cb51c8ce1b61875bcaa080f5d79fef
Opcode Fuzzy Hash: e99ce3213e31a652347b9b2e52db3a465358aa31dcb7024bfa0f076c42720e2e
Instruction Fuzzy Hash: 26A1A47AD1A3C0DFC719C769BC817D97FA47B26300F0898A9E09DD3B62D2215A09DB71

Function 00C342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C350AA,?,?,00000000,00000000), ref: 00C342C9
LoadResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735BE
SizeofResource.KERNEL32(?,00000000,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20), ref: 00C735D3
LockResource.KERNEL32(00C350AA,?,?,00C350AA,?,?,00000000,00000000,?,?,?,?,?,?,00C34F20,?), ref: 00C735E6

Strings

SCRIPT, xrefs: 00C342BF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction ID: 2932bd104e78bd29f779b6e19936e6ae439fd58477e2b648d6e955f7d8d3f6b2
Opcode Fuzzy Hash: 7e246927e26e87ddabdc2c9c1c49b060c9bf0991c829bf4393f212f9dae419c5
Instruction Fuzzy Hash: 9A118E70200700BFD7258BA6DC88F2B7BBDEBC6B51F14816DF426D6690DB72ED008A20

Function 00C72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CF2224), ref: 00C72C10
ShellExecuteW.SHELL32(00000000,?,?,00CF2224), ref: 00C72C17

Strings

runas, xrefs: 00C72C0B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction ID: 9f371c98f823d5522bd49791f65b7823b28afaa9f9f75dd67ca2f9cd18a172ce
Opcode Fuzzy Hash: 840cd12071b8e27125002b1bd331755c37fa101540cbb879ba120b39bb6561a4
Instruction Fuzzy Hash: 6F11B1312183856BCB14FF60E891EBEB7A49B91310F04542DF29A520B2CF708A0AE722

Function 00C9D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C9D52F
CloseHandle.KERNELBASE(00000000), ref: 00C9D5DC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction ID: f716459127c4553baf9d9a6afd47d2a7e43e7637e5c4b3b2ae3c2f3eba911b34
Opcode Fuzzy Hash: 06372ad45933dd9d24f9cfaab10d6f074b73128d9825dcdc279c2c081c53126a
Instruction Fuzzy Hash: 5931BC711083009FD300EF64D885BAFBBE8EF99354F14092DF586961A1EB719A48DBA3

Function 00C9DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C75222), ref: 00C9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C9DBEE
FindClose.KERNEL32(00000000), ref: 00C9DBFA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction ID: 0b076411fb5ce06d5bd6343dbaf4359215452905bc7c5ef4bbf3089911293c05
Opcode Fuzzy Hash: 5e58f9e0c8dbc6112a44dc0cf54e7613a158b1a14e175eb1e3b2a912af1707e7
Instruction Fuzzy Hash: 8EF0A030810910978B206B78EC4DAAE776C9F01334B144702F83AD20F0EBB05A568695

Function 00C54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D09
TerminateProcess.KERNEL32(00000000,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000,?,00C628E9), ref: 00C54D10
ExitProcess.KERNEL32 ref: 00C54D22

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction ID: 7c6e6fd7ad27d7b7157c01d2580c13f58b3ef5e62b94ec03858d9c3b90ed123f
Opcode Fuzzy Hash: 6c14b3ce3aee39ed185d9b2a51043ff09086083f27518ce7d3ee3336eddca176
Instruction Fuzzy Hash: E1E0B675400188ABCF25AF54EE49F9C3B79FB41796B144018FC198B132CB3ADE86DA94

Function 00CBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB1D4
_wcslen.LIBCMT ref: 00CBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBB236
_wcslen.LIBCMT ref: 00CBB332

Part of subcall function 00CA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6

_wcslen.LIBCMT ref: 00CBB34B
_wcslen.LIBCMT ref: 00CBB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CBB3B6
GetLastError.KERNEL32(00000000), ref: 00CBB407
CloseHandle.KERNEL32(?), ref: 00CBB439
CloseHandle.KERNEL32(00000000), ref: 00CBB44A
CloseHandle.KERNEL32(00000000), ref: 00CBB45C
CloseHandle.KERNEL32(00000000), ref: 00CBB46E
CloseHandle.KERNEL32(?), ref: 00CBB4E3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c3b227c095627e8e8b73faecfa95324caa17b94ed12b310e26948b04c874dd02
Instruction ID: 764804eedb8b75574647d9dbe96810da4fbe025ce630d920a83398ce2427dd64
Opcode Fuzzy Hash: c3b227c095627e8e8b73faecfa95324caa17b94ed12b310e26948b04c874dd02
Instruction Fuzzy Hash: B2F1BD715083009FCB24EF24C891BAEBBE4BF85314F18855DF8999B2A2CB71ED45DB52

Function 00C3D733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C3D807
timeGetTime.WINMM ref: 00C3DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB28
TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNELBASE(0000000A), ref: 00C3DBB1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: a343900cdd5c8aa00fc4f6b37a38832f2bb0fd8053f2e10b95248c1a8b9bd963
Instruction ID: 90d503ca4c915d2c92b69e371459e52c1f8be8f608a814ab46cd46a7847826ec
Opcode Fuzzy Hash: a343900cdd5c8aa00fc4f6b37a38832f2bb0fd8053f2e10b95248c1a8b9bd963
Instruction Fuzzy Hash: FF420130618341EFD728DF25D888BAAB7E0FF45308F14865DF86A87291DB70E944DB96

Function 00C32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32D07
RegisterClassExW.USER32(00000030), ref: 00C32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
LoadIconW.USER32(000000A9), ref: 00C32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

AutoIt v3 GUI, xrefs: 00C32D23
TaskbarCreated, xrefs: 00C32D37
+, xrefs: 00C32CF0
0, xrefs: 00C32CE9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction ID: f7d95c39be0f1cc37131f6811e5533272f1ca9b2219ef3b53a4f533aab4236cf
Opcode Fuzzy Hash: 71fe56a2c9e6efffdee01bbd5cd3afd1b56664f760baf18342c5e95f6ad27a89
Instruction Fuzzy Hash: D721BFB9D01319AFDB00DFA4E889B9DBBB4FB08700F00811AF629E62A0D7B155448FA1

Function 00C7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

GetLastError.KERNEL32 ref: 00C7076F
__dosmaperr.LIBCMT ref: 00C70776
GetFileType.KERNELBASE(00000000), ref: 00C70782
GetLastError.KERNEL32 ref: 00C7078C
__dosmaperr.LIBCMT ref: 00C70795
CloseHandle.KERNEL32(00000000), ref: 00C707B5
CloseHandle.KERNEL32(?), ref: 00C708FF
GetLastError.KERNEL32 ref: 00C70931
__dosmaperr.LIBCMT ref: 00C70938

Strings

H, xrefs: 00C708BD

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction ID: 7c7e232e29bff517f8a1a6a5ed39a3f706298944b0ba2344acc0677d991804c0
Opcode Fuzzy Hash: bb099bd509f247e5e607b6a561516d3224893e4a978f0073fc62923e7db35644
Instruction Fuzzy Hash: 2EA12732A101459FDF19AF68DC91BAD3FA0AB06320F24815DF829DB3E1DB319913DB91

Function 00C3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01418,?,00C32E7F,?,?,?,00000000), ref: 00C33A78

Part of subcall function 00C33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C731CE
RegCloseKey.ADVAPI32(?), ref: 00C73210
_wcslen.LIBCMT ref: 00C73277
_wcslen.LIBCMT ref: 00C73286

Strings

\Include\, xrefs: 00C33527
\, xrefs: 00C7328C
Include, xrefs: 00C73184, 00C731C5
Software\AutoIt v3\AutoIt, xrefs: 00C33560

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d3d09ccc3adcdc05706112d8ec15be4331833de8115ce0f79d51bec249792c59
Instruction ID: 0358262abbc254bf28e73dc01d6824fc5d291f9687e33d7d36fa4c182396cc0c
Opcode Fuzzy Hash: d3d09ccc3adcdc05706112d8ec15be4331833de8115ce0f79d51bec249792c59
Instruction Fuzzy Hash: F471A2714153009FC304EF65EC89AABBBE8FF85340F40482EF559D32A1EB749A48DB62

Function 00C32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C32B9D
LoadIconW.USER32(00000063), ref: 00C32BB3
LoadIconW.USER32(000000A4), ref: 00C32BC5
LoadIconW.USER32(000000A2), ref: 00C32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C32BEF
RegisterClassExW.USER32(?), ref: 00C32C40

Part of subcall function 00C32CD4: GetSysColorBrush.USER32(0000000F), ref: 00C32D07
Part of subcall function 00C32CD4: RegisterClassExW.USER32(00000030), ref: 00C32D31
Part of subcall function 00C32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C32D42
Part of subcall function 00C32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C32D5F
Part of subcall function 00C32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C32D6F
Part of subcall function 00C32CD4: LoadIconW.USER32(000000A9), ref: 00C32D85
Part of subcall function 00C32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C32D94

Strings

#, xrefs: 00C32C16
0, xrefs: 00C32C0F
AutoIt v3, xrefs: 00C32C2F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction ID: 9a38c9ba3d53cfeec348f9e5543ee111ad5f512fd4cd82805cc37a862c5663d0
Opcode Fuzzy Hash: e2bd600e2e940dbf201883e7af636b4333cb459542763f4d63b86837287f7c5c
Instruction Fuzzy Hash: 8921D579E10318ABDB109FA5EC99BAD7FB4FB48B50F04401AE508E67A0D7B155409FA4

Function 00C33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C3316A,?,?), ref: 00C331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C3316A,?,?), ref: 00C33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C3316A,?,?), ref: 00C33232
CreatePopupMenu.USER32 ref: 00C33246
PostQuitMessage.USER32(00000000), ref: 00C33267

Strings

TaskbarCreated, xrefs: 00C3322D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction ID: ce6f94aef016d6e5f7f273c122c7caa293c3c1206c87dcc7ac83fdd1fbf7e251
Opcode Fuzzy Hash: 8e469f1b93b81f1cc7df425d4434d731c689f77c0a0e94d508b43587fbbcbcc4
Instruction Fuzzy Hash: 77412639620284ABDF251B79DD4DB7E3A19E705340F044125F92EC62E2CBB28F40ABB1

Function 00C31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C31459
CoUninitialize.COMBASE ref: 00C314F8
UnregisterHotKey.USER32(?), ref: 00C316DD
DestroyWindow.USER32(?), ref: 00C724B9
FreeLibrary.KERNEL32(?), ref: 00C7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C7254B

Strings

close all, xrefs: 00C31454

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 92884fb5099667539e80b6a4e920392536a7706d1f240c33cc25e07c931d7048
Instruction ID: 9cf0c8f5377bc63eb6f7354cb086f44a8dd2b1279a77ea4962b7229fdecfca2f
Opcode Fuzzy Hash: 92884fb5099667539e80b6a4e920392536a7706d1f240c33cc25e07c931d7048
Instruction Fuzzy Hash: 19D15B31711212CFCB29EF55C899B29F7A4FF05700F1882ADE84AAB252DB31AD12DF51

Function 00C32C63 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C31CAD,?), ref: 00C32CCF

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00C32C84
edit, xrefs: 00C32CAC
AutoIt v3, xrefs: 00C32C89, 00C32C8E, 00C32C8F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$edit
API String ID: 1584632944-3899645675
Opcode ID: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction ID: c5d2e6bab984e717502194177473c599c8f4c220562c069d3a13c933789c81ce
Opcode Fuzzy Hash: bd8cec21f6c8deed86727e2c3818ceba6b982519d378b676cefd26d4edf32bf0
Instruction Fuzzy Hash: 97F0DA799403907AEB311757AC48F772EBDD7C6F50B00105EF908E26A0C6711851DAB0

Function 00C33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C33B0F,SwapMouseButtons,00000004,?), ref: 00C33B83

Strings

Control Panel\Mouse, xrefs: 00C33B3E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction ID: 0882784734fc72b81c76355f88aed65b23b41758b65075f15101ca3648a9fb24
Opcode Fuzzy Hash: 73952bd38b7dcb88b79d678f8a55387b4645c9b62ccb18ad6f592b61d5fe06b1
Instruction Fuzzy Hash: AA112AB5520248FFDB208FA5DC84EAEB7B8EF04748F104459E805D7110D2319F409B60

Function 00C33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C733A2

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Strings

Line: , xrefs: 00C733EB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 458680ec9395c3c2080be3a026bd0f8440f344ae0cca9098b905f08b8acfcebb
Instruction ID: 5d40d666e3fcc6fa60bf0e765532201d384e8d3f7814dc5a7c1f1cd4c2eb3109
Opcode Fuzzy Hash: 458680ec9395c3c2080be3a026bd0f8440f344ae0cca9098b905f08b8acfcebb
Instruction Fuzzy Hash: 0131C171418340AAC325EB20DC45BEFB7E8AB84714F00852EF599821E1EB709B49DBD2

Function 00C4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50668

Part of subcall function 00C532A4: RaiseException.KERNEL32(?,?,?,00C5068A,?,00D01444,?,?,?,?,?,?,00C5068A,00C31129,00CF8738,00C31129), ref: 00C53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

Strings

Unknown exception, xrefs: 00C50692

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction ID: 6b919a4c303beb018ada57cf174b888b5d3bbd7d2450aeaa66846eec9fffd720
Opcode Fuzzy Hash: 6b56f81f7e2a24300503a2930415fbd19f9a5589e07144a5ef05dd3a5179d3a5
Instruction Fuzzy Hash: B0F0223890060DB3CB00BAA4DC46D9E7B6CAE00341BB04435BD24C2492EF71DBEED599

Function 00C310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
Part of subcall function 00C31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Part of subcall function 00C31B4A: RegisterWindowMessageW.USER32(00000004,?,00C312C4), ref: 00C31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C3136A
OleInitialize.OLE32 ref: 00C31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C724AB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ca7926c4f22a4bf1dac6928b829150591e015a1e95452afd0d36b54887d73dfd
Instruction ID: 3cf9490ebfea8de65ca9471e7bc9bce5ece33b5c89e131024ab6a74bab6ec25b
Opcode Fuzzy Hash: ca7926c4f22a4bf1dac6928b829150591e015a1e95452afd0d36b54887d73dfd
Instruction Fuzzy Hash: 9C718ABC9113019EC784DF7AAC897593AF0BB89354B58822EE44EDB3B1EB3085459F71

Function 00C9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C9C259
KillTimer.USER32(?,00000001,?,?), ref: 00C9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C9C270

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction ID: 3b78bac83e255a4b3434001ad09584715a8a16695edf1c937dd9e8480c7b0f67
Opcode Fuzzy Hash: 1f82a1b4fd277b05dea6cbd24d7a47873ad5fc2c529ed630830f50b0e169faa3
Instruction Fuzzy Hash: 7D319370904784AFEF22DF64C899BEBBBEC9B06708F00449ED5EE97241C7745A84CB51

Function 00C686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C685CC,?,00CF8CC8,0000000C), ref: 00C68704
GetLastError.KERNEL32(?,00C685CC,?,00CF8CC8,0000000C), ref: 00C6870E
__dosmaperr.LIBCMT ref: 00C68739

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction ID: 7c4e3df73079335e492fbd0af7cc833cff3b82475c1ce25901c4cfdf609fe129
Opcode Fuzzy Hash: 6989a8c2aff293666310c2e436b98c496be797f5fd0b25ca90e3f5ccbd978f33
Instruction Fuzzy Hash: 6B014E3260566026D6346334E8C5B7E6B494F81B74F390329F928CB2E2DEA0CD859150

Function 00C3DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C3DB7B
DispatchMessageW.USER32(?), ref: 00C3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C3DB9F
Sleep.KERNELBASE(0000000A), ref: 00C3DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C81CC9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction ID: 48d9706eb0c40e089740d4ffece54dcd865037bd9059194a10d5eaae31bb4c95
Opcode Fuzzy Hash: 420c9ceb867e927fcf8da199dcd443de112778e2423b27d6b2fc0ca2c1b9af0d
Instruction Fuzzy Hash: 13F05E306443409BE730DB60DC89FAA73ACEB44314F104A18E61EC30C0DB30A5889B65

Function 00C41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C417F6

Strings

CALL, xrefs: 00C417C6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 366474faa585c393d4eff42c98501414ba6ded74857e032e288030b76d7546fb
Instruction ID: e84db23be68193771d4e04e856f25223f69ba5bc61c69c972cc9755d8295ac40
Opcode Fuzzy Hash: 366474faa585c393d4eff42c98501414ba6ded74857e032e288030b76d7546fb
Instruction Fuzzy Hash: C022AB706083019FC714DF15C494B6ABBF1BF89314F28891DF89A8B3A2D731E985DB92

Function 00C32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C72C8C

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C32DC4

Strings

X, xrefs: 00C72C5A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction ID: bcdca90430af8a34268f17aec8935caff1b5e841026d7edfe2c9c23584f50771
Opcode Fuzzy Hash: d6d57009b060001b61a6ae365a303a715f87eb6aff7eaef31711347bbf12d72a
Instruction Fuzzy Hash: CC21D270A1029C9FDF41EF94C849BEEBBFCAF48305F008059E509B7241DBB45A899FA1

Function 00C33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction ID: e8a11559fcc8aef1b55d0ab46117393beb9b56f588eb586c1c797b3fe7c032c2
Opcode Fuzzy Hash: ae45493e529aa30547de099e3e11624cac3708f21219bfad271bad27f2d9aecf
Instruction Fuzzy Hash: 32318E745043419FD720DF24D88479BBBE8FB49709F00092EF9A9C7290E771AA44CBA2

Function 00C4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C4F661

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

Sleep.KERNEL32(00000000), ref: 00C8F2DE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction ID: 07040fccac770656a33a0df154e1a3a36e815b1fa575684bcee9410b5bd17d24
Opcode Fuzzy Hash: d06cfcc824781df9fcc0b31a8ef33fb3f6a9e2443459bbb7671a1c0710f59655
Instruction Fuzzy Hash: B8F01C312506059FD314EF69D489F6AB7E8FF45761F004029F95EC7261DB70AC10DB95

Function 00C34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
Part of subcall function 00C34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
Part of subcall function 00C34E90: FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EFD

Part of subcall function 00C34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
Part of subcall function 00C34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
Part of subcall function 00C34E59: FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction ID: 79e8c94271a4caebaea300239b24ca26f05f695f6931ba23e76072c994be5d87
Opcode Fuzzy Hash: de118b66e17bc8a12fb07eb573d9e1dc450bfb6b7e958a74abb2528a66a8d53b
Instruction Fuzzy Hash: EB112332620205ABCB28ABA4DC02FAD77A5AF44710F24842DF442A61C1EE70AA05AB50

Function 00C68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C68440

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction ID: dbb4bfbc9a09e035e859005549b0db9e25852cc56613225d979aa22141bec158
Opcode Fuzzy Hash: ad1a886cbdf7280e26a8147bfc85148efc80012277b4c88d607086ce3502584b
Instruction Fuzzy Hash: C311487190420AAFCB15DF58E980AAE7BF4EF48300F104199F808AB312DA30DA15CBA4

Function 00C65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C64C7D: RtlAllocateHeap.NTDLL(00000008,00C31129,00000000,?,00C62E29,00000001,00000364,?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?), ref: 00C64CBE

_free.LIBCMT ref: 00C6506C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 08101cae97ae96cd05ebfbd944812e6cd50af9d69471a282f1dfa4c162725794
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B60122722047056BE3318F69D8C1A9AFBE8FB89370F25062DE194832C0EB30A905C6B4

Function 00C5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 298ac76e29bd10556a0c875ddc01be64290c3cdbea06ae39ece58ffed8f3941b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF02D3A510E18DAC7353A66CC05B5A33999F523B3F100715FC21931D2CF70D68E96AD

Function 00C64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C31129,00000000,?,00C62E29,00000001,00000364,?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?), ref: 00C64CBE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c1c6db7a9a1d6dd2d6e1d24d46d90ffb20ead237f6b3f0c94e97a1e7fc4744f1
Instruction ID: d23469c14266665ac4f83bd5e2d355e599012b64730c7f4212b3674b97487f02
Opcode Fuzzy Hash: c1c6db7a9a1d6dd2d6e1d24d46d90ffb20ead237f6b3f0c94e97a1e7fc4744f1
Instruction Fuzzy Hash: 2FF0E93560222477DB3D5F6BDC89F5A3788BF817A1B144115FC2AE6380CA70D94196E0

Function 00C63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction ID: f15fcec1ef92262f062ed04772435d7b79a3a008f44987703a5709522eaf1581
Opcode Fuzzy Hash: 96e5101c272eb2028911ff564849914448923605b28798be7d39f02f874271bd
Instruction Fuzzy Hash: D1E0E5351002A456E73126A79C45BDA3749EF467B5F050122FC25975C1CB10DF4292F4

Function 00C34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34F6D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction ID: d84696e4c494f76403167ca6f9f38d763c1cbc352e7cb0602cfd444d2c728107
Opcode Fuzzy Hash: cf4ab712b9ff7a6e3a9683f522e4c29e59ee8090e517790d45f426556ce40ebb
Instruction Fuzzy Hash: 75F03071115751CFDB389FA5D490916B7E4EF1831971889BEE1EA82611C731A944DF10

Function 00CC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CC2A66

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction ID: e74fecf658acc4fdf4f344eb5b92444d3f61241e2ff78813e4775ee5ef58a0ac
Opcode Fuzzy Hash: ebda74c7b0b1aad9cea7abc1f0399db6b03cae6e071911a7728576278d64dfb2
Instruction Fuzzy Hash: 97E08C36354116AACB14EB35EC84EFEB35CEF50395B10453AFC2AC2140EB309A96B6E0

Function 00C330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction ID: 47a18f57a873438baafaea262bed57cbd30ffc521994cb7f3bed1f5e001decef
Opcode Fuzzy Hash: 3966a68749f3ca2dba2939ec85b2a64cdafb83a73bedf0c2654aa899823d2c7b
Instruction Fuzzy Hash: 02F037749143549FE752DB64DC497D97BFCA701708F0040E9A54CD6291D7745788CF61

Function 00C32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C32DC4

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction ID: 1747035774fff61c3d044b7dac4f5db8134608731676e3d9ca5f25c52e4d59b1
Opcode Fuzzy Hash: fb4797b6f514a124e720344f625ba852134f1bc2ad872e2e5e1a24bb99a5bd41
Instruction Fuzzy Hash: 4AE0CD72A001245BC710D698DC05FDA77DDDFC8790F044071FD0DD7248D960AD809650

Function 00C32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C33908

Part of subcall function 00C3D733: GetInputState.USER32 ref: 00C3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C32B6B

Part of subcall function 00C330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C3314E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction ID: b9b62ad7dda7c444de1fddeba580573d30c5ca70e48541df3f7ab6e135049a84
Opcode Fuzzy Hash: 2791e9fde7a1652b64a130b4176b17f593b7b67a0362c6ca17c1eb8a7b4ce5eb
Instruction Fuzzy Hash: D4E08C2672428807CA08BB74A852AADA7599BD2365F40153EF14B872B2CF648A499262

Function 00C7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C70704,?,?,00000000,?,00C70704,00000000,0000000C), ref: 00C703B7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction ID: 8744a9c52526f34a33f91bdef1cb130bd61ee9445eb4c0b4bb91dcc07cc6b8e1
Opcode Fuzzy Hash: d21f8b6fbac0c3e0daf5a0756a8d40583f033ae71961169a0c22b792f8b66cad
Instruction Fuzzy Hash: B0D06C3204010DBBDF028F85DD46EDE3BAAFB48714F014040FE1856020C732E821AB90

Function 00C31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C31CBC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction ID: d5caebe21cc3096625d6f8e479eaeec3e2b3b03892b443720bc8562a76ca96b0
Opcode Fuzzy Hash: 0161c9f26b856640dc4285e4dd0348036391cee3acdc085e77f9eb751674d811
Instruction Fuzzy Hash: E5C0923A280304AFF3148B80FC8EF247764A348B00F048001F60DE96E3C3E22821EA64

Non-executed Functions

Function 00CC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC96C9
SendMessageW.USER32 ref: 00CC96F2
GetKeyState.USER32(00000011), ref: 00CC978B
GetKeyState.USER32(00000009), ref: 00CC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CC97AE
GetKeyState.USER32(00000010), ref: 00CC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CC97E9
SendMessageW.USER32 ref: 00CC9810
SendMessageW.USER32(?,00001030,?,00CC7E95), ref: 00CC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CC9941
SetCapture.USER32(?), ref: 00CC994A
ClientToScreen.USER32(?,?), ref: 00CC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC99D6
ReleaseCapture.USER32 ref: 00CC99E1
GetCursorPos.USER32(?), ref: 00CC9A19
ScreenToClient.USER32(?,?), ref: 00CC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9A80
SendMessageW.USER32 ref: 00CC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9AEB
SendMessageW.USER32 ref: 00CC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CC9B4A
GetCursorPos.USER32(?), ref: 00CC9B68
ScreenToClient.USER32(?,?), ref: 00CC9B75
GetParent.USER32(?), ref: 00CC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CC9BFA
SendMessageW.USER32 ref: 00CC9C2B
ClientToScreen.USER32(?,?), ref: 00CC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CC9CDE
SendMessageW.USER32 ref: 00CC9D01
ClientToScreen.USER32(?,?), ref: 00CC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CC9D82

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetWindowLongW.USER32(?,000000F0), ref: 00CC9E05

Strings

F, xrefs: 00CC9D07
@GUI_DRAGID, xrefs: 00CC997D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction ID: cb1046b8a1d637c80da27cd6fe527997d532e332b70b3cc0958d7cc8b3be2a13
Opcode Fuzzy Hash: 6476d7736a6e28dfc513bcbd0fd71ee65f4a66c54f3a3daa3ce1d189f4c3f598
Instruction Fuzzy Hash: F0425835604601AFDB25CF24C888FAABBF5FF49310F14061DF6A9972A1D731AA60DF52

Function 00CC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CC4A7E
IsMenu.USER32(?), ref: 00CC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CC4C82
wsprintfW.USER32 ref: 00CC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CC4D5A

Strings

%d/%02d/%02d, xrefs: 00CC4CA8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7820cc22ba621096d65e78f0cbecd7070d29e6c7c69e3ca0ee207d39c1d37eb7
Instruction ID: 52f3ba73504ed15c7909c9bbf8f5d03bcd2021d668a82a76cd73daf2f8e5c17a
Opcode Fuzzy Hash: 7820cc22ba621096d65e78f0cbecd7070d29e6c7c69e3ca0ee207d39c1d37eb7
Instruction Fuzzy Hash: 37120271A00214ABEB288F65CC59FAE7BF8EF45310F10812DF52ADB2E1DB749A41CB50

Function 00C4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8F474
IsIconic.USER32(00000000), ref: 00C8F47D
ShowWindow.USER32(00000000,00000009), ref: 00C8F48A
SetForegroundWindow.USER32(00000000), ref: 00C8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4AA
GetCurrentThreadId.KERNEL32 ref: 00C8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C8F4DE
SetForegroundWindow.USER32(00000000), ref: 00C8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F4F6
keybd_event.USER32(00000012,00000000), ref: 00C8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F50B
keybd_event.USER32(00000012,00000000), ref: 00C8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F519
keybd_event.USER32(00000012,00000000), ref: 00C8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C8F528
keybd_event.USER32(00000012,00000000), ref: 00C8F52D
SetForegroundWindow.USER32(00000000), ref: 00C8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C8F557

Strings

Shell_TrayWnd, xrefs: 00C8F46F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction ID: 51bee6ef6edd3f881dd36bede2f21e5d319ddbad613fce9e370efcdbe1b40bdc
Opcode Fuzzy Hash: 14e3a9ec2152bd425f1b3dd4a7cfcbb796c7677ec0ab5c23c9582265708f4b96
Instruction Fuzzy Hash: 10316671A40218BFEB206BB59C8AFBF7E6CEB44B54F10006AFA05E61D1C7B55D01AF64

Function 00C91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C912A8
CloseHandle.KERNEL32(?), ref: 00C912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C912D1
GetProcessWindowStation.USER32 ref: 00C912EA
SetProcessWindowStation.USER32(00000000), ref: 00C912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C91310

Part of subcall function 00C910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
Part of subcall function 00C910BF: CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Strings

, xrefs: 00C9125A
default, xrefs: 00C9130B
winsta0, xrefs: 00C912CC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 907c11026d7c96be8e8e02c094ebffae12508f453f1fa714b06a4738ea132aab
Instruction ID: 7c72736be173e5822fe1928ebd50fc93cab62ed670932c5ed6c06364e6520b06
Opcode Fuzzy Hash: 907c11026d7c96be8e8e02c094ebffae12508f453f1fa714b06a4738ea132aab
Instruction Fuzzy Hash: A981A37190020AAFEF119FA5DC4AFEE7BB9FF08704F184119FD25A61A0C7318A55DB21

Function 00C90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90C00
GetLengthSid.ADVAPI32(?), ref: 00C90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90C6D
GetLengthSid.ADVAPI32(?), ref: 00C90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90C8C
HeapAlloc.KERNEL32(00000000), ref: 00C90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90CB4
CopySid.ADVAPI32(00000000), ref: 00C90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D45
HeapFree.KERNEL32(00000000), ref: 00C90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D55
HeapFree.KERNEL32(00000000), ref: 00C90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90D65
HeapFree.KERNEL32(00000000), ref: 00C90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90D78
HeapFree.KERNEL32(00000000), ref: 00C90D7F

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction ID: 19e427dd3146bbc613dfb982e15a8c97517370c365fc324a61f6a8715ddad9c3
Opcode Fuzzy Hash: 7bca1dd9cf086147e9aed748153c65ec1d500dd8f842d1186f9fede4be6e4410
Instruction Fuzzy Hash: 8F716B7290020AAFDF10DFA5DC88FAEBBBCBF04304F144519F929A7291D771AA05CB60

Function 00CAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CCCC08), ref: 00CAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CAEB37
GetClipboardData.USER32(0000000D), ref: 00CAEB43
CloseClipboard.USER32 ref: 00CAEB4F
GlobalLock.KERNEL32(00000000), ref: 00CAEB87
CloseClipboard.USER32 ref: 00CAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CAEBC9
GetClipboardData.USER32(00000001), ref: 00CAEBD1
GlobalLock.KERNEL32(00000000), ref: 00CAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CAEC38
GetClipboardData.USER32(0000000F), ref: 00CAEC44
GlobalLock.KERNEL32(00000000), ref: 00CAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CAECF3
CountClipboardFormats.USER32 ref: 00CAED14
CloseClipboard.USER32 ref: 00CAED59

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction ID: 68e1a369c475d12052630ae0047fe8a9b40be5519b43993adeeb77565e783745
Opcode Fuzzy Hash: 40fc8c249058b9152740604e84c15b60f5e90091236254cb85f1068be657339b
Instruction Fuzzy Hash: E061CF34204302AFD300EF24D889F6EB7A4EF85718F14455DF46A972A2DB71DE46DBA2

Function 00CA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA69BE
FindClose.KERNEL32(00000000), ref: 00CA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CA6A75

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CA6B32
%03d, xrefs: 00CA6DA2
%4d, xrefs: 00CA6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00CA6B6A
%02d, xrefs: 00CA6C00, 00CA6C0A, 00CA6C5A, 00CA6CAA, 00CA6CFA, 00CA6D4A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction ID: 85b4c379e488074f89a15d807f7affbb625750faa61e7b66be1289e4961dad2f
Opcode Fuzzy Hash: d1984acbdfac4ec36f4b22bf720f600bf64da34d292c4b3315bdff855c53978d
Instruction Fuzzy Hash: A8D15DB2518300AFC714EBA4C885EAFB7ECEF89704F04491DF589D6291EB74DA44DB62

Function 00CA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00CA9663
GetFileAttributesW.KERNEL32(?), ref: 00CA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CA96D3
FindClose.KERNEL32(00000000), ref: 00CA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA974A
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA9772
FindClose.KERNEL32(00000000), ref: 00CA977F
FindClose.KERNEL32(00000000), ref: 00CA978F

Strings

*.*, xrefs: 00CA96F5

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction ID: 1e178e1f8032b4b3ad5104ba78ff9a84cd0f346dea01035eb6771e47fc334fb8
Opcode Fuzzy Hash: fb1d3fd1fc9d719b2e8926b6932cb9a8d1a3d2fd329f9b4d0c2425897c72436e
Instruction Fuzzy Hash: 3631C23250021A6BDB14EFB4EC4AFEE77ACDF4A325F144165F919E20A0DB30DA858A24

Function 00CA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00CA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CA9819
FindClose.KERNEL32(00000000), ref: 00CA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA9890
SetCurrentDirectoryW.KERNEL32(00CF6B7C), ref: 00CA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA98B8
FindClose.KERNEL32(00000000), ref: 00CA98C5
FindClose.KERNEL32(00000000), ref: 00CA98D5

Part of subcall function 00C9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C9DB00

Strings

*.*, xrefs: 00CA983B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction ID: f0b7842897e026fd12b0ad6f6b8309d6f88136fef60f05da33071361a32545d6
Opcode Fuzzy Hash: 7a49a6e13adccc279f3fc65f8e342fa572332b2fd7ab323edb012e5865b9def7
Instruction Fuzzy Hash: 5C31C33150021A6ADB14EFB4EC8AFEE77BCDF07324F144165E924A20E0DB38DA85DB24

Function 00CBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBC382
RegCloseKey.ADVAPI32(00000000), ref: 00CBC38F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: fd60a88ce1cd8bf788a270ba14ab939d20b1e800804cac750113319edca2eaca
Instruction ID: c79f2c2d2c69eb3ed82031d6ddbf7406ab907f00b9ba4c5b80998a94a9e800cf
Opcode Fuzzy Hash: fd60a88ce1cd8bf788a270ba14ab939d20b1e800804cac750113319edca2eaca
Instruction Fuzzy Hash: B8025C71604200AFC714DF28C8D1E6ABBE5EF89314F58849DF85ADB2A2D731ED46CB51

Function 00CA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8395

Strings

*.*, xrefs: 00CA839B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction ID: c0867a33f70080b35fa71ccff9f8df3143e80f74185ddfc9317465c78b705fa6
Opcode Fuzzy Hash: a04ef559797f03ccfec54563893c4a66c821198c4cf9ae21547b17da956a1920
Instruction Fuzzy Hash: 06617D725043469FCB10EF64C884AAEB3E8FF89314F04491EF999D7251DB35EA49CB92

Function 00C9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C9D1DD
MoveFileW.KERNEL32(?,?), ref: 00C9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D237

Part of subcall function 00C9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C9D21C,?,?), ref: 00C9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C9D253
FindClose.KERNEL32(00000000), ref: 00C9D264

Strings

\*.*, xrefs: 00C9D0CD, 00C9D0D6, 00C9D0EB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction ID: c7bcb1e1aaf336db823ef01537114edc43f517cd16828ac4ed47fde46a8994f9
Opcode Fuzzy Hash: b44896854a47fffeb46d7856cba45571664df3427d003798a2f8a774e5b93969
Instruction Fuzzy Hash: 1D618C31C0524DAFCF05EBE0DA96AEDB7B5AF55300F204165E452771A2EB30AF09EB61

Function 00CAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CAED91
EmptyClipboard.USER32 ref: 00CAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CAEDAC
CloseClipboard.USER32 ref: 00CAEEA3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction ID: 43323a45b548cfcea29792304399f6d4e302e9a2d70ebdef41009e320877a3f9
Opcode Fuzzy Hash: 79dc26607cb9b09661432544bc4b8c969cf667951d8d75335edc0c54a307fc0c
Instruction Fuzzy Hash: D341AB35604612AFE720CF19D888F19BBE5EF45329F14C099E4298B762C735ED42CBD0

Function 00C9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
Part of subcall function 00C916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
Part of subcall function 00C916C3: GetLastError.KERNEL32 ref: 00C9174A

ExitWindowsEx.USER32(?,00000000), ref: 00C9E932

Strings

, xrefs: 00C9E920
@, xrefs: 00C9E925
, xrefs: 00C9E95C
SeShutdownPrivilege, xrefs: 00C9E902

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction ID: f608c4dccc0d5a6efde3a8a7b06838669a2417a4ed17164bde79dd0e1a108c69
Opcode Fuzzy Hash: 4d147147ecc6578e71af8b0dd8b88eb20b765267737d660ed9eb6fc1447b147a
Instruction Fuzzy Hash: 0401F972A10211AFEF54A6B59CCEFFF726CA724750F1A0421FD13E21D1D9A15D409290

Function 00CB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00CB1276
WSAGetLastError.WSOCK32 ref: 00CB1283
bind.WSOCK32(00000000,?,00000010), ref: 00CB12BA
WSAGetLastError.WSOCK32 ref: 00CB12C5
closesocket.WSOCK32(00000000), ref: 00CB12F4
listen.WSOCK32(00000000,00000005), ref: 00CB1303
WSAGetLastError.WSOCK32 ref: 00CB130D
closesocket.WSOCK32(00000000), ref: 00CB133C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction ID: cfcfa6c6a7a70eda4ad1e03bbf81097d3d403c13cb8e3d8bb738dde989849e05
Opcode Fuzzy Hash: d65d5c8ef04cda3e442d154ac2aa295d2e78e9c1fd8fe3124cef3c5dcb789afb
Instruction Fuzzy Hash: 50417071A001409FD710DF68C4D8B6ABBE5AF46318F588198E8669F2E2C771ED81CBE1

Function 00C6B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6B9D4
_free.LIBCMT ref: 00C6B9F8
_free.LIBCMT ref: 00C6BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CD3700), ref: 00C6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D01270,000000FF,?,0000003F,00000000,?), ref: 00C6BC36
_free.LIBCMT ref: 00C6BD4B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 82a52de488806b1b8882d9451645e762fe91b65245b27d988027e19e35a2c262
Instruction ID: 444dbcb292cb047bcee3d105cc88fc2b84b9d3ed0a2bcc26762162f20025fecd
Opcode Fuzzy Hash: 82a52de488806b1b8882d9451645e762fe91b65245b27d988027e19e35a2c262
Instruction Fuzzy Hash: 33C1E575A04205AFDB349F7988C1BAEBBB9EF41350F1441AAE4A4D7252EB309F81DB50

Function 00C9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9D481
FindClose.KERNEL32(00000000), ref: 00C9D498
FindClose.KERNEL32(00000000), ref: 00C9D4A1

Strings

\*.*, xrefs: 00C9D3F2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction ID: 912bf9d1bd0d2ed7e7e8a8cecbd7fc6310c662e1c171ffe7546d1395e63db35f
Opcode Fuzzy Hash: 11c31d4e7428f38cab0ee553f25d736f9c739ba44c062d4075a13e1ca79e0f49
Instruction Fuzzy Hash: 26316E710183859BC704EF64D8959AFB7A8AE91314F444E1DF4E6A31A1EB30AA09DB63

Function 00C6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C6E645

Strings

1#INF, xrefs: 00C6F852
1#QNAN, xrefs: 00C6F84B
1#SNAN, xrefs: 00C6F844
1#IND, xrefs: 00C6F83D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction ID: 8e118b7cfbca4355724f648e610ca9696a7ecf25a45fc1fbe25829ddfd9b84b0
Opcode Fuzzy Hash: 26d28540a205294ee9ff2d8ead1c11f4a2b3415d95cb1da93d8d39d8c1892a91
Instruction Fuzzy Hash: 09C25D75E086288FDB35CE28DD807EAB7B5EB49305F1441EAD85DE7241E774AE828F40

Function 00CA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA64DC
CoInitialize.OLE32(00000000), ref: 00CA6639
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA6650
CoUninitialize.OLE32 ref: 00CA68D4

Strings

.lnk, xrefs: 00CA64BA, 00CA6524, 00CA65E0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction ID: c53e9470c0b6288a0bec416b908ae3e124527bc4c31f106821add060dba6e65f
Opcode Fuzzy Hash: ee39bca5d99eb3bc1c4dc48a42a2018cb9db4d637b01869ef973ba4769a3a1d3
Instruction Fuzzy Hash: 81D14871518301AFC314EF24C881E6BB7E9FF99708F04496DF5958B2A1EB70EA45CB92

Function 00CB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CB22E8

Part of subcall function 00CAE4EC: GetWindowRect.USER32(?,?), ref: 00CAE504

GetDesktopWindow.USER32 ref: 00CB2312
GetWindowRect.USER32(00000000), ref: 00CB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CB2355
GetCursorPos.USER32(?), ref: 00CB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB23DF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction ID: 400405644868166f56dad20541fcc8b0a4c9832968c6775080024181e5fe2d36
Opcode Fuzzy Hash: c80f3091de3b48d0dc4a86a3ff572cf71e15cd5a8c5b3abeafbe2ae6a1b58e7f
Instruction Fuzzy Hash: 5531EF72504315ABCB20DF54C848F9BB7EDFF88310F000919F899971A1DB34EA08CB92

Function 00CA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CA9C8B

Part of subcall function 00CA3874: GetInputState.USER32 ref: 00CA38CB
Part of subcall function 00CA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CA9C75

Strings

*.*, xrefs: 00CA9B5D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction ID: 90e38e5eab3ebcfd9358e3f4bbe35d881489415652d7324842ebcd7d63280205
Opcode Fuzzy Hash: c9a6ac3737eb10fa57b27077cb69567d9cc9dbd4dcdcc574f583f8ce1c40a802
Instruction Fuzzy Hash: 6041A37194460A9FCF14DFA4CC8ABEEBBB4EF06318F248055E815A2191EB309F85DF61

Function 00C4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C49A4E
GetSysColor.USER32(0000000F), ref: 00C49B23
SetBkColor.GDI32(?,00000000), ref: 00C49B36

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction ID: 8fb498c10ffcaf4e20de71fde263d2651e0637e71eac1ae2275b174208bb181d
Opcode Fuzzy Hash: 19559c6a15127461ae533dd316b55fd296a0a069ec2a5814a9f1ff7816ee54a2
Instruction Fuzzy Hash: 8BA11770108564BEE729AA2D9C88F7F2A9DFB42354B244309F422C66A1DA35DF01E379

Function 00CB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00CB185D
WSAGetLastError.WSOCK32 ref: 00CB1884
bind.WSOCK32(00000000,?,00000010), ref: 00CB18DB
WSAGetLastError.WSOCK32 ref: 00CB18E6
closesocket.WSOCK32(00000000), ref: 00CB1915

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction ID: d8656081d6c33dea3bdabf1552b691806f1d3e1a2f280d7c14cfdc1fcc37f5e6
Opcode Fuzzy Hash: 6cc04712c9b4f434900eea5261df457fae72fd284d0815a67ced42fae3963f3f
Instruction Fuzzy Hash: 7751C375A00200AFDB10AF24C8D6F6A77E5AB44718F58805CFA1AAF3D3C771AD41DBA1

Function 00CC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CC1CC0
IsWindowEnabled.USER32 ref: 00CC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CC1CDB
IsIconic.USER32 ref: 00CC1CE9
IsZoomed.USER32 ref: 00CC1CF7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction ID: b879912ef53daf0c859cc80cd9b0cd925d26ee08b324d9ea0d7b5540f667cb13
Opcode Fuzzy Hash: 48a4da1d833a20096058d7639f5550c3b481e547ae91488173fb6378d0aa45a3
Instruction Fuzzy Hash: FD217E317402105FD7218F1BC884F6A7BA5AF96325F1D805CE85A8B252C771D942CB90

Function 00C38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C3843C
VUUU, xrefs: 00C75DF0
VUUU, xrefs: 00C383FA
VUUU, xrefs: 00C383E8
ERCP, xrefs: 00C3813C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction ID: a4086a948c4f2a9066655de6980e0c89f716e178858833eb9e916f1744b734c5
Opcode Fuzzy Hash: 1334b0f2b2693b1262675bcd14d2bb32a7a7f5421d456ea108a00f2aef820fa2
Instruction Fuzzy Hash: AAA29071E1061ACBDF24CF59C9417AEB7B1BF54310F2481AAE829A7385DB709E85CF90

Function 00C9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C9AAAC
SetKeyboardState.USER32(00000080), ref: 00C9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C9AB88

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction ID: 08845d7284067b3250dd9d3504a6180eeb63ac237e611950607613207f2aadb9
Opcode Fuzzy Hash: e8312ac68e49e1ad7e3ff743f40a92acc91c97996e82af512d2b51ed30f9e5f8
Instruction Fuzzy Hash: 82314630A40248AFFF34CB69CC0DBFE7BA6AB44320F04421AF1A5921D0D7748A81D7E6

Function 00CACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CACE89
GetLastError.KERNEL32(?,00000000), ref: 00CACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CACEFE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction ID: 626dd01abfb36b3218e45270340fc438ab8b5f0606d08a9527d7d68e4445ad30
Opcode Fuzzy Hash: 7f2b1156f20d9bc3ab9ad0490ae7e66b28b4f4e7963135b3c4021e8e60092829
Instruction Fuzzy Hash: 3521BD75500306AFEB20CFA5C988BAA77F8EB11358F10442EE65692151EB70EE48DB94

Function 00C98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C982AA

Strings

(, xrefs: 00C982F0
|, xrefs: 00C982DA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 85e0e87e8445fb24456571419ec1556506b231ce6f7545034073929b2b1a62bd
Instruction ID: f14d614bede32793dd67e1769ac5bd79c20f40f6869435429abb67bc9963686b
Opcode Fuzzy Hash: 85e0e87e8445fb24456571419ec1556506b231ce6f7545034073929b2b1a62bd
Instruction Fuzzy Hash: 99324475A00605DFCB28CF59C484A6AB7F0FF48710B15C46EE5AADB3A1EB70E981CB40

Function 00CA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CA5D17
FindClose.KERNEL32(?), ref: 00CA5D5F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1adc0994fa59973c71f515cb6d591600cbe953c3bfd0ae492da07bd0df6bf267
Instruction ID: 3c2bfcb892d31285956a038e9bcaf61f8b319bbcfdd571de67da37dd86a23192
Opcode Fuzzy Hash: 1adc0994fa59973c71f515cb6d591600cbe953c3bfd0ae492da07bd0df6bf267
Instruction Fuzzy Hash: BD519C75A046029FC714CF28C494E9AB7E4FF4A328F14855DE9AA8B3A1CB30ED45CF91

Function 00C62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C62731

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction ID: a43acf1f06de243735044788ad7cc01bc2c088d722a64a1b4737d99535cfc7d0
Opcode Fuzzy Hash: 1e0c5cdaa9d9c9018ee5aa521da4a3add9821a272d78db04ba3f7599b1482750
Instruction Fuzzy Hash: C831B37491121CABCB21DF68DD89BDDBBB8AF08310F5041EAE81CA7261E7309F859F45

Function 00CA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CA5238
SetErrorMode.KERNEL32(00000000), ref: 00CA52A1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction ID: 38dad3f3b11e8565229805b857f96b091d6b35f7df94eb953854a84a3226fcb5
Opcode Fuzzy Hash: 2db74d651e4d6a4925f387b19fad454dc68eb17575d4841c9759b2ee546e7195
Instruction Fuzzy Hash: 46315A75A00509DFDB00DF95D884FADBBB4FF49318F088099E809AB3A2CB31E845CB90

Function 00C916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50668
Part of subcall function 00C4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9173A
GetLastError.KERNEL32 ref: 00C9174A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c633b95505f7d037231c3150ab901d48dd899eaf847e6c2bb802e58a5672dd6b
Instruction ID: a315a4bdd2490ec3831e76ebf65a3591f8e805b87a3d73b9ae7b3e47ff6e1826
Opcode Fuzzy Hash: c633b95505f7d037231c3150ab901d48dd899eaf847e6c2bb802e58a5672dd6b
Instruction Fuzzy Hash: 301191B2814305AFE7189F54ECCAE6AB7B9FF44714B24852EF45657641EB70BC428A20

Function 00C9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C9D650

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction ID: faafc4ac55dc0a4c8bca80dd4a27a3a32113350b93389912c21cc42d73979c6c
Opcode Fuzzy Hash: 2768affdd73bf55b2ffa1c06bef544f1928fdc31ea74dc4eddf83af7eaf98eec
Instruction Fuzzy Hash: 22118E71E01228BFDB108F95EC88FAFBBBCEB45B60F108115F918F7290C2704A018BA1

Function 00C91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C916A1
FreeSid.ADVAPI32(?), ref: 00C916B1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction ID: b5326772929f73a584ee4c00fe9ab7bba2de5c74c85fc9e28af3706742892ed1
Opcode Fuzzy Hash: df95b5d3ba38f97991a9a5ba3ad475ac498412397410125119cc5b1a4586e270
Instruction Fuzzy Hash: AAF0F471950309FBDF00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA448A54

Function 00C6C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00C6C36C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3f60c5495f715f77d7b73f64987365ceda519b2d4210a4d076e2f82f58edf277
Instruction ID: dfc272ddacb0d0121f4e510800be225a2b855169285ada2e122adb25bd92868a
Opcode Fuzzy Hash: 3f60c5495f715f77d7b73f64987365ceda519b2d4210a4d076e2f82f58edf277
Instruction Fuzzy Hash: 7F413676900219ABCB349FB9CCC8EBB77B8EB84314F1042A9F955C7290E6309E81CB50

Function 00C8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C8D28C

Strings

X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction ID: 7a0fd52630d0927456032b315873476880dd4d0abe0e452a7b500e0ded48764f
Opcode Fuzzy Hash: 9c762bf99b59f10fa75ce19e409a1f64f8c70ca56c71fe3180b2bb096111bfa9
Instruction Fuzzy Hash: 31D0C9B480111DEACB90DB90ECC8EDDB77CBB04305F100191F106A2040D73095488F10

Function 00C5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7e0f3c2bfa45d1ee8fa32d049a49d368d9e2c55044db4c5ce44fc5035c6868a6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CA021C75E002199FDF14CFA9C8C06ADBBF1EF48315F25826AD829E7380D731AA45CB94

Function 00CA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CA6918
FindClose.KERNEL32(00000000), ref: 00CA6961

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction ID: 3a0dd52f770706c6df0028b219e6dcb61f4ff0b9547a697a2c197956a9e98e5b
Opcode Fuzzy Hash: 9fbdaab7c8e54dc23aea5b04032cb7c0de971e383201ee38fb21b515133959d0
Instruction Fuzzy Hash: 691190756142019FC710DF69D4C8A1ABBE5FF89328F18C699E4698F7A2CB30EC05CB91

Function 00CA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CB4891,?,?,00000035,?), ref: 00CA37F4

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction ID: bfcbc2d38f66744642b08d3c5a82970ef6471c82f2b06e02b5f716815aa44271
Opcode Fuzzy Hash: adcd0becdc0e4d65479e7bc7328cf99a74e0af65872578629f292cb487efa646
Instruction Fuzzy Hash: 30F0E5B17043292AE72057A69C8DFEB3AAEEFC5765F000165F509D22D1D9A09904C6B0

Function 00C9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C9B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00C9B270

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction ID: a061a4573e2f08a6a0b54b7bc0f1dcc4a62c021e771b9e0f0255b7ae5e66235d
Opcode Fuzzy Hash: 4e1769ec42bce2317eb77d17681fcc4b81f667d6d606c9706da483495ceb419e
Instruction Fuzzy Hash: 40F01D7180424EABDF059FA1D849BAE7BB4FF04305F00801AF965A5192C37996119F94

Function 00C910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C911FC), ref: 00C910D4
CloseHandle.KERNEL32(?,?,00C911FC), ref: 00C910E9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cd896ca630f18e8391b375c5c74c2e072c750c51f3d5b6cb305821597bd2301a
Instruction ID: 5abb3359b0f96b21fdd7361cc147e233e661537826719ed40d41d342d1543bd8
Opcode Fuzzy Hash: cd896ca630f18e8391b375c5c74c2e072c750c51f3d5b6cb305821597bd2301a
Instruction Fuzzy Hash: 3BE0BF72014651AEE7252B51FC49F7777A9FB04321B14882DF5A6804B1DB62AC91EB50

Function 00C3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C80C40

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 669db810c69ddc749bae9a4bd336bd39484dc8ea0a81406ac5a4154d71bfe4e0
Instruction ID: 8b870baed2aa72c65dafceffa43cdbd44640c8b4b75798b7a4b1c82d992c876a
Opcode Fuzzy Hash: 669db810c69ddc749bae9a4bd336bd39484dc8ea0a81406ac5a4154d71bfe4e0
Instruction Fuzzy Hash: 4632AD34920218DBCF14EF94D8C5BEDB7B5BF08308F244069E816BB292D735AE49DB61

Function 00C6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C66766,?,?,00000008,?,?,00C6FEFE,00000000), ref: 00C66998

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction ID: a11760153e740219a5f3887fea6af427b543f26858021b3f0c974d88227e01dd
Opcode Fuzzy Hash: fc573107e1ff50a94afbb4627ee56d86e95fb4f5ee4ff98110857f5d6c272fcb
Instruction Fuzzy Hash: D5B10B716106099FD725CF28C4C6B657BE0FF45368F258658E8A9CF2A2C735EA91CB40

Function 00C4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C8851F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction ID: 42f2d55abe1d1e94ba59b680a1d4a46932ad957d1d1fc90b7812402fd115c629
Opcode Fuzzy Hash: 5247f5399b5ba632f2cef3dea32582a263974da7957720b9931830a713e50e4f
Instruction Fuzzy Hash: CB126E719002299BDB24DF59C880AEEB7F5FF48310F54819AE849EB251DB30DE85DF94

Function 00CAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CAEABD

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction ID: 7c68ec8407bd084c9e59d3a9a6a81f0b54d8105698baef41ed2074199e2a5641
Opcode Fuzzy Hash: 0f65881710ccc08439cc2bceca86b25e781a034761341585089f68e052e09447
Instruction Fuzzy Hash: F1E04F362102059FC710EF5AD844E9AFBE9AF99764F00841AFD49DB351DB70EC409B90

Function 00C509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C503EE), ref: 00C509DA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction ID: 33caccf2bd8d2aaab26b858305ba9659f2c99387ca15dfa7a4cc4f550007fe82
Opcode Fuzzy Hash: de11f30a421806d52a60ebbce604578256c5f066e54c39db4ab014a8796e32c2
Instruction Fuzzy Hash:

Function 00C5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C5798B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1986b509d04622fc88b2e319ecd962d18c20ebb083548df47dec8106570e57bb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3F51696D60C6055BDB384569A95D7BE23899B12303F180709DCA2FB2C2C615DFCDE36E

Function 00C66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction ID: 7d9de333c31d5a80e375f64ad5cff8984bf307eb59f572b6070495226bd1f563
Opcode Fuzzy Hash: fbd51be2846ba9b45df43ee43222c868d0409dbe9c319251488080b408cef5c1
Instruction Fuzzy Hash: D4320422D2AF414DD7239634CC62339A749AFB73C9F15DB37E82AB5DA5EB29C5834100

Function 00C4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction ID: 0c6713bb3590a92ebc28e42a9f74d088fc3ad5eda76e09d3f83ce68fee69181c
Opcode Fuzzy Hash: c613124ffe8047933fe6889796e7c217bf92a8ce0b0c0f579caa8ea016909555
Instruction Fuzzy Hash: 6F323831A001558BCF28EF2DC4D46BD77A1FF45308F28856AD56ADB2A1D330DE81EB69

Function 00C37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c570ce9804feb7066e8672a0b4e4110b048de3974c0f15f8ad6e8c7c48494a
Instruction ID: 99f39b8aa88ad5b87c93271d462084c025984f9bbf2a5636d25bdd582a773279
Opcode Fuzzy Hash: f9c570ce9804feb7066e8672a0b4e4110b048de3974c0f15f8ad6e8c7c48494a
Instruction Fuzzy Hash: 9522C3B0A04609DFDF14CF65C881AAEB7F5FF44300F208629E816E72A1EB75AE55DB50

Function 00C391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1414e4f88224534ccd907326054359ddfc825ad1477ff208548028126c7155f1
Instruction ID: 41b8aa9b5011852da5ccb5e40b4ae271269796f2f6c9dab7759ef2f658e72c4e
Opcode Fuzzy Hash: 1414e4f88224534ccd907326054359ddfc825ad1477ff208548028126c7155f1
Instruction Fuzzy Hash: 0002D7B1E10205EBCB05DF55D881AAEBBB1FF48300F108169E81A9B290EB71EE55DB95

Function 00C69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction ID: 1f790d89480d3f25e874ea2848c21863b7d18efed61fd68bf662a3c114d77f08
Opcode Fuzzy Hash: 94de0200a4f8b1eea1c05909d982efa8bd802c88eb3b62073f0b015f62aa772e
Instruction Fuzzy Hash: 0DB1F120D2AF814DC3239639897133AB75CAFBB6D5F91D31BFC2674D62EB2286834141

Function 00C57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction ID: a7a047fe7188a04d4b1c7f164a2fc66da8709257784051b5555166f6c1bd9a3c
Opcode Fuzzy Hash: e6f318c20050a19d7bd96bfa08b88bc01cd88272bb019be704881c7cfe4e5a71
Instruction Fuzzy Hash: 5461773C60830957EE349A28B899BBE2384DF41703F141B19EC53DB281DA11AFCEA35D

Function 00C57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction ID: f6d8344e51e3b0fa874393910b1e7b051b446a5657f1bf36d38d44e2bb5b0774
Opcode Fuzzy Hash: 491290d893089b78657c299bc054a9f0e07c55325e35fac0a1a47e00b974b6b3
Instruction Fuzzy Hash: 7F616D7D2087095ADE344A287856BBF23A4DF41703F100B59EC53DB281EA529FCE925D

Function 00CA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction ID: 0af34ae44d9ea5f02ce21d44717716aeb9b7212aa057300e84f7f6dc497c8e2c
Opcode Fuzzy Hash: 18e91d2f2bcec35446d52ee00e4f82563b572145f1a56670e2256e9f96414411
Instruction Fuzzy Hash: EE21E7322216118BD728CF79C82377E77E5AB54314F14862EE4A7C33D0DE3AAA04CB90

Function 00CB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB2B30
DeleteObject.GDI32(00000000), ref: 00CB2B43
DestroyWindow.USER32 ref: 00CB2B52
GetDesktopWindow.USER32 ref: 00CB2B6D
GetWindowRect.USER32(00000000), ref: 00CB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2CF8
GetClientRect.USER32(00000000,?), ref: 00CB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D80
GlobalLock.KERNEL32(00000000), ref: 00CB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DA8
GlobalFree.KERNEL32(00000000), ref: 00CB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CCFC38,00000000), ref: 00CB2DDB
GlobalFree.KERNEL32(00000000), ref: 00CB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB303F

Strings

, xrefs: 00CB2FC5
DISPLAY, xrefs: 00CB2EA2
AutoIt v3, xrefs: 00CB2CF2
static, xrefs: 00CB2D3A, 00CB2E91

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction ID: 6cebde7c9baeb297aec7842ad268323151d1850fa1831b9c4f4042cfab5ad802
Opcode Fuzzy Hash: 635ec1e4683893c236f2dd53ac1b6c41672dfaebddab3fd9f07188207011c8bd
Instruction Fuzzy Hash: 82025975900219AFDB14DFA4CD89FAE7BB9EF48311F048158F919AB2A1CB74ED01CB60

Function 00CC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CC712F
GetSysColorBrush.USER32(0000000F), ref: 00CC7160
GetSysColor.USER32(0000000F), ref: 00CC716C
SetBkColor.GDI32(?,000000FF), ref: 00CC7186
SelectObject.GDI32(?,?), ref: 00CC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC71C0
GetSysColor.USER32(00000010), ref: 00CC71C8
CreateSolidBrush.GDI32(00000000), ref: 00CC71CF
FrameRect.USER32(?,?,00000000), ref: 00CC71DE
DeleteObject.GDI32(00000000), ref: 00CC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CC7230
FillRect.USER32(?,?,?), ref: 00CC7262
GetWindowLongW.USER32(?,000000F0), ref: 00CC7284

Part of subcall function 00CC73E8: GetSysColor.USER32(00000012), ref: 00CC7421
Part of subcall function 00CC73E8: SetTextColor.GDI32(?,?), ref: 00CC7425
Part of subcall function 00CC73E8: GetSysColorBrush.USER32(0000000F), ref: 00CC743B
Part of subcall function 00CC73E8: GetSysColor.USER32(0000000F), ref: 00CC7446
Part of subcall function 00CC73E8: GetSysColor.USER32(00000011), ref: 00CC7463
Part of subcall function 00CC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
Part of subcall function 00CC73E8: SelectObject.GDI32(?,00000000), ref: 00CC7482
Part of subcall function 00CC73E8: SetBkColor.GDI32(?,00000000), ref: 00CC748B
Part of subcall function 00CC73E8: SelectObject.GDI32(?,?), ref: 00CC7498
Part of subcall function 00CC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
Part of subcall function 00CC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
Part of subcall function 00CC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bd4a030887e88cca5d68decb3ae1a4c5ac11c6c9bd44417262e4db80f799adae
Instruction ID: 5101c1bc06ac51c53b4f8e58ce2206f6ed38b1d135b2964ae64a90ad2a5bcd76
Opcode Fuzzy Hash: bd4a030887e88cca5d68decb3ae1a4c5ac11c6c9bd44417262e4db80f799adae
Instruction Fuzzy Hash: D9A18B72408301AFDB009F60DC88F6EBBA9FB89320F140B19F96A961A1D771E9459F51

Function 00CB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CB2900
GetClientRect.USER32(00000000,?), ref: 00CB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB2964
GetStockObject.GDI32(00000011), ref: 00CB2974
SelectObject.GDI32(00000000,00000000), ref: 00CB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2991
DeleteDC.GDI32(00000000), ref: 00CB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CB2A77
GetStockObject.GDI32(00000011), ref: 00CB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CB2A97

Strings

DISPLAY, xrefs: 00CB295A
msctls_progress32, xrefs: 00CB2A13
AutoIt v3, xrefs: 00CB28F8
static, xrefs: 00CB294F, 00CB2A71

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction ID: 9054f189cf9bb734ffd3f25c44ea9790bb842978c3331234f6bef34dcd8dea5b
Opcode Fuzzy Hash: e88b14bc90707006d071f30873d501f79aba64d1b1a4810584c256af9406dcb4
Instruction Fuzzy Hash: BFB14E75A10215AFEB14DFA9CC89FAE7BA9EB48710F004215F919E7290DB74ED40CBA4

Function 00CA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4AED
GetDriveTypeW.KERNEL32(?,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4BCA
SetErrorMode.KERNEL32(00000000,00CCCB68,?,\\.\,00CCCC08), ref: 00CA4D36

Strings

SATA, xrefs: 00CA4CD0
PhysicalDrive, xrefs: 00CA4B76
Network, xrefs: 00CA4C02
SAS, xrefs: 00CA4CC9
USB, xrefs: 00CA4CB4
Fixed, xrefs: 00CA4C09
CDROM, xrefs: 00CA4BFB
FileBackedVirtual, xrefs: 00CA4CEC
\\.\, xrefs: 00CA4B3F
Fibre, xrefs: 00CA4CAD
ATA, xrefs: 00CA4C98
Virtual, xrefs: 00CA4CE5
SCSI, xrefs: 00CA4C8A
iSCSI, xrefs: 00CA4CC2
SSD, xrefs: 00CA4C4A
RAMDisk, xrefs: 00CA4BF4
Unknown, xrefs: 00CA4BED, 00CA4C83
1394, xrefs: 00CA4C9F
Removable, xrefs: 00CA4C10, 00CA4C15
MMC, xrefs: 00CA4CDE
RAID, xrefs: 00CA4CBB
SSA, xrefs: 00CA4CA6
ATAPI, xrefs: 00CA4C91

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction ID: cadd76c1e48a61d4bfff32810608a569ba8f43d407bbea03b51c8ed99cb24cfd
Opcode Fuzzy Hash: c2d0d99a98d57218e1c1537e9d78431cae42350f317c0eb87aee2b5108af1d10
Instruction Fuzzy Hash: EE61C43060520BDBCB4CDF25CA81D7C77B0EB8635CB248425F90AAB691DBB1DE41EB52

Function 00CC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CC7421
SetTextColor.GDI32(?,?), ref: 00CC7425
GetSysColorBrush.USER32(0000000F), ref: 00CC743B
GetSysColor.USER32(0000000F), ref: 00CC7446
CreateSolidBrush.GDI32(?), ref: 00CC744B
GetSysColor.USER32(00000011), ref: 00CC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CC7471
SelectObject.GDI32(?,00000000), ref: 00CC7482
SetBkColor.GDI32(?,00000000), ref: 00CC748B
SelectObject.GDI32(?,?), ref: 00CC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CC7572
DrawFocusRect.USER32(?,?), ref: 00CC757D
GetSysColor.USER32(00000011), ref: 00CC758E
SetTextColor.GDI32(?,00000000), ref: 00CC7596
DrawTextW.USER32(?,00CC70F5,000000FF,?,00000000), ref: 00CC75A8
SelectObject.GDI32(?,?), ref: 00CC75BF
DeleteObject.GDI32(?), ref: 00CC75CA
SelectObject.GDI32(?,?), ref: 00CC75D0
DeleteObject.GDI32(?), ref: 00CC75D5
SetTextColor.GDI32(?,?), ref: 00CC75DB
SetBkColor.GDI32(?,?), ref: 00CC75E5

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b6fcb763afe55e36d2d7f53680e1308782819a95f09f54b70a623bb466f3b255
Instruction ID: dd2ff192614e34f33b1cc0d4566f3db5828cc1d24cb62a813b1d31cba26d364e
Opcode Fuzzy Hash: b6fcb763afe55e36d2d7f53680e1308782819a95f09f54b70a623bb466f3b255
Instruction Fuzzy Hash: 23613B72904218AFDF019FA4DC89FEEBFB9EB08320F154215F915AB2A1D7759A40DF90

Function 00CC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC1128
GetDesktopWindow.USER32 ref: 00CC113D
GetWindowRect.USER32(00000000), ref: 00CC1144
GetWindowLongW.USER32(?,000000F0), ref: 00CC1199
DestroyWindow.USER32(?), ref: 00CC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CC1245
IsWindowVisible.USER32(00000000), ref: 00CC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CC12D0
GetWindowRect.USER32(00000000,?), ref: 00CC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CC1328
CopyRect.USER32(?,?), ref: 00CC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CC13AA

Strings

(, xrefs: 00CC131B
tooltips_class32, xrefs: 00CC11E6
0, xrefs: 00CC10D3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction ID: 9f3d35d78ef0d77ec14900378caf231cb2d21ac72a189f33305bb5ddc2832f85
Opcode Fuzzy Hash: 56f8a30a3e3c9f0a0535b36e05a32da034616b68eacd501ce1585f95a4f60f15
Instruction Fuzzy Hash: E2B18871608341AFD710DF65C884F6EBBE4EF89314F04891CF9999B2A2C771E845DB92

Function 00CC0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC02E5
_wcslen.LIBCMT ref: 00CC031F
_wcslen.LIBCMT ref: 00CC0389
_wcslen.LIBCMT ref: 00CC03F1
_wcslen.LIBCMT ref: 00CC0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CC04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CC0504

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

Part of subcall function 00C9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C92258
Part of subcall function 00C9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C9228A

Strings

SELECTINVERT, xrefs: 00CC057E
SELECTALL, xrefs: 00CC0515
GETSELECTEDCOUNT, xrefs: 00CC0470, 00CC048B
ISSELECTED, xrefs: 00CC04DD
GETSELECTED, xrefs: 00CC05E1
DESELECT, xrefs: 00CC059C
SELECTCLEAR, xrefs: 00CC052D
GETSUBITEMCOUNT, xrefs: 00CC0384, 00CC039F
SELECT, xrefs: 00CC0548
VIEWCHANGE, xrefs: 00CC0675
GETITEMCOUNT, xrefs: 00CC0316, 00CC0337
FINDITEM, xrefs: 00CC0627
GETTEXT, xrefs: 00CC03EC, 00CC0407

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 66855da311e01684adfd79b4783016db4788506218b5510683c9d1f7fb62ac63
Instruction ID: 8ed45f422042d8228f22accf42f7f13b6eaea80d62773c0c48c7f70997627421
Opcode Fuzzy Hash: 66855da311e01684adfd79b4783016db4788506218b5510683c9d1f7fb62ac63
Instruction Fuzzy Hash: 47E18E31218301DBCB18DF24C591E2EB3E5BF98714F244A5CF9A69B2A1DB30EE45DB52

Function 00C48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C48968
GetSystemMetrics.USER32(00000007), ref: 00C48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C4899B
GetSystemMetrics.USER32(00000008), ref: 00C489A3
GetSystemMetrics.USER32(00000004), ref: 00C489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C48A5A
GetStockObject.GDI32(00000011), ref: 00C48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C48A81

Part of subcall function 00C4912D: GetCursorPos.USER32(?), ref: 00C49141
Part of subcall function 00C4912D: ScreenToClient.USER32(00000000,?), ref: 00C4915E
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000001), ref: 00C49183
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000002), ref: 00C4919D

SetTimer.USER32(00000000,00000000,00000028,00C490FC), ref: 00C48AA8

Strings

AutoIt v3 GUI, xrefs: 00C48A20

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 683ee98a772c8cd5a311f81a2ff9ee6bb3ed70eb5b68c7450c06bc11c0967e2c
Instruction ID: 4a6f14506e080131aad5e3064fc4186a79f556866b72c38f47c378dd709cb509
Opcode Fuzzy Hash: 683ee98a772c8cd5a311f81a2ff9ee6bb3ed70eb5b68c7450c06bc11c0967e2c
Instruction Fuzzy Hash: 94B17B35A00209AFDB14DFA8DC85FAE3BB5FB48314F104229FA19E7290DB74A941CF65

Function 00C90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
Part of subcall function 00C910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
Part of subcall function 00C910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
Part of subcall function 00C910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
Part of subcall function 00C910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C90E29
GetLengthSid.ADVAPI32(?), ref: 00C90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C90E96
GetLengthSid.ADVAPI32(?), ref: 00C90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C90EB5
HeapAlloc.KERNEL32(00000000), ref: 00C90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C90EDD
CopySid.ADVAPI32(00000000), ref: 00C90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F6E
HeapFree.KERNEL32(00000000), ref: 00C90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F7E
HeapFree.KERNEL32(00000000), ref: 00C90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C90F8E
HeapFree.KERNEL32(00000000), ref: 00C90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C90FA1
HeapFree.KERNEL32(00000000), ref: 00C90FA8

Part of subcall function 00C91193: GetProcessHeap.KERNEL32(00000008,00C90BB1,?,00000000,?,00C90BB1,?), ref: 00C911A1
Part of subcall function 00C91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C90BB1,?), ref: 00C911A8
Part of subcall function 00C91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C90BB1,?), ref: 00C911B7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction ID: c2e5371e303c79f073a1beab75f27eae9ee390506ecabe8d8fa281b0d4112f9e
Opcode Fuzzy Hash: a6c3e9dbf80e52bd969c5749c62dd5df4bf75261c9fb003e23ef2aeddb67ddef
Instruction Fuzzy Hash: 9F71597290020AAFDF20DFA5DC89FAEBBB8FF05301F244115F969A6191D731DA15CB60

Function 00CBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CCCC08,00000000,?,00000000,?,?), ref: 00CBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CBC5A4
_wcslen.LIBCMT ref: 00CBC5F4
_wcslen.LIBCMT ref: 00CBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CBC84D
RegCloseKey.ADVAPI32(?), ref: 00CBC881
RegCloseKey.ADVAPI32(00000000), ref: 00CBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CBC960

Strings

REG_QWORD, xrefs: 00CBC8C3
REG_DWORD, xrefs: 00CBC804
REG_BINARY, xrefs: 00CBC913
REG_EXPAND_SZ, xrefs: 00CBC5CD
REG_MULTI_SZ, xrefs: 00CBC6F5
REG_SZ, xrefs: 00CBC644

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3a5fe882e1e4ba221648093526c9a76e2c783d170a8da4977232572d8cc9e41a
Instruction ID: e2134fb8216e4bd626afbe9d5d0bcf1c48ca0380f6b683c1a6f93e6c0e99bf09
Opcode Fuzzy Hash: 3a5fe882e1e4ba221648093526c9a76e2c783d170a8da4977232572d8cc9e41a
Instruction Fuzzy Hash: B21277756042019FDB24DF24C881F6AB7E5EF88714F04895DF89A9B3A2DB31ED41DB81

Function 00CC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC09C6
_wcslen.LIBCMT ref: 00CC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC0A54
_wcslen.LIBCMT ref: 00CC0A8A
_wcslen.LIBCMT ref: 00CC0B06
_wcslen.LIBCMT ref: 00CC0B81

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

Part of subcall function 00C92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C92BFA

Strings

SELECT, xrefs: 00CC0D11
UNCHECK, xrefs: 00CC0D3E
EXPAND, xrefs: 00CC0BF8
GETTOTALCOUNT, xrefs: 00CC09F2, 00CC0A17
EXISTS, xrefs: 00CC0B7C, 00CC0B97
GETITEMCOUNT, xrefs: 00CC0C1E
COLLAPSE, xrefs: 00CC0B01, 00CC0B1C
GETSELECTED, xrefs: 00CC0C4E
CHECK, xrefs: 00CC0A85, 00CC0AA0
ISCHECKED, xrefs: 00CC0CE1
GETTEXT, xrefs: 00CC0C97

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction ID: 11386db4f2bf1042fbfb3f3e11522feb4bab24b2255985b349f6569000074858
Opcode Fuzzy Hash: 84f06513cb091a455e23d28e2d0b4d188075f3e19108142227ac2f8c38b26eff
Instruction Fuzzy Hash: 86E17975208301DFCB14DF29C451A2AB7E1BF98314F25895CF8A69B3A2D731EE45DB82

Function 00CBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
_wcslen.LIBCMT ref: 00CBC9F1
_wcslen.LIBCMT ref: 00CBCA68
_wcslen.LIBCMT ref: 00CBCA9E
_wcslen.LIBCMT ref: 00CBCAF9
_wcslen.LIBCMT ref: 00CBCB2F
_wcslen.LIBCMT ref: 00CBCB7F

Strings

HKCR, xrefs: 00CBCB29, 00CBCB2E
HKCC, xrefs: 00CBCBAC
HKEY_CURRENT_USER, xrefs: 00CBCBBD
HKLM, xrefs: 00CBCA98, 00CBCA9D
HKCU, xrefs: 00CBCBCE
HKEY_CLASSES_ROOT, xrefs: 00CBCAF3, 00CBCAF8
HKEY_LOCAL_MACHINE, xrefs: 00CBCA62, 00CBCA67
HKEY_USERS, xrefs: 00CBCBDF
HKEY_CURRENT_CONFIG, xrefs: 00CBCB79, 00CBCB7E
HKU, xrefs: 00CBCBF0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction ID: 7cc5d0b57ea01649b4bdd3cc86bce7bf9af79095d20dfdcb05307527f8695374
Opcode Fuzzy Hash: 469913f197a9500db99b9d9f723ebcc67d011b3e11173b4d4153ea324608358f
Instruction Fuzzy Hash: 9871E53261012A8BCF20DF7DCDD16FF3795AB60754F250529FC66AB284E631CE85A3A1

Function 00CC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC835A
_wcslen.LIBCMT ref: 00CC836E
_wcslen.LIBCMT ref: 00CC8391
_wcslen.LIBCMT ref: 00CC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CC5BF2), ref: 00CC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CC8501
FreeLibrary.KERNEL32(?), ref: 00CC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CC851D
DestroyIcon.USER32(?,?,?,?,?,00CC5BF2), ref: 00CC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CC8555

Strings

.icl, xrefs: 00CC8368
.dll, xrefs: 00CC83AB
.exe, xrefs: 00CC8388

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction ID: 5203741b909b12f6caa056c8c2acaf1bd56b4c8d4ec01d5dd403a17e5ad23da0
Opcode Fuzzy Hash: e3f6dc8ff0c469a3d13eff0e09aa687a833390c56e206ba7f5e5e11633c340d7
Instruction Fuzzy Hash: D461D071940219BEEB18DF64CC81FBF77A8BB08711F10460AF925D60D1DBB4AA94DBA0

Function 00C37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00C37847
#ce, xrefs: 00C378ED
#comments-end, xrefs: 00C378D9
#requireadmin, xrefs: 00C377FF
#cs, xrefs: 00C37873, 00C378C5
#OnAutoItStartRegister, xrefs: 00C37817
', xrefs: 00C75169
#pragma compile, xrefs: 00C377D3
Cannot parse #include, xrefs: 00C75279
", xrefs: 00C75153
#comments-start, xrefs: 00C3785F, 00C378B1
#include-once, xrefs: 00C3782F
Bad directive syntax error, xrefs: 00C7519A
Unterminated group of comments, xrefs: 00C7528C
#notrayicon, xrefs: 00C377E7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f28ca60f362bcc937ffc896f19cac551737231da7f322cfcdb24c3035ea78c64
Instruction ID: 6a9f4a18636b5f8bd5a7f700428570c447515f378418e211d61a0fdf4723834c
Opcode Fuzzy Hash: f28ca60f362bcc937ffc896f19cac551737231da7f322cfcdb24c3035ea78c64
Instruction Fuzzy Hash: 5D81F7B1A14605BBDF21AF60CC43FAE37B9AF15300F044128F919BA192EBB0DA55D791

Function 00CA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CA3EF8
_wcslen.LIBCMT ref: 00CA3F03
_wcslen.LIBCMT ref: 00CA3F5A
_wcslen.LIBCMT ref: 00CA3F98
GetDriveTypeW.KERNEL32(?), ref: 00CA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA4087

Strings

close cd wait, xrefs: 00CA4072
wait, xrefs: 00CA4044
open, xrefs: 00CA3F54, 00CA3F59
closed, xrefs: 00CA3F08, 00CA3F2D, 00CA3F46, 00CA3F7E, 00CA3F97
type cdaudio alias cd wait, xrefs: 00CA4001
close, xrefs: 00CA3EFE, 00CA3F18
open , xrefs: 00CA3FE5
set cd door , xrefs: 00CA4028

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d391b67710b1b969cd68da86d2fe955d079292079957041ebcffb79aad172026
Instruction ID: 2cc481fdd57dd083008584df9fbf4af4c8025b46b57e72a1f35ad009c1276116
Opcode Fuzzy Hash: d391b67710b1b969cd68da86d2fe955d079292079957041ebcffb79aad172026
Instruction Fuzzy Hash: 737102726142029FC710EF24C89187EB7F4EF95758F10492DF9A6932A1EB30EE45DB92

Function 00C95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C95A40
SetWindowTextW.USER32(?,?), ref: 00C95A57
GetDlgItem.USER32(?,000003EA), ref: 00C95A6C
SetWindowTextW.USER32(00000000,?), ref: 00C95A72
GetDlgItem.USER32(?,000003E9), ref: 00C95A82
SetWindowTextW.USER32(00000000,?), ref: 00C95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C95AC3
GetWindowRect.USER32(?,?), ref: 00C95ACC
_wcslen.LIBCMT ref: 00C95B33
SetWindowTextW.USER32(?,?), ref: 00C95B6F
GetDesktopWindow.USER32 ref: 00C95B75
GetWindowRect.USER32(00000000), ref: 00C95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C95BD3
GetClientRect.USER32(?,?), ref: 00C95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C95C2F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction ID: a4f4cb3037d4bdb7504dd43a6886a1b979323dfeabe8da0e404999edffe53442
Opcode Fuzzy Hash: 6d05d8ee6bf140cb1e6eb764f78fb797a6547f909143821014949f402c5e4166
Instruction Fuzzy Hash: 26716A31900B09AFDF21DFA9CE89FAEBBF5FF48704F104518E596A25A0D775AA40CB50

Function 00CAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00CAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00CAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00CAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00CAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00CAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00CAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00CAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00CAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00CAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00CAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00CAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00CAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00CAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00CAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00CAFECC
GetCursorInfo.USER32(?), ref: 00CAFEDC
GetLastError.KERNEL32 ref: 00CAFF1E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4cf43d7c8290e2657dd4c4aefb7f23c709008f6b02554eb86c07cf972f9c02a0
Instruction ID: cbc499ca9500d3a0e4751d30ff4de4fd323edc58e79fcc400a02bbabcbc89069
Opcode Fuzzy Hash: 4cf43d7c8290e2657dd4c4aefb7f23c709008f6b02554eb86c07cf972f9c02a0
Instruction Fuzzy Hash: F14151B0D0431A6EDB109FBA8C89D5EBFE8FF05354B54452AE11DE7281DB78A9018F91

Function 00C500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C500C6

Part of subcall function 00C500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D0070C,00000FA0,F5CDB0B6,?,?,?,?,00C723B3,000000FF), ref: 00C5011C
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50127
Part of subcall function 00C500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C723B3,000000FF), ref: 00C50138
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C5014E
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C5015C
Part of subcall function 00C500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C5016A
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C50195
Part of subcall function 00C500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C501A0

___scrt_fastfail.LIBCMT ref: 00C500E7

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

Strings

WakeAllConditionVariable, xrefs: 00C50162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C50122
kernel32.dll, xrefs: 00C50133
InitializeConditionVariable, xrefs: 00C50148
SleepConditionVariableCS, xrefs: 00C50154

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction ID: 4f34280b2d806b6c25027bc8bcfbf1ab8989643a1ce79c7b09b5aa032a4d63d3
Opcode Fuzzy Hash: 50fd9eee3b083fa8cbb3a74cb94fa06dbeeb8fc44ef2de8e4e689b1d8e4ac081
Instruction Fuzzy Hash: 3B21F637A44B106FE7115F64EC46F6E3794EB44B62F24013EFC0AE22D1DF7498858AA9

Function 00C930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9318D
_wcslen.LIBCMT ref: 00C931F8

Strings

NAME, xrefs: 00C93335, 00C93346
CLASS, xrefs: 00C93188, 00C931A5
TEXT, xrefs: 00C9347C
CLASSNN, xrefs: 00C931F3, 00C93204
REGEXPCLASS, xrefs: 00C93255, 00C93266
INSTANCE, xrefs: 00C93453

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction ID: 8a29a8d34c8af82206c5af37a696e839060b87af08869c0b0c46b5082daac922
Opcode Fuzzy Hash: d8f735499af96bb13076370ffe81d2b8986626fb3c2415605498672b0e7bb044
Instruction Fuzzy Hash: ABE11532A00556ABCF189FB8C8497FEFBB0BF44710F558129E966B7250DB30AF859790

Function 00CA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CCCC08), ref: 00CA4527
_wcslen.LIBCMT ref: 00CA453B
_wcslen.LIBCMT ref: 00CA4599
_wcslen.LIBCMT ref: 00CA45F4
_wcslen.LIBCMT ref: 00CA463F
_wcslen.LIBCMT ref: 00CA46A7

Part of subcall function 00C4F9F2: _wcslen.LIBCMT ref: 00C4F9FD

GetDriveTypeW.KERNEL32(?,00CF6BF0,00000061), ref: 00CA4743

Strings

ramdisk, xrefs: 00CA46F1
unknown, xrefs: 00CA4708
network, xrefs: 00CA469D, 00CA46A2
all, xrefs: 00CA4531, 00CA4536
removable, xrefs: 00CA45EA, 00CA45EF
fixed, xrefs: 00CA4635, 00CA463A
cdrom, xrefs: 00CA458F, 00CA4594

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction ID: 2d6a901c19548e8eb16380eea132014eb7ecdf774c494a155e1f8fddc7d7480b
Opcode Fuzzy Hash: 692e3f0ae7898b6c794ca578b6d2d42687f533bd562fdd449951804b8f0580d4
Instruction Fuzzy Hash: 6EB101716083029FC718DF28C890A6EB7E5AFE6728F10491DF4A6C7291D7B0DA44CB52

Function 00CB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CCCC08), ref: 00CB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CCCC08), ref: 00CB40F2
FreeLibrary.KERNEL32(00000000,?,00CCCC08), ref: 00CB413E
StringFromGUID2.OLE32(?,?,00000028,?,00CCCC08), ref: 00CB41A8
SysFreeString.OLEAUT32(00000009), ref: 00CB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CB42C8
SysFreeString.OLEAUT32(?), ref: 00CB42F2

Strings

GetModuleHandleExW, xrefs: 00CB40C7
kernel32.dll, xrefs: 00CB40B6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c8bd07759afaa24fcade4976c849396509d7b56c9bf6d38b5ac4e224deaec622
Instruction ID: d6ca829cb8234db067a1b1c1e9f0610b7534433fab4a9874e47aa350568d50df
Opcode Fuzzy Hash: c8bd07759afaa24fcade4976c849396509d7b56c9bf6d38b5ac4e224deaec622
Instruction Fuzzy Hash: 4D125B71A04115EFDB18DF94C884EAEB7B9FF45314F248098E9199B252C731EE46CFA0

Function 00C3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D01990), ref: 00C72F8D
GetMenuItemCount.USER32(00D01990), ref: 00C7303D
GetCursorPos.USER32(?), ref: 00C73081
SetForegroundWindow.USER32(00000000), ref: 00C7308A
TrackPopupMenuEx.USER32(00D01990,00000000,?,00000000,00000000,00000000), ref: 00C7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C730A9

Strings

0, xrefs: 00C3327D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction ID: 7ac9067b95b6bc76d64000c9ebb7fc3ec99d50a7217f553951810b15d77947fb
Opcode Fuzzy Hash: 86e1210e16a2be5542413234f31da9bfd8810f0fc3b377dd81d641aff786c6e3
Instruction Fuzzy Hash: DC712A30644255BFEB219F65CC89F9ABF64FF04364F208216F52CAA1E1C7B1AE10E750

Function 00CC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CC6DEB

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6E94
DestroyWindow.USER32(?), ref: 00CC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C30000,00000000), ref: 00CC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC6EFD
GetDesktopWindow.USER32 ref: 00CC6F16
GetWindowRect.USER32(00000000), ref: 00CC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CC6F4D

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

Strings

tooltips_class32, xrefs: 00CC6E58, 00CC6EDD
0, xrefs: 00CC6D98

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction ID: 76ee9ebe49d5602eaa908c164c00e03a62e4af4289d5797065fa148244d38cbd
Opcode Fuzzy Hash: c99b5b4ac5dd3bee9d8219a25d8ab36bd76fe9c489a7d56a5970c0d58103aad6
Instruction Fuzzy Hash: 42715674104344AFDB21CF58D988FAABBE9FF89304F04041EF9A987261C770AA46DF11

Function 00CC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

DragQueryPoint.SHELL32(?,?), ref: 00CC9147

Part of subcall function 00CC7674: ClientToScreen.USER32(?,?), ref: 00CC769A
Part of subcall function 00CC7674: GetWindowRect.USER32(?,?), ref: 00CC7710
Part of subcall function 00CC7674: PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CC9277
DragFinish.SHELL32(?), ref: 00CC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CC9371

Strings

@GUI_DRAGID, xrefs: 00CC92E9
@GUI_DROPID, xrefs: 00CC929E
@GUI_DRAGFILE, xrefs: 00CC9320

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction ID: 020658d3686902dbb057d85b468db9b898940ee03f963e76476b107bc2069cb5
Opcode Fuzzy Hash: 7c011850c6b0d6f1f58ee4c0b1f87c4eef0cf093adb5cffc5ef7bda533026bb0
Instruction Fuzzy Hash: E6614B71108301AFD705DF64DC89EAFBBE8EF89750F00092EF595932A1DB709A49DB62

Function 00CAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CAC5F0
InternetCloseHandle.WININET(00000000), ref: 00CAC5FB

Strings

, xrefs: 00CAC575

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction ID: e89be8476363def0bf6cc2548e9988027c9a9a1bcc68e3ecbe9994ad5bf2dc87
Opcode Fuzzy Hash: 6bc194396b1d907f85e3dac418b55320342b7ef98b0fb36b07d7345bf54ba828
Instruction Fuzzy Hash: E9513BB1500606BFDB219F65C9C8BAA7BFCEF09758F004419F95AD6610DB34EA44AB60

Function 00CC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CC8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85BA
GlobalLock.KERNEL32(00000000), ref: 00CC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CC85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CC85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CCFC38,?), ref: 00CC8611
GlobalFree.KERNEL32(00000000), ref: 00CC8621
GetObjectW.GDI32(?,00000018,?), ref: 00CC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CC8671
DeleteObject.GDI32(?), ref: 00CC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CC86AF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction ID: cf242096906c706a3e61995bfd5c5b7ecd9ae719addf02f72892983c59729dd8
Opcode Fuzzy Hash: 0a385d8aac2545fda91704f6cbc65997a9e2a1d337947c049f7a70ac2631d049
Instruction Fuzzy Hash: ED41F975600204AFDB119FA5DC88FAF7BB8FF89B11F144059F919E7260DB709A05DB60

Function 00CA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CA1502
VariantCopy.OLEAUT32(?,?), ref: 00CA150B
VariantClear.OLEAUT32(?), ref: 00CA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CA1657
VariantInit.OLEAUT32(?), ref: 00CA1708
SysFreeString.OLEAUT32(?), ref: 00CA178C
VariantClear.OLEAUT32(?), ref: 00CA17D8
VariantClear.OLEAUT32(?), ref: 00CA17E7
VariantInit.OLEAUT32(00000000), ref: 00CA1823

Strings

Default, xrefs: 00CA16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00CA1625

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a383ba8f1b3d8cd37c47c96d85e79eaa2009eafc04e1edcd24dfe9de0cf6f74d
Instruction ID: 7b9ced0b221c57a45316895c3523fbe373e255a57bbfd81c88b8adcc7e02c802
Opcode Fuzzy Hash: a383ba8f1b3d8cd37c47c96d85e79eaa2009eafc04e1edcd24dfe9de0cf6f74d
Instruction Fuzzy Hash: 5CD10131E0051AEBDB00DFA6D895B7DB7B5BF46708F18805AF846AB190DB30DD41EB61

Function 00CBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CBB80A
RegCloseKey.ADVAPI32(?), ref: 00CBB87E
RegCloseKey.ADVAPI32(?), ref: 00CBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBB922
FreeLibrary.KERNEL32(00000000), ref: 00CBB983
RegCloseKey.ADVAPI32(00000000), ref: 00CBB994

Strings

advapi32.dll, xrefs: 00CBB8ED
RegDeleteKeyExW, xrefs: 00CBB8FE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction ID: dea2e48b0fc18eff5d1116de37f29b419ae7b366078786e1134f2868f2b146ab
Opcode Fuzzy Hash: 318225d550eeb26c653eb313d1cd9f9bc2381ecac485b89361b1496e7e72a52f
Instruction Fuzzy Hash: F4C1AE34608201AFD714DF14C494F6ABBE5FF84318F14859CF4AA9B2A2CBB1ED45CB91

Function 00CB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CB25E8
CreateCompatibleDC.GDI32(?), ref: 00CB25F4
SelectObject.GDI32(00000000,?), ref: 00CB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CB26D0
SelectObject.GDI32(?,?), ref: 00CB26D8
DeleteObject.GDI32(?), ref: 00CB26E1
DeleteDC.GDI32(?), ref: 00CB26E8
ReleaseDC.USER32(00000000,?), ref: 00CB26F3

Strings

(, xrefs: 00CB268D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4fef38e3d3d77a6696798433e55e6efa7cd0f1280e4181f16351cbc42de313a3
Instruction ID: 13bb2c5c1c8ac15d1ae0df3bb9c554352918d6b23bee1783ee62439b74e455df
Opcode Fuzzy Hash: 4fef38e3d3d77a6696798433e55e6efa7cd0f1280e4181f16351cbc42de313a3
Instruction Fuzzy Hash: 6D61D1B5D00219EFCF14CFA8D984EAEBBB5FF48310F248529E959A7250D770A941DFA0

Function 00C6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C6DAA1

Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D659
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D66B
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D67D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D68F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6A1
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6B3
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6C5
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6D7
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6E9
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D6FB
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D70D
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D71F
Part of subcall function 00C6D63C: _free.LIBCMT ref: 00C6D731

_free.LIBCMT ref: 00C6DA96

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6DAB8
_free.LIBCMT ref: 00C6DACD
_free.LIBCMT ref: 00C6DAD8
_free.LIBCMT ref: 00C6DAFA
_free.LIBCMT ref: 00C6DB0D
_free.LIBCMT ref: 00C6DB1B
_free.LIBCMT ref: 00C6DB26
_free.LIBCMT ref: 00C6DB5E
_free.LIBCMT ref: 00C6DB65
_free.LIBCMT ref: 00C6DB82
_free.LIBCMT ref: 00C6DB9A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction ID: eee826972668ecf58427a70fe00f56ad8562f28018b539670f61034a27e73efc
Opcode Fuzzy Hash: 69b0585546c20d49acd7797c7c64bea47a01e4082ea58973f12c7821f2699c85
Instruction Fuzzy Hash: EC315A31B086049FEB35AA79E8C5B6A77E9FF80350F154419F46AD7192DA30AE80A720

Function 00C9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C9369C
_wcslen.LIBCMT ref: 00C936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C93797
GetClassNameW.USER32(?,?,00000400), ref: 00C9380C
GetDlgCtrlID.USER32(?), ref: 00C9385D
GetWindowRect.USER32(?,?), ref: 00C93882
GetParent.USER32(?), ref: 00C938A0
ScreenToClient.USER32(00000000), ref: 00C938A7
GetClassNameW.USER32(?,?,00000100), ref: 00C93921
GetWindowTextW.USER32(?,?,00000400), ref: 00C9395D

Strings

%s%u, xrefs: 00C93734

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction ID: 2c22fd02838c459ebb0cadc7b9b70d132df8d93048b011bce977b9986c14faf9
Opcode Fuzzy Hash: 5489698e083e11d5df696405c052089069ebe4c4657c4f65823a93b246f4d3d2
Instruction Fuzzy Hash: 3691D371204746AFDB19DF64C889FAAF7A8FF44350F008629F9A9C2190DB30EB55CB91

Function 00C94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C94994
GetWindowTextW.USER32(?,?,00000400), ref: 00C949DA
_wcslen.LIBCMT ref: 00C949EB
CharUpperBuffW.USER32(?,00000000), ref: 00C949F7
_wcsstr.LIBVCRUNTIME ref: 00C94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C94B20
GetWindowRect.USER32(?,?), ref: 00C94B8B

Strings

ThumbnailClass, xrefs: 00C94A6F, 00C94AF1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction ID: d3ea08fc8d8905f28c6b9fdf1ce2bed39dcea3660af7ad3d028d49678c9ddc0c
Opcode Fuzzy Hash: a827a6d108dca4ebeedd8323c92b8d5f57306076eeec27cff4b5111569f3e134
Instruction Fuzzy Hash: A991C0711082059FDF08DF14C989FAA77E8FF84315F048469FD999A196EB30EE46CBA1

Function 00CC8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC8D5A
GetFocus.USER32 ref: 00CC8D6A
GetDlgCtrlID.USER32(00000000), ref: 00CC8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CC8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CC8ECF
GetMenuItemCount.USER32(?), ref: 00CC8EEC
GetMenuItemID.USER32(?,00000000), ref: 00CC8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CC8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CC8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CC8FA1

Strings

0, xrefs: 00CC8E9F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 807c3ace2a507606aaaf4c3f88650606b91346a412b5e6e438997e724fb770b5
Instruction ID: b2cdb8c0f1286a858e8b89a41300138d79fe507564bff311c24ed14c42b6c3d8
Opcode Fuzzy Hash: 807c3ace2a507606aaaf4c3f88650606b91346a412b5e6e438997e724fb770b5
Instruction Fuzzy Hash: A281AC71508301AFDB10CF24D884FABBBE9FB88354F04095DF9A997291DB30DA09DBA1

Function 00C9BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D01990,000000FF,00000000,00000030), ref: 00C9BFAC
SetMenuItemInfoW.USER32(00D01990,00000004,00000000,00000030), ref: 00C9BFE1
Sleep.KERNEL32(000001F4), ref: 00C9BFF3
GetMenuItemCount.USER32(?), ref: 00C9C039
GetMenuItemID.USER32(?,00000000), ref: 00C9C056
GetMenuItemID.USER32(?,-00000001), ref: 00C9C082
GetMenuItemID.USER32(?,?), ref: 00C9C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9C145

Strings

0, xrefs: 00C9BF3D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: adf574502c489a7cc082b756855320d946d43659ec5e82e02f2d4e51b2f7d9e9
Instruction ID: 524f10aaedc03b00bcfdcc33144a1277458854515f79be525dc8ab134131631f
Opcode Fuzzy Hash: adf574502c489a7cc082b756855320d946d43659ec5e82e02f2d4e51b2f7d9e9
Instruction Fuzzy Hash: 4A617AB090024AAFDF11CF68DDCCFAEBBB8EB05344F144159E825A3292D735AE55DB60

Function 00C9DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C9DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C9DC46
_wcslen.LIBCMT ref: 00C9DC50
_wcsstr.LIBVCRUNTIME ref: 00C9DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C9DCBC

Strings

04090000, xrefs: 00C9DCF2
%u.%u.%u.%u, xrefs: 00C9DD9A
DefaultLangCodepage, xrefs: 00C9DD1F
StringFileInfo\, xrefs: 00C9DC8F
\VarFileInfo\Translation, xrefs: 00C9DCB4

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b4772e4145f775b3e32748cb4191ce42f829420165da1e67672da37340f84cbe
Instruction ID: 0480883967c16d3d184e483d9286c8372bcf4aec0836862dd0ec5d9acac08235
Opcode Fuzzy Hash: b4772e4145f775b3e32748cb4191ce42f829420165da1e67672da37340f84cbe
Instruction Fuzzy Hash: 5D4122329402047ADB14AB74DC8BFBF37BCEF46751F100069F906B6182EB749A01A7B9

Function 00CBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD48

Part of subcall function 00CBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CBCCAA
Part of subcall function 00CBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CBCCBD
Part of subcall function 00CBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CBCCCF
Part of subcall function 00CBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CBCD05
Part of subcall function 00CBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CBCCF3

Strings

advapi32.dll, xrefs: 00CBCCB8
RegDeleteKeyExW, xrefs: 00CBCCC9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction ID: fa53cd59e5fe6d5e09fdb61b7fa5e5f35d0438a2175404b85d78debcab95fb4e
Opcode Fuzzy Hash: 0a27f74ed5ca1acf784a192a1f7f61246ce1243d7057fd34cd188f1d91985056
Instruction Fuzzy Hash: 9E316C75901129BBDB208B65DCC8FFFBB7CEF55750F000169E91AE3240DB349B45AAA0

Function 00CA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA3D40
_wcslen.LIBCMT ref: 00CA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CA3E55
CloseHandle.KERNEL32(00000000), ref: 00CA3E60
CloseHandle.KERNEL32(00000000), ref: 00CA3E6B

Strings

\, xrefs: 00CA3D77
\??\%s, xrefs: 00CA3D5B
:, xrefs: 00CA3D82

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction ID: 191030bef1034a2b00bca88ae3a3e879205918733d48a1de4849519280b12f78
Opcode Fuzzy Hash: b7cb6275d13ac094cd05c5886aa317f173aef6f78bbb8084d52b48f6b9f8af06
Instruction Fuzzy Hash: E731D27291024AABDB219FA0DC89FEF37BCEF89754F1040B5F919D2060E77497848B24

Function 00C9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C9E6B4

Part of subcall function 00C4E551: timeGetTime.WINMM(?,?,00C9E6D4), ref: 00C4E555

Sleep.KERNEL32(0000000A), ref: 00C9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C9E727
SetActiveWindow.USER32 ref: 00C9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C9E773
Sleep.KERNEL32(000000FA), ref: 00C9E77E
IsWindow.USER32 ref: 00C9E78A
EndDialog.USER32(00000000), ref: 00C9E79B

Strings

BUTTON, xrefs: 00C9E719

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction ID: cd45e4e5db4f20501300cf2bd5c0f00cf099a4ee16faca958c57f6017ba471b9
Opcode Fuzzy Hash: bda0b6f8ea20c0f329bf1c20de3bd84b8f56ace7ad2b28b33bc27b1c9626d15b
Instruction Fuzzy Hash: D7215EB0200345AFEF00AFA1EDCEF3A3B69F764749B540425F519C26A1DB72AD50EB25

Function 00C9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C9EAA7

Strings

close PlayMe, xrefs: 00C9EA6E, 00C9EA9B
play PlayMe, xrefs: 00C9EAA2
alias PlayMe, xrefs: 00C9EA36
status PlayMe mode, xrefs: 00C9EA58
play PlayMe wait, xrefs: 00C9EA91
open , xrefs: 00C9EA0C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction ID: b2ad9aa8846fdd925e87f0fb17bae494919ba5015bcf1951e1d8e3d5fa05e3b5
Opcode Fuzzy Hash: b0420acd62008288cd3a8114bdadffc6833249f7c288e4369043f81bbc57c348
Instruction Fuzzy Hash: BE117731AA026D79DB50E762DC4AEFF6A7CEBD1B00F400439B511A20E1DEB05E05D6B1

Function 00C99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C9A012
SetKeyboardState.USER32(?), ref: 00C9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C9A09D
GetKeyState.USER32(000000A0), ref: 00C9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C9A0E3
GetKeyState.USER32(000000A1), ref: 00C9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C9A120
GetKeyState.USER32(00000011), ref: 00C9A12E
GetAsyncKeyState.USER32(00000012), ref: 00C9A157
GetKeyState.USER32(00000012), ref: 00C9A165
GetAsyncKeyState.USER32(0000005B), ref: 00C9A18E
GetKeyState.USER32(0000005B), ref: 00C9A19C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b366e4bff0fc7244a7be8572f4052602e90943ba67cb65f51dfecfc2688587f7
Instruction ID: 9383fb1b77909d0b3abae8524fe02377186379651d4ac595a565f011c3787643
Opcode Fuzzy Hash: b366e4bff0fc7244a7be8572f4052602e90943ba67cb65f51dfecfc2688587f7
Instruction Fuzzy Hash: 0451F9309047886AFF35DBA489197EEFFB49F12380F08859DD5D2571C2DA64AB4CC7A2

Function 00C95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C95CE2
GetWindowRect.USER32(00000000,?), ref: 00C95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C95D59
GetDlgItem.USER32(?,00000002), ref: 00C95D69
GetWindowRect.USER32(00000000,?), ref: 00C95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C95DCF
GetDlgItem.USER32(?,000003E9), ref: 00C95DDD
GetWindowRect.USER32(00000000,?), ref: 00C95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C95E31
GetDlgItem.USER32(?,000003EA), ref: 00C95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C95E67

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction ID: a23b49855374f0905aaa96abb56373b5d90a5e6a033e6d938e86348b6a4df9eb
Opcode Fuzzy Hash: a23af6f11acb98a5cb3107af1085130223c962fe5c48dcbea3d05fdc62233a81
Instruction Fuzzy Hash: B351FDB1A00605AFDF19CF68DE89FAEBBB5FB48300F148129F519E6690D7709E04CB50

Function 00C48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C48BE8,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48FC5

DestroyWindow.USER32(?), ref: 00C48C81
KillTimer.USER32(00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000,?), ref: 00C869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C48BBA,00000000), ref: 00C869D4
DeleteObject.GDI32(00000000), ref: 00C869E6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction ID: 197ab7981988fb35f231a276bf5f0e51a5e27fa3eb40c9d25cca7fc4bd757ba5
Opcode Fuzzy Hash: a8a17af914abd0d5fb7a0cdd059017995ac58551be6789ea833d69045c0d250d
Instruction Fuzzy Hash: AC618C34902710DFDB25EF15D988B2D77F1FB44316F144518E0669BAA0CB35AE88DFA4

Function 00C49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C49944: GetWindowLongW.USER32(?,000000EB), ref: 00C49952

GetSysColor.USER32(0000000F), ref: 00C49862

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction ID: 13fd49a9aabe7521d9e8e1066f1cdb4b776158fa37e8f11ffe84157187769deb
Opcode Fuzzy Hash: 4b4fc46e203b179a77553062c7493be83bcbc1587173817401f89a0215a93042
Instruction Fuzzy Hash: 91417C31504660AFDB209B3DDC88BBA3BA5FB56334F284615FAB6872E1D7319942DB10

Function 00C996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C99717
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99720

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C99742
LoadStringW.USER32(00000000,?,00C7F7F8,00000001), ref: 00C99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C99866

Strings

Line %d:, xrefs: 00C997A0
Error: , xrefs: 00C9981D
Line %d (File "%s"):, xrefs: 00C9978F
^ ERROR, xrefs: 00C997FB
%s (%d) : ==> %s: %s %s, xrefs: 00C9984A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction ID: 2c87e68857936f1da04da4370a909305c679038d0069cbe799e4a015b0a1a53b
Opcode Fuzzy Hash: 23c023c50eb66bef9d46d1a1da17cb0e511615602d56a40368edea724616a990
Instruction Fuzzy Hash: D5414D72800209AACF04FBE4DD86EEEB778EF55340F104069F605720A2EA756F49EB61

Function 00C906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9083C

Strings

\IPC$, xrefs: 00C90784
\CLSID, xrefs: 00C90724
SOFTWARE\Classes\, xrefs: 00C9070E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction ID: 7dedc0959c869c83bd11def9ffcc31dc4da1d9d5cf92b4523f1aafcb38fa028c
Opcode Fuzzy Hash: 4bcb7dd266ccbb47a800759242efbc356388b1cc36e988fd23d35f601107329e
Instruction Fuzzy Hash: 1B411572C10229AFCF15EBA4DC89DEDB7B8FF44350F144129E915A31A0EB709E05DBA0

Function 00CC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CC403B
CreateCompatibleDC.GDI32(00000000), ref: 00CC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CC4055
SelectObject.GDI32(00000000,00000000), ref: 00CC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CC4068
DeleteDC.GDI32(00000000), ref: 00CC4072
GetWindowLongW.USER32(?,000000EC), ref: 00CC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CC409E

Strings

static, xrefs: 00CC3FD3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: bf294800ee8b11a80fde9f577498b3977a228534a8742338381ff2ed808e4c81
Instruction ID: 432f7f510a131006598d80f5f9b2aef46a974dda496ccd15d66cb75ef7b709d4
Opcode Fuzzy Hash: bf294800ee8b11a80fde9f577498b3977a228534a8742338381ff2ed808e4c81
Instruction Fuzzy Hash: B4317A32540219ABDF219FA8DC49FDE3BA8FF0D320F004219FA29E61A0C775D951DBA0

Function 00CB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB3C5C
CoInitialize.OLE32(00000000), ref: 00CB3C8A
CoUninitialize.OLE32 ref: 00CB3C94
_wcslen.LIBCMT ref: 00CB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CB3F0E
CoGetObject.OLE32(?,00000000,00CCFB98,?), ref: 00CB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB3FC4
VariantClear.OLEAUT32(?), ref: 00CB3FD8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction ID: 7082f2b46015d4fd7cf0acfeaf525fbc880c67e9030293b1d5b7908681b7e5f9
Opcode Fuzzy Hash: f1a7e4330351e7c5705c123fb1cfe3e17fbb1d9379a5d12bf4d77846513c18be
Instruction Fuzzy Hash: EEC15571608341AFC700DF69C884A6BBBE9FF89748F10495DF98A9B250DB30EE45CB52

Function 00CA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CA7BA3
CoCreateInstance.OLE32(00CCFD08,00000000,00000001,00CF6E6C,?), ref: 00CA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CA7C74
CoTaskMemFree.OLE32(?,?), ref: 00CA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CA7D81
CoTaskMemFree.OLE32(00000000), ref: 00CA7DD6
CoUninitialize.OLE32 ref: 00CA7DDC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3cb58c310fe8631e1efc408e67cf67cd613ee96d574a973e82332ef0cb577e0c
Instruction ID: be05cf0ff53d5009b44717256cfc1eef7ce8effdd2602c997b484ce3e306c38e
Opcode Fuzzy Hash: 3cb58c310fe8631e1efc408e67cf67cd613ee96d574a973e82332ef0cb577e0c
Instruction Fuzzy Hash: C1C11C75A04109AFCB14DF64C888DAEBBF9FF49318F148599F81A9B261D730EE45CB90

Function 00CC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC5515
CharNextW.USER32(00000158), ref: 00CC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC55AC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction ID: 791242672ea3dd2d79083ade72438c1886f6ad25b1d93a92edfdfec76b46ebb3
Opcode Fuzzy Hash: 370f9ace6715d5b4ba07ea41870ef632ceed845b31aa95bb6915256223218a05
Instruction Fuzzy Hash: 96616C75904608AFDF10DF95CC84FFE7BB9EB09720F108189F925AA291D774AAC1DB60

Function 00C8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C8FB08
VariantInit.OLEAUT32(?), ref: 00C8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C8FBA1
VariantClear.OLEAUT32(?), ref: 00C8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBCC
VariantClear.OLEAUT32(?), ref: 00C8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8FBE9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction ID: 2d3dd3619af9f18c677900395bd8292e46f6b251ed13a8b97f3cc6642f441600
Opcode Fuzzy Hash: 4f6d7a007e31443de754eb99929acc1709b308507a85de97343dac3f75e906f7
Instruction Fuzzy Hash: 50414235A002199FCB04EF64D898EFEBBB9FF48354F008069E955A7261D730AA46DF94

Function 00C99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C99D22
GetKeyState.USER32(000000A0), ref: 00C99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C99D57
GetKeyState.USER32(000000A1), ref: 00C99D6C
GetAsyncKeyState.USER32(00000011), ref: 00C99D84
GetKeyState.USER32(00000011), ref: 00C99D96
GetAsyncKeyState.USER32(00000012), ref: 00C99DAE
GetKeyState.USER32(00000012), ref: 00C99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C99DD8
GetKeyState.USER32(0000005B), ref: 00C99DEA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction ID: 634897ceb85ba9b3a9bbaf558ab7f8a794f2690b2476d20536f68626460cf8cf
Opcode Fuzzy Hash: 1c74b527f0d64dcb9cb84e5920d708db85869799362a3462838b7aa914086f2c
Instruction Fuzzy Hash: 6941A6345047C969FF319668C88C7B5BEA0EF12344F08805EDAD6565C2EBB59BC8C7A2

Function 00CB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CB05BC
inet_addr.WSOCK32(?), ref: 00CB061C
gethostbyname.WSOCK32(?), ref: 00CB0628
IcmpCreateFile.IPHLPAPI ref: 00CB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CB07B9
WSACleanup.WSOCK32 ref: 00CB07BF

Strings

Ping, xrefs: 00CB0676

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 67876c55e09e10249ef77e4b3c68f54f8a5253353d2d30da0b1997e6d4fa382f
Instruction ID: ea73bba154a684358a0c7821facedc9d554d8750ce115a07785215523e52cd48
Opcode Fuzzy Hash: 67876c55e09e10249ef77e4b3c68f54f8a5253353d2d30da0b1997e6d4fa382f
Instruction Fuzzy Hash: 25916B756082019FD720DF15C888F5BBBE4BF48318F2485A9F46A9B6A2CB30ED45CF91

Function 00CB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CB8CF3

Part of subcall function 00C98E54: _wcslen.LIBCMT ref: 00C98E77

_wcslen.LIBCMT ref: 00CB8D4E
_wcslen.LIBCMT ref: 00CB8D9C
_wcslen.LIBCMT ref: 00CB8DDC
_wcslen.LIBCMT ref: 00CB8E6E

Strings

winapi, xrefs: 00CB8D96, 00CB8D9B
cdecl, xrefs: 00CB8D48, 00CB8D4D
stdcall, xrefs: 00CB8DD6, 00CB8DDB
none, xrefs: 00CB8E65, 00CB8E6A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction ID: ec01d7a3cd890be0ceef6f94f7070bce1e275f99bce6a199d0b1eceede1035fd
Opcode Fuzzy Hash: e53d062c54ed02d39b28b2ce7daee1ad639489be196a9b5e339a62368e197141
Instruction Fuzzy Hash: 0851AE35A041179BCF24DF68C9419FEB7A9BF65724F20422AE826E72C4DB30DE48D790

Function 00CB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CB3774
CoUninitialize.OLE32 ref: 00CB377F
CoCreateInstance.OLE32(?,00000000,00000017,00CCFB78,?), ref: 00CB37D9
IIDFromString.OLE32(?,?), ref: 00CB384C
VariantInit.OLEAUT32(?), ref: 00CB38E4
VariantClear.OLEAUT32(?), ref: 00CB3936

Strings

Failed to create object, xrefs: 00CB37E4, 00CB389A
NULL Pointer assignment, xrefs: 00CB381E
Invalid parameter, xrefs: 00CB3865

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f52c27187bdda15b9198c51dd9a1e9b1eb06d3e4ef86ee88483b1d369e7060b9
Instruction ID: 97a6344da60d176cca4b5b50050bafdf9f5eb1540332937f411beb00b3b5b348
Opcode Fuzzy Hash: f52c27187bdda15b9198c51dd9a1e9b1eb06d3e4ef86ee88483b1d369e7060b9
Instruction Fuzzy Hash: 1461CF70608351AFD710DF55C888FAABBE8EF48714F10491EF9959B291DB70EE48CB92

Function 00CA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CA33CF

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CA33F0

Strings

Error: , xrefs: 00CA34D1
Line %d (File "%s"):, xrefs: 00CA3443, 00CA345C
"%s" (%d) : ==> %s:, xrefs: 00CA3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3504
Incorrect parameters to object property !, xrefs: 00CA34AB
^ ERROR , xrefs: 00CA349E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction ID: 3d073f2e510d12db7d98bfcb40ea612764e75f56e83c53f0275d3d3639323d2f
Opcode Fuzzy Hash: 442f52b83d57a283845c124303d6faf8170c369a0c3dbe683fcb5ffd50a2c934
Instruction Fuzzy Hash: FB518B7190024AAADF15EBE0CD56EEEB778EF05340F104065F509B21A2EB712F58EB61

Function 00C9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C9B5FC
_wcslen.LIBCMT ref: 00C9B608
_wcslen.LIBCMT ref: 00C9B64D
_wcslen.LIBCMT ref: 00C9B68C
_wcslen.LIBCMT ref: 00C9B6C7

Strings

REMOVE, xrefs: 00C9B602, 00C9B607
KEYS, xrefs: 00C9B647, 00C9B64C
EXISTS, xrefs: 00C9B686, 00C9B68B
APPEND, xrefs: 00C9B6C1, 00C9B6C6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction ID: 57f28d40c7966128c90c2e92c8754c11667e633b54f50be273618750fd6b6036
Opcode Fuzzy Hash: 52d64da1318188823130da9290ccdf7878160d2eb55dfdf8530628708b423e35
Instruction Fuzzy Hash: BA41E632A00026AACF146F7DDA955BEB7B5AFA0754B244229F435D7284E731EE81C790

Function 00CA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CA5416
GetLastError.KERNEL32 ref: 00CA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CA54A7

Strings

READY, xrefs: 00CA5460, 00CA5468
INVALID, xrefs: 00CA5459
READONLY, xrefs: 00CA5452
UNKNOWN, xrefs: 00CA5444
NOTREADY, xrefs: 00CA544B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction ID: 2484d8b41de93cde7e0d3760b48d266e907f163913f96ed06dcdbafd7f634a81
Opcode Fuzzy Hash: 4aa4d0da5c2feb1ed8adeef05baa8c87cdda347e6ebdd5f26311daea850380d7
Instruction Fuzzy Hash: FD31D275A0060A9FCB10DF69C484FAE7BB4EF1A309F18C065E515DB292D770DE82CB91

Function 00CC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CC3C79
SetMenu.USER32(?,00000000), ref: 00CC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3D10
IsMenu.USER32(?), ref: 00CC3D24
CreatePopupMenu.USER32 ref: 00CC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3D5B
DrawMenuBar.USER32 ref: 00CC3D63

Strings

F, xrefs: 00CC3D4E
0, xrefs: 00CC3C54

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction ID: 7a7539688dc4c70ee8a78f37cc5ed0e22eb297ae08912d25ca9309f1287f6995
Opcode Fuzzy Hash: b0e2b1b99f2dda3268184ab3cada5d7abee60550113e3c187200b861f607123e
Instruction Fuzzy Hash: 63414879A11209AFDB14CF64E888FAA7BB5FF49350F14402DF95AA7360D730AA10DF94

Function 00C91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C91F64
GetDlgCtrlID.USER32 ref: 00C91F6F
GetParent.USER32 ref: 00C91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91F8E
GetDlgCtrlID.USER32(?), ref: 00C91F97
GetParent.USER32(?), ref: 00C91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C91FAE

Strings

ListBox, xrefs: 00C91F21
ComboBox, xrefs: 00C91EEC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction ID: c40358af39ccde74ba1cb4fc16fd58bf777901f439eda89ff8f1c6a13e5c92bf
Opcode Fuzzy Hash: ef22336fff6a66b70e9404ce9c7c6b1a0b9125cf989537849a84ef898694d849
Instruction Fuzzy Hash: 8521D470A00218BBCF05AFA0DC89EFEBBB8EF05350F000115FA65A72D1CB755905DB60

Function 00C91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C92043
GetDlgCtrlID.USER32 ref: 00C9204E
GetParent.USER32 ref: 00C9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9206D
GetDlgCtrlID.USER32(?), ref: 00C92076
GetParent.USER32(?), ref: 00C9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9208D

Strings

ListBox, xrefs: 00C92002
ComboBox, xrefs: 00C91FCD

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f0ce066ef57fceaa2e106543e9920d1cebabdd129616cd62cfce714b2b6eeb16
Instruction ID: b68613a45392e40c7c73b562e6114c535da1d6aef3e0c1d03b5e4c4d30fa4032
Opcode Fuzzy Hash: f0ce066ef57fceaa2e106543e9920d1cebabdd129616cd62cfce714b2b6eeb16
Instruction Fuzzy Hash: B1219F75A00218BBCF10AFA0DC89FFEBBB8EF05340F005015FA95A72A1DA754915EB60

Function 00CC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CC3C13

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction ID: fa824d12b5febc66e699ecbbcb44c0d832a19d401e37f7db7aa60d7f6d01bbca
Opcode Fuzzy Hash: 10bf6cbdf3c068b93cae9f7ebf836893b92a69afa1e6e6ba18e204a49a3d4f1b
Instruction Fuzzy Hash: B2615775A00248AFDB10DFA8DC81FEE77B8EB09700F104199FA15E72A1D770AE45DB60

Function 00C62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C62C94

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C62CA0
_free.LIBCMT ref: 00C62CAB
_free.LIBCMT ref: 00C62CB6
_free.LIBCMT ref: 00C62CC1
_free.LIBCMT ref: 00C62CCC
_free.LIBCMT ref: 00C62CD7
_free.LIBCMT ref: 00C62CE2
_free.LIBCMT ref: 00C62CED
_free.LIBCMT ref: 00C62CFB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction ID: 19a5b3c5bf18948c0f89bb6d76a124afb027e18e9d058c24dc2c44a4402b58a0
Opcode Fuzzy Hash: 3b5824a33d81623762a14f5b6c6095dfd869ea30d0406d34fa10bc82d04fc148
Instruction Fuzzy Hash: A411C876600508BFCB16EF54D882CDD3BA5FF45390F4144A5FA489F232DA31EE50AB90

Function 00CA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CA80B0

Strings

*.*, xrefs: 00CA8066

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction ID: 739ebc4d9b67878f2bc7896a7fe67a25a66b7ad8f8a2b0f9e56af53c740b71ac
Opcode Fuzzy Hash: cb1c2bdc66b7512ca3ddf45a2f58c1fbeea41d39f3adca5797b8594c3cc922f2
Instruction Fuzzy Hash: B481C1725082429FCB20DF15C884AAEB3E8BF8A318F144D5EF895D7250EB34DE498B52

Function 00C35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C35C7A

Part of subcall function 00C35D0A: GetClientRect.USER32(?,?), ref: 00C35D30
Part of subcall function 00C35D0A: GetWindowRect.USER32(?,?), ref: 00C35D71
Part of subcall function 00C35D0A: ScreenToClient.USER32(?,?), ref: 00C35D99

GetDC.USER32 ref: 00C746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C74708
SelectObject.GDI32(00000000,00000000), ref: 00C74716
SelectObject.GDI32(00000000,00000000), ref: 00C7472B
ReleaseDC.USER32(?,00000000), ref: 00C74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C747C4

Strings

U, xrefs: 00C74693

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction ID: fb01aa279bc40e079f04e6260b744d9f757800b2ede3c68f386a5192dc9a66fd
Opcode Fuzzy Hash: 6af13b0a18038bf0e68e34f325aa0321de0c5f5709fe3e2f35d3036aee2a6676
Instruction Fuzzy Hash: 5F71D135400205DFCF298F64C984EBA7BB5FF4A354F148269FD699A2A6C3319E41DF60

Function 00CA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CA35E4

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

LoadStringW.USER32(00D02390,?,00000FFF,?), ref: 00CA360A

Strings

Error: , xrefs: 00CA36EF
Line %d (File "%s"):, xrefs: 00CA366B
"%s" (%d) : ==> %s:, xrefs: 00CA3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00CA3724
^ ERROR, xrefs: 00CA36C9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction ID: a3aedb8e3ccf35b47e553cd97afdd2d4b9976e96a5f3d77ca9fdb0c836629680
Opcode Fuzzy Hash: 0c009c2fe95bfb557fff55415f2c2df1363cd661d7a48cb80c61a1ea4d2a821e
Instruction Fuzzy Hash: 22518F7190024ABBCF14EBA0CD56EEDBB38EF05304F144125F105B21A1EB711B99EF61

Function 00CC8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

Part of subcall function 00C4912D: GetCursorPos.USER32(?), ref: 00C49141
Part of subcall function 00C4912D: ScreenToClient.USER32(00000000,?), ref: 00C4915E
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000001), ref: 00C49183
Part of subcall function 00C4912D: GetAsyncKeyState.USER32(00000002), ref: 00C4919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CC8B6B
ImageList_EndDrag.COMCTL32 ref: 00CC8B71
ReleaseCapture.USER32 ref: 00CC8B77
SetWindowTextW.USER32(?,00000000), ref: 00CC8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CC8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CC8CFF

Strings

@GUI_DROPID, xrefs: 00CC8C51
@GUI_DRAGFILE, xrefs: 00CC8C9A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b0f4ee6c960fd50161ae6181d097ab4fef6c99bdd51dbf6d7578a769faec2262
Instruction ID: 95aaf25f8ad3d618acaf518ca97476ef1ddbe269235248b21f4e67edb718b1ba
Opcode Fuzzy Hash: b0f4ee6c960fd50161ae6181d097ab4fef6c99bdd51dbf6d7578a769faec2262
Instruction Fuzzy Hash: CB514975104304AFD704DF24D896FAA77E4FB88714F40062DF9AAA72E1DB709A48DB62

Function 00CAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CAC2CA
GetLastError.KERNEL32 ref: 00CAC322
SetEvent.KERNEL32(?), ref: 00CAC336
InternetCloseHandle.WININET(00000000), ref: 00CAC341

Strings

, xrefs: 00CAC2BB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction ID: 0e0acfbe63e2b9c6c7ea69539c6ab7db945dcdd4a332cc93f4227f6f9a8384c6
Opcode Fuzzy Hash: dfc70eefbde7f983da328b653fa2bf12ab546d3cc9fa7e97b3e2d1df6a770b12
Instruction Fuzzy Hash: 6F318DB1501205AFDB219F65CCC8BAB7AFCEB4A748F14851EF45AD2210DB34DE459B60

Function 00C9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C73AAF,?,?,Bad directive syntax error,00CCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C998BC
LoadStringW.USER32(00000000,?,00C73AAF,?), ref: 00C998C3

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C99987

Strings

., xrefs: 00C9996D
Line %d:, xrefs: 00C99912
Line %d (File "%s"):, xrefs: 00C9992D
%s (%d) : ==> %s.: %s %s, xrefs: 00C998F1
Error: , xrefs: 00C99955

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction ID: b831a317822eb54da77459f7d4925c2c6fad4f4985a6e031821f12ccc69391e6
Opcode Fuzzy Hash: b3a459d137120f5138f1a16c69a1dfe6e9c88d4d271fae5c1a13a8bee22385f0
Instruction Fuzzy Hash: 5A217C3295021EABCF15EF90CC4AEEE7779FF18300F044469F619660A2EB719A18EB51

Function 00C9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C9214D

Strings

smallicons, xrefs: 00C92115
largeicons, xrefs: 00C920E1
details, xrefs: 00C920FB
list, xrefs: 00C9212F
SHELLDLL_DefView, xrefs: 00C920CC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction ID: 7822dcddb52bd253cb452f1599a9ef8174f66b58bc9591fd050a6e99f26e1964
Opcode Fuzzy Hash: 49b8ee0119ca6dbd753dbfda5924474fe902b13995090c38d368d66e58e5edcd
Instruction Fuzzy Hash: 67112C7A688706BAFE052220DC0FDFE379CCB04325F201026FB45A50D1FE619D956618

Function 00C68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction ID: b0cc3335abb296b2843dc711ad484b46156377a714f1b8340a3794825246207c
Opcode Fuzzy Hash: 2b93fcb73c07b1e4d906699e3df26494c4330d966db708230e4a75a6670ddf05
Instruction Fuzzy Hash: 2AC1E378904249AFCF21DFA8D881BADBFB4EF0D310F044159E925A7392CB349A46DB61

Function 00C6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C6CEB7
_free.LIBCMT ref: 00C6CF22
_free.LIBCMT ref: 00C6CF48
_free.LIBCMT ref: 00C6CF71
_free.LIBCMT ref: 00C6CFA9
_free.LIBCMT ref: 00C6CFDA
_free.LIBCMT ref: 00C6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C6D09C
_free.LIBCMT ref: 00C6D0B5

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e62fbf50954d7252bb017e216ca15171ea2f9787d7d9a8739f891671579dc736
Instruction ID: f7c2941e7035b1e8e7d540fb1f8769c955e8ecc9f18e4ed022b54bb17cd3c45c
Opcode Fuzzy Hash: e62fbf50954d7252bb017e216ca15171ea2f9787d7d9a8739f891671579dc736
Instruction Fuzzy Hash: B7612471A04301AFDB35AFF498C1B7A7BA5EF05360F08416DF995D7282DA329A0197B2

Function 00CC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CC5186
ShowWindow.USER32(?,00000000), ref: 00CC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CC51D1

Part of subcall function 00CC6FBA: DeleteObject.GDI32(00000000), ref: 00CC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CC5296

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6b36995c78112d93f0958f60fdaecd6a2bc3ba4d27a431ac2634c72c7faac99e
Instruction ID: c1a967ca3031439b0d5c0a4bfe02eca75e12bbfd7920225f7b139e1a0bc11450
Opcode Fuzzy Hash: 6b36995c78112d93f0958f60fdaecd6a2bc3ba4d27a431ac2634c72c7faac99e
Instruction Fuzzy Hash: 46519E34A50A08BEEF209F25CC4AF9D7BA5FB05325F584119F629962E1C775BAC0EB40

Function 00C48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C48874,00000000,00000000,00000000,000000FF,00000000), ref: 00C8692D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction ID: 34da6a89a5124219a16fbc3c576f8681dd7dcf6de42207e1bb8c60efb2cbc443
Opcode Fuzzy Hash: 4dc371066f7f3be7b99d0bc1e731d7ba40d7f7082103860ed31dd5653fb77fef
Instruction Fuzzy Hash: 25514570A00209AFDB20DF25CC95FAE7BB6FB58754F104518F96A972E0DB70AA90DB50

Function 00CAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CAC182
GetLastError.KERNEL32 ref: 00CAC195
SetEvent.KERNEL32(?), ref: 00CAC1A9

Part of subcall function 00CAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CAC272
Part of subcall function 00CAC253: GetLastError.KERNEL32 ref: 00CAC322
Part of subcall function 00CAC253: SetEvent.KERNEL32(?), ref: 00CAC336
Part of subcall function 00CAC253: InternetCloseHandle.WININET(00000000), ref: 00CAC341

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction ID: 4ceab9a97dc417c0065d889e10c9bca4950dfb6be2b11290a73c0e5e69e446dc
Opcode Fuzzy Hash: fa6d8246b56fa1d35527906a573df8b6eac7a92c286b5426202518df57e16044
Instruction Fuzzy Hash: 40319071200606AFDB219FA5DD84B6ABBF8FF1A304B04451DF96A82610D735E914EBA0

Function 00C925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C92627

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction ID: 62a9f704e459f6071e138aaf5f99a35c5603e4799d7e0e25f948423d147b3bbf
Opcode Fuzzy Hash: e839c8557cfc65523c4c1fba5b647fbd4e466591ad250cdd0a926b347d16cfb9
Instruction Fuzzy Hash: 1F01DF30790610BBFB206769DCCEF5D3F59DB4EB12F110001F358AE1E1C9E224549AAA

Function 00C91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C91449,?,?,00000000), ref: 00C9180C
HeapAlloc.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91828
GetCurrentProcess.KERNEL32(?,00000000,?,00C91449,?,?,00000000), ref: 00C91830
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C91449,?,?,00000000), ref: 00C91843
GetCurrentProcess.KERNEL32(00C91449,00000000,?,00C91449,?,?,00000000), ref: 00C9184B
DuplicateHandle.KERNEL32(00000000,?,00C91449,?,?,00000000), ref: 00C9184E
CreateThread.KERNEL32(00000000,00000000,00C91874,00000000,00000000,00000000), ref: 00C91868

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction ID: 4cc800479394be671c6f26c7db283c61982da70bd8b40e04fc29cf1160818493
Opcode Fuzzy Hash: 8ea98b84eac71af9aa10a0365c3d8882bc2e9f6c63bdb5aa1ad46298ab83cb3a
Instruction Fuzzy Hash: F901BFB5240344BFE710AB66DC8DF5F3B6CEB89B11F054411FA05DB1A1C674D810CB20

Function 00CBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C9D501
Part of subcall function 00C9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C9D50F
Part of subcall function 00C9D4DC: CloseHandle.KERNELBASE(00000000), ref: 00C9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA16D
GetLastError.KERNEL32 ref: 00CBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CBA268
GetLastError.KERNEL32(00000000), ref: 00CBA273
CloseHandle.KERNEL32(00000000), ref: 00CBA2C4

Strings

SeDebugPrivilege, xrefs: 00CBA18F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction ID: e34fdf879a09884743685ace708a8732bbca8014e7b9ca95b36301af1ee9e2a4
Opcode Fuzzy Hash: 1007a146c250d43938d9718f9635fc9da5796373056a9b424492afdb59c82f22
Instruction Fuzzy Hash: 8161A170204242AFD720DF19C4D4F59BBE1AF44318F18849CE4AA8BBA3C772ED45CB92

Function 00CC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CC3954
_wcslen.LIBCMT ref: 00CC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CC39F4

Strings

SysListView32, xrefs: 00CC38F7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction ID: aa22bc1aa69e10ce97a4ba0dee18609cff3bd93929d706304c1a74e0853c3911
Opcode Fuzzy Hash: 26173699170afc64ae0d2091c92976150c329ab56a0b2a98b9619ebc26c9cac6
Instruction Fuzzy Hash: 1A41A371A00219ABDF219F64DC45FEE77A9EF08354F10452AF958E72C1D7719A84CB90

Function 00C9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C9BCFD
IsMenu.USER32(00000000), ref: 00C9BD1D
CreatePopupMenu.USER32 ref: 00C9BD53
GetMenuItemCount.USER32(00FA53B0), ref: 00C9BDA4
InsertMenuItemW.USER32(00FA53B0,?,00000001,00000030), ref: 00C9BDCC

Strings

0, xrefs: 00C9BCA8
2, xrefs: 00C9BD37

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction ID: 9b655219a787ceac8efb51de5072ae7f7ca13b5cd09b5bd226ae483b1b9f22cb
Opcode Fuzzy Hash: 131fca6b991917928e453e8c989fc582b4863177c3e8e34545fac42e09b53603
Instruction Fuzzy Hash: F851AF72A00209ABDF10CFA9EACCBAEBBF4AF45314F144159F425D7298D770AE41CB51

Function 00C9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C9C913

Strings

stop, xrefs: 00C9C8E4
blank, xrefs: 00C9C895
info, xrefs: 00C9C8B4
question, xrefs: 00C9C8CC
warning, xrefs: 00C9C8FC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction ID: 4d2f8b7b2893eaaa2cd2b36906eec083deab31e3599ff9cf5f255d252c4d6c49
Opcode Fuzzy Hash: 8e631b5b7a4f3222ade7915ef4a8f2ab25604e6ebd38d3530c5d1663b9fabb8d
Instruction Fuzzy Hash: 3D112B3668930ABAAB04AB15DCC6DAE779CDF15319B21003BF900A61C2D7605F806369

Function 00C9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C9DE42
gethostname.WSOCK32(?,00000100), ref: 00C9DE5C
gethostbyname.WSOCK32(?), ref: 00C9DE69
inet_ntoa.WSOCK32(?), ref: 00C9DEAB
_strcat.LIBCMT ref: 00C9DEB9
WSACleanup.WSOCK32 ref: 00C9DEDE

Strings

0.0.0.0, xrefs: 00C9DE87

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 320790c6c8c6e5fd371ae898d852654f705066a92fb8a230294f3e893aecca9b
Instruction ID: e28968e9ab8818408b93433a71aa142c79ccd21d2cbc810751b5e281d8e8fa9e
Opcode Fuzzy Hash: 320790c6c8c6e5fd371ae898d852654f705066a92fb8a230294f3e893aecca9b
Instruction Fuzzy Hash: 0A110371904109ABCF24AB60DC8EFEF77ACDF10751F0001A9F55AEA091EF708AC19B60

Function 00CC9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetSystemMetrics.USER32(0000000F), ref: 00CC9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CC9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CCA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CCA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CCA263
ShowWindow.USER32(00000003,00000000), ref: 00CCA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CCA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CCA2CA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: efd2a94c80fd201de49a451af48fa325aaa4d3969c1e8c30ec6354b334c1b25a
Instruction ID: 14f648c4695bfc6479a83523fde8a81be652c00a6b99a414e686ccb8556f4108
Opcode Fuzzy Hash: efd2a94c80fd201de49a451af48fa325aaa4d3969c1e8c30ec6354b334c1b25a
Instruction Fuzzy Hash: 51B19B35600229DFDF14CF68C9C9BAE7BB2FF44705F088069ED599B295D731AA40CB61

Function 00C9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C9ED2A
_wcslen.LIBCMT ref: 00C9ED3B
_wcslen.LIBCMT ref: 00C9ED79
_wcslen.LIBCMT ref: 00C9EDAF
_wcslen.LIBCMT ref: 00C9EDDF
_wcslen.LIBCMT ref: 00C9EDEF
_wcslen.LIBCMT ref: 00C9EE2B
_wcslen.LIBCMT ref: 00C9EE5A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction ID: 26ccc5bddb32c7179f1b8ff8bdd34c35e17c62314bfeb9a2ac3588262ba430d3
Opcode Fuzzy Hash: 793adb262f3a4090cdd251939dbac3414f4749b8537df4d14e6930e637716786
Instruction Fuzzy Hash: F941A469C1021875CB11EBF4CC8A9CFB7BCAF45311F508466E914E3121FB34D689C3A9

Function 00C4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00C8F454

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction ID: b70429c082014242762177395a719fa72ce6e2c47cf4b287f9c909dcf2cec8d4
Opcode Fuzzy Hash: 241aefd858d5e02f1d506053074c4a7843443ccf8bb93aea7e1b3bd4df37bfde
Instruction Fuzzy Hash: BF410A31608680FAD7399F29D9C8B2E7B91BFA6314F14443DE0AB57660C771AA83DB11

Function 00CC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC2D1B
GetDC.USER32(00000000), ref: 00CC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC2DE1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction ID: c877ab8a0c88270b3a2c38bf107f5b99f7e94e624c05f3972ec28bc4188eed95
Opcode Fuzzy Hash: aac2d1b9c21fefcfb07bfa6087d61855b4fd5749e6bbd76851bb540c71cf35bb
Instruction Fuzzy Hash: 80318972201614BFEB218F54CC8AFEB3FADEF19715F084069FE099A291C6759C51CBA4

Function 00C95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95637
_memcmp.LIBVCRUNTIME ref: 00C95659
_memcmp.LIBVCRUNTIME ref: 00C95671
_memcmp.LIBVCRUNTIME ref: 00C95684
_memcmp.LIBVCRUNTIME ref: 00C9569E
_memcmp.LIBVCRUNTIME ref: 00C956B1
_memcmp.LIBVCRUNTIME ref: 00C956C9
_memcmp.LIBVCRUNTIME ref: 00C956E4

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction ID: 0ce3bf81c29a46a96dd766501167fdecdd47c113aac9d96c932e39d5474b7570
Opcode Fuzzy Hash: e139b586c7d31098b3076fad34d2a65a9ffa13ac121be37ae486334cc6ef7817
Instruction Fuzzy Hash: 9B21F965741A09B7DA165E21DD9AFFA335DAF20385F480038FD049A781F720EF1593A9

Function 00CB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CB502E, 00CB5383
Not an Object type, xrefs: 00CB5007

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b20911faffac848781fd0e7fa848594cd367605045bdcfa720daeb9f32ca7043
Instruction ID: 6c32751428fde7134f91ee556d084f65ae3f76b18b0127bfac90df9ca55fb27f
Opcode Fuzzy Hash: b20911faffac848781fd0e7fa848594cd367605045bdcfa720daeb9f32ca7043
Instruction Fuzzy Hash: A2D1BF71A0060A9FDF14DFA8D881FEEB7B5BF48344F148069E925AB291E771DE41CB90

Function 00C71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C71651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C717FB,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C716FB

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C71777
__freea.LIBCMT ref: 00C717A2
__freea.LIBCMT ref: 00C717AE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction ID: 0f6e990703c1e5f1b12e3dd35d17ca9f1b0f8320f3e7e5888dde07f8a91d0de6
Opcode Fuzzy Hash: b193bda199e66be3aa097c1dda90f4443abda9cb7dfa96c5c1ac4e7fe6766ecb
Instruction Fuzzy Hash: F3919371E002169ADB288E7DC881AEE7BF5EF49710F1C8659ED19E7181D735DE40CBA0

Function 00CB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB4648
VariantInit.OLEAUT32(?), ref: 00CB4749
VariantClear.OLEAUT32(?), ref: 00CB4753
VariantClear.OLEAUT32(?), ref: 00CB47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CB472C
Null Object assignment in FOR..IN loop, xrefs: 00CB45D8, 00CB4706, 00CB47BE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d5dc97d191ccc452db1ad451e7e30bbb880d69a7f26521bfed6ca6190cc20d55
Instruction ID: 492a1c98a5b038184de15d2d6a7aa9a3f51b0b5a6b98268b2c11b7b13703ad70
Opcode Fuzzy Hash: d5dc97d191ccc452db1ad451e7e30bbb880d69a7f26521bfed6ca6190cc20d55
Instruction Fuzzy Hash: 6291B470A04219AFDF28CFA5C884FEE7BB8EF46714F108559F515AB282DB709945CFA0

Function 00CA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CA1430

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: dc88d7d5404a25bb69407aacd0a1da1532fb8a27c5f866a38f3e5eeb011ceb71
Instruction ID: a56d0c57284eba2ca348de43fb0cbb102e80537ae2eb6f2e144d104ee84ccd1a
Opcode Fuzzy Hash: dc88d7d5404a25bb69407aacd0a1da1532fb8a27c5f866a38f3e5eeb011ceb71
Instruction Fuzzy Hash: 21911571A0021AAFDB00DF98C884BBEB7B5FF46329F194029ED51EB291D774E941DB90

Function 00C4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction ID: 96249ac001a33ca38a0c0445f482a65a9bdb3c99c4163b132d18507e9f75fa10
Opcode Fuzzy Hash: 43ae2e8a7ea0bc66b84873dfbf69ddf87e97fa8f795e2291ee6028d1bdb74123
Instruction Fuzzy Hash: D7912871D00219EFCB10CFA9CC88AEEBBB8FF49320F248559E515B7251D774AA42DB60

Function 00CB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB396B
CharUpperBuffW.USER32(?,?), ref: 00CB3A7A
_wcslen.LIBCMT ref: 00CB3A8A
VariantClear.OLEAUT32(?), ref: 00CB3C1F

Part of subcall function 00CA0CDF: VariantInit.OLEAUT32(00000000), ref: 00CA0D1F
Part of subcall function 00CA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CA0D28
Part of subcall function 00CA0CDF: VariantClear.OLEAUT32(?), ref: 00CA0D34

Strings

Incorrect Parameter format, xrefs: 00CB39A6, 00CB3BA1
AUTOIT.ERROR, xrefs: 00CB3A80, 00CB3A85

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9667e7be86073f1420fdacb3a25ce8ed46a55154b5cc6ea952782e217e371d56
Instruction ID: 0e835d264982d0ce0c88879b50867cafd3a3df3a1a621b4c40452ebdd0393552
Opcode Fuzzy Hash: 9667e7be86073f1420fdacb3a25ce8ed46a55154b5cc6ea952782e217e371d56
Instruction Fuzzy Hash: AB918C756083459FCB04DF68C48096AB7E4FF88714F14892DF89A9B351DB30EE45DB92

Function 00CB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
Part of subcall function 00C9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
Part of subcall function 00C9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
Part of subcall function 00C9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CB4C51
_wcslen.LIBCMT ref: 00CB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CB4DCF
CoTaskMemFree.OLE32(?), ref: 00CB4DDA

Strings

NULL Pointer assignment, xrefs: 00CB4E23, 00CB4E52

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction ID: 46d9c1ac6ac1675cccc34fa79f6c989acb35b44f3f46d73a9a71126b944415f9
Opcode Fuzzy Hash: 9f542e9fe810675cf1b07d46b1a1924e680c28edd4153e40a7557dc98f3ac55c
Instruction Fuzzy Hash: 0E911571D0421DEFDF14DFA4C891AEEBBB9BF08314F108169E915A7291EB709A44DFA0

Function 00CC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CC2183
GetMenuItemCount.USER32(00000000), ref: 00CC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC21DD
_wcslen.LIBCMT ref: 00CC2213
GetMenuItemID.USER32(?,?), ref: 00CC224D
GetSubMenu.USER32(?,?), ref: 00CC225B

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CC22E3

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0f49014cb9b16404f2a1e6678ed86557732be7bca73cec226bd8e61d0aec24fc
Instruction ID: 67cffa5b33bb4d670db8cb5574ac71260d375755d3d3d03fba1e8fa9b9dbf830
Opcode Fuzzy Hash: 0f49014cb9b16404f2a1e6678ed86557732be7bca73cec226bd8e61d0aec24fc
Instruction Fuzzy Hash: F7715E75A00205AFCB14EFA5C885FAEB7B5EF48320F14845DE916EB351D734AE419B90

Function 00CC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FA5158), ref: 00CC7F37
IsWindowEnabled.USER32(00FA5158), ref: 00CC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CC801E
SendMessageW.USER32(00FA5158,000000B0,?,?), ref: 00CC8051
IsDlgButtonChecked.USER32(?,?), ref: 00CC8089
GetWindowLongW.USER32(00FA5158,000000EC), ref: 00CC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CC80C3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b0bb653bc8363be675946fe4094893ab7d791d27aea1fca8eb368ece566f69d4
Instruction ID: 746042568aeeb6284a63aa620cb2bf9d5d40c53ba121b63a9a3e163bee420c44
Opcode Fuzzy Hash: b0bb653bc8363be675946fe4094893ab7d791d27aea1fca8eb368ece566f69d4
Instruction Fuzzy Hash: 7C716D34608204AFEB259FA4C8D4FAABBB9EF09340F14455DF965972A1CB31AA45DF20

Function 00C9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C9AEF9
GetKeyboardState.USER32(?), ref: 00C9AF0E
SetKeyboardState.USER32(?), ref: 00C9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C9B020

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction ID: 60d3eaa37baa0016693db8744c947aa21cb740df4d517a0c78dfcef5f0de866b
Opcode Fuzzy Hash: 155ef03426c384b61fea1cfb2d6dd5d5a1beab40142ec756eed6b64b2fb642e8
Instruction Fuzzy Hash: 7C51C2E06047D53DFF368274CD4DBBA7EA95B06304F088589E1E9458C2C398AED4D791

Function 00C9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C9AD19
GetKeyboardState.USER32(?), ref: 00C9AD2E
SetKeyboardState.USER32(?), ref: 00C9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C9AE38

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction ID: 551e9ea9e3e6e1267e2f3c1b4d70c09e75ce702e8c66799b2c92ce965541274e
Opcode Fuzzy Hash: 6306c56eded3ce44bdee259c2d6551e6f3b4a3dc2348e1d183a48893cf352205
Instruction Fuzzy Hash: 4C51E7A15047D53DFF378334CC99B7A7EA85B46300F088488E1E5468C2D394EE94E792

Function 00C6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C73CD6,?,?,?,?,?,?,?,?,00C65BA3,?,?,00C73CD6,?,?), ref: 00C65470
__fassign.LIBCMT ref: 00C654EB
__fassign.LIBCMT ref: 00C65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C73CD6,00000005,00000000,00000000), ref: 00C6552C
WriteFile.KERNEL32(?,00C73CD6,00000000,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C6554B
WriteFile.KERNEL32(?,?,00000001,00C65BA3,00000000,?,?,?,?,?,?,?,?,?,00C65BA3,?), ref: 00C65584

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction ID: cc3101e8493f277a012217dca332614440bf6a8bb737db603e9e29bcd1b7da05
Opcode Fuzzy Hash: 7173984d73b866e9b6c8c0f3d24fa3fdef2c641cc768297702d50a5506428aae
Instruction Fuzzy Hash: 03519671900649AFDB21CFA8D885BEEBBF9EF09300F24455EF556E7291D7309A41CB60

Function 00C52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C52D53
_ValidateLocalCookies.LIBCMT ref: 00C52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C52E0C
_ValidateLocalCookies.LIBCMT ref: 00C52E61

Strings

csm, xrefs: 00C52DF6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction ID: d361477581fd0bc6e05aecb2bae057828415b6ce3c799279ea852de5f4cf39eb
Opcode Fuzzy Hash: 9c2be39763740ca817ae01518e0248fb5078d963672240feb65afbda13f9a310
Instruction Fuzzy Hash: 6341D638A00208DBCF14DF68C885A9EBBF4BF46366F148155EC146B392D731AA89CBD4

Function 00CB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB304E: inet_addr.WSOCK32(?), ref: 00CB307A
Part of subcall function 00CB304E: _wcslen.LIBCMT ref: 00CB309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00CB1112
WSAGetLastError.WSOCK32 ref: 00CB1121
WSAGetLastError.WSOCK32 ref: 00CB11C9
closesocket.WSOCK32(00000000), ref: 00CB11F9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction ID: fe87b39096ce670a5246fb1c7e449af0b02603d589ddb29a4b840c00a2608cf3
Opcode Fuzzy Hash: 145ed8a7a93bf94de9f4a39cda5cd15df0bca4697ae232d9c7c6819d4f4a77a6
Instruction Fuzzy Hash: 1041E535600204AFDB109F58C894BEEB7E9EF45364F588059FD19AB292C770EE41CBE1

Function 00C9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C9CF45
MoveFileW.KERNEL32(?,?), ref: 00C9CF7F
_wcslen.LIBCMT ref: 00C9D005
_wcslen.LIBCMT ref: 00C9D01B
SHFileOperationW.SHELL32(?), ref: 00C9D061

Strings

\*.*, xrefs: 00C9CFF3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction ID: 9e9e141e35814c0103f49bb3a4b74da0c1c3ad4035e154954f2bac1f785090f4
Opcode Fuzzy Hash: b04e8f0e845a80878c4e2e4e0155554bc3069d766f1061bde3c25ba6f31d8b23
Instruction Fuzzy Hash: 304154719052189FDF12EFE4D9C5EDEB7B8AF18380F0000E6E509EB142EA34A788DB50

Function 00CC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC2F0B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction ID: 733f5f469fd09dacc16548601d285a209e9b41ac2aa399b65d1a8be597177b08
Opcode Fuzzy Hash: 109664d367ce1c6fd3535f5522f90be7ab2048878ceb73db65f993dc2c87b218
Instruction Fuzzy Hash: F6311334604254AFDB20DF58EC84FA937E0EB8A711F140168F928EB2B1CB71ED40DB10

Function 00C97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9778F
SysAllocString.OLEAUT32(00000000), ref: 00C97792
SysAllocString.OLEAUT32(?), ref: 00C977B0
SysFreeString.OLEAUT32(?), ref: 00C977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C977DE
SysAllocString.OLEAUT32(?), ref: 00C977EC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d5e183700076b7e698d38895794c01b0bcb52759b19344779e09e7d682b76598
Instruction ID: 5fbeb223ca602ec111faf27cd97e0eeb8cd8a334bc506c35cdfc90ca13b5259d
Opcode Fuzzy Hash: d5e183700076b7e698d38895794c01b0bcb52759b19344779e09e7d682b76598
Instruction Fuzzy Hash: 7421B076605219AFDF11DFA9CC88EBF73ACEB093647048125FA18DB2A0D670DD41C760

Function 00C977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C97868
SysAllocString.OLEAUT32(00000000), ref: 00C9786B
SysAllocString.OLEAUT32 ref: 00C9788C
SysFreeString.OLEAUT32 ref: 00C97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C978AF
SysAllocString.OLEAUT32(?), ref: 00C978BD

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 63745c830bd8529290cb5418919ff80d185120674e7acd643ff65c266fd52abd
Instruction ID: dbbe10a204f33595719186b9c5649093a2caef09bef67106868eab8fc3502e23
Opcode Fuzzy Hash: 63745c830bd8529290cb5418919ff80d185120674e7acd643ff65c266fd52abd
Instruction Fuzzy Hash: 50219D31609204AFDF10AFA9DC8CEBA77ACFB087607148225F915DB2A1DA74DD41CB68

Function 00CA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA052E

Strings

nul, xrefs: 00CA0567

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction ID: d5a86422a4c6e58ebc69a45a0fdbe7e373a9962217dd8dca25700747250dda90
Opcode Fuzzy Hash: 95f1af0de67db6e0f990bf0d8262361b0b9afebcb7934a59b432f605d2540485
Instruction Fuzzy Hash: F7217E71900306ABDF209F69DC44B9A7BB4AF467A8F304A19E8B1D62E0D770DA50CF24

Function 00CA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA0601

Strings

nul, xrefs: 00CA0639

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction ID: f99e83b9c722983a25e486d41b7284f7be33ee887695f869ad9018fff2b1d6a7
Opcode Fuzzy Hash: 11edb952d8dc87781814c55215717197e5c7a16ddf57b6414c6dec1063783e85
Instruction Fuzzy Hash: F9214F755003069BDB209F69DC44B9A77A4AF967A9F300A19FDB1E72E0E7709960CB10

Function 00CC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CC4145

Strings

Msctls_Progress32, xrefs: 00CC40E3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction ID: 35bb10f8a01db39807c5a18946da924dd4533d710d44a8ea618a9a4683104e03
Opcode Fuzzy Hash: 786d27e49af99d8c5193a1d9d6e2bb142650fb906374ae83f37e78a62d7c446f
Instruction Fuzzy Hash: DE1190B2150219BEEF118F64CC86EEB7FADEF08798F008111FA58A2150C6729C219BA4

Function 00C6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C6D7A3: _free.LIBCMT ref: 00C6D7CC

_free.LIBCMT ref: 00C6D82D

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D838
_free.LIBCMT ref: 00C6D843
_free.LIBCMT ref: 00C6D897
_free.LIBCMT ref: 00C6D8A2
_free.LIBCMT ref: 00C6D8AD
_free.LIBCMT ref: 00C6D8B8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9ac63cfe9ab8302a4d09b88cff2714998a0e03bb3ca402b4c8970c141bf23066
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D7115B71B40B04AADA31BFB0CC87FCB7BDCAF44700F440825B29AE6092DA65B505A662

Function 00C9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C9DA74
LoadStringW.USER32(00000000), ref: 00C9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C9DA91
LoadStringW.USER32(00000000), ref: 00C9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C9DAB9

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction ID: 39b395a5670787c9579a2a90d0d35db1ad1d1a419bdad7a9d44e9cf1cb62a420
Opcode Fuzzy Hash: 5cd2fddd132f95d71b02e7c44e190eff9032f4bcdcbc449a64cf0814fae3a4a1
Instruction Fuzzy Hash: 2C0162F25002087FEB10ABA4DDC9FEB366CE708701F400495F74AE2041EA749E854F74

Function 00CA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F9EA50,00F9EA50), ref: 00CA097B
EnterCriticalSection.KERNEL32(00F9EA30,00000000), ref: 00CA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CA09A9
CloseHandle.KERNEL32(?), ref: 00CA09B8
InterlockedExchange.KERNEL32(00F9EA50,000001F6), ref: 00CA09C8
LeaveCriticalSection.KERNEL32(00F9EA30), ref: 00CA09CF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction ID: 378ae11c8e7a82eb560df4d455fa27db790f3a0fd6d5dbb4bd2399d8c365a6f8
Opcode Fuzzy Hash: fe733dfc93fdef0f2ad0bd8e573f06e06312ad15b994403d3e9abc21a58cdd2b
Instruction Fuzzy Hash: CBF01932442A02ABD7415BA4EEC8FDABA29FF01742F542025F206908A1C7749575CF90

Function 00CB1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00CB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CB1DE1
WSAGetLastError.WSOCK32 ref: 00CB1DF2
htons.WSOCK32(?), ref: 00CB1EDB
inet_ntoa.WSOCK32(?), ref: 00CB1E8C

Part of subcall function 00C939E8: _strlen.LIBCMT ref: 00C939F2

Part of subcall function 00CB3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CAEC0C), ref: 00CB3240

_strlen.LIBCMT ref: 00CB1F35

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 3b5d5bc9d2ce49f0d8532083ce3aeb6502052f7f7bf6ca221171f8900c597546
Instruction ID: 1df8fd0db4513797a183ca7bbaea27216da268024c43809e7478e9f50cf36b18
Opcode Fuzzy Hash: 3b5d5bc9d2ce49f0d8532083ce3aeb6502052f7f7bf6ca221171f8900c597546
Instruction Fuzzy Hash: 7BB1D331204340AFC724DF64C895F6A7BE5AF84318F98854CF9665B2E2CB71EE46CB91

Function 00C35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C35D30
GetWindowRect.USER32(?,?), ref: 00C35D71
ScreenToClient.USER32(?,?), ref: 00C35D99
GetClientRect.USER32(?,?), ref: 00C35ED7
GetWindowRect.USER32(?,?), ref: 00C35EF8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction ID: b16f8876ca7e4bb504764d51e8f62640a6d859135b2ddcb040aca5f6556c0269
Opcode Fuzzy Hash: c895bbcc17e87effcf568d3dcdfe2a208c82774718a697dcd32467396d984c7b
Instruction Fuzzy Hash: B8B18875A10B4ADBDB14CFA9C4807EEB7F1FF48310F14841AE8AAD7290DB34AA51DB50

Function 00C601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C600D6
__allrem.LIBCMT ref: 00C600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6010B
__allrem.LIBCMT ref: 00C60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C60140

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d7c99cd08b02066c53556db17ddc80a799f0857d7582af902cd410b8bea49f0f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A38127766007069BE7349E69CC82B6F73E8AF41320F24463EF861E6681E770DE419754

Function 00C661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C582D9,00C582D9,?,?,?,00C6644F,00000001,00000001,8BE85006), ref: 00C66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C6644F,00000001,00000001,8BE85006,?,?,?), ref: 00C662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C663D8
__freea.LIBCMT ref: 00C663E5

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

__freea.LIBCMT ref: 00C663EE
__freea.LIBCMT ref: 00C66413

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction ID: b294b4f09bafa164aa5e814a349719f60f35f6e5462b7a5d91261590099edb0c
Opcode Fuzzy Hash: 85ff18ebbf68e30bdfb13af12c323147b6bf4c4d586fbddaf90c76626300096a
Instruction Fuzzy Hash: 4251DF72A00216ABEB358F64CCC1EBF7BA9EF44710F19462AFD15DA250EB34DD41D6A0

Function 00CBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CBBDF3
RegCloseKey.ADVAPI32(?), ref: 00CBBDFF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7d5bc107d723c929bcc03ccd7d9949275858729b5e8c9a5acd27897537f383b6
Instruction ID: 7da2dc46f7f10352bfc3a28dc0b45e1f381cb70ee43facf84dcd7d35e08048ce
Opcode Fuzzy Hash: 7d5bc107d723c929bcc03ccd7d9949275858729b5e8c9a5acd27897537f383b6
Instruction Fuzzy Hash: 7681B230218241EFD714DF24C895E6ABBE5FF84308F14855CF4998B2A2DB71ED45DB92

Function 00C8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C8F860
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F889
VariantClear.OLEAUT32(00C8FA64), ref: 00C8F8AD
VariantCopy.OLEAUT32(00C8FA64,00000000), ref: 00C8F8B1
VariantClear.OLEAUT32(?), ref: 00C8F8BB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5731483a6d3d5068a665522d19f356e7d35c84d863413ce594b2d287948a8196
Instruction ID: db34acecac33435f835468c365c5aea43a9bb590375def318d170320dd4cd664
Opcode Fuzzy Hash: 5731483a6d3d5068a665522d19f356e7d35c84d863413ce594b2d287948a8196
Instruction Fuzzy Hash: A651B731610310BBCF24BF66D895B29B3A4EF45318F24947EE905DF291DB708C42D7AA

Function 00CA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CA94E5
_wcslen.LIBCMT ref: 00CA9506
_wcslen.LIBCMT ref: 00CA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CA9585

Strings

X, xrefs: 00CA9412

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a9be66c5c1d764b91cdd445bcefcdc0836efc0102d3216519c011cd61ff84d6d
Instruction ID: 822043365a9c287fca6ac8956dc05c2cdf9b0a2f4cd794d966729e8ac3e858f8
Opcode Fuzzy Hash: a9be66c5c1d764b91cdd445bcefcdc0836efc0102d3216519c011cd61ff84d6d
Instruction Fuzzy Hash: 50E19F719183419FCB24DF24C882B6AB7E4FF85314F04896DF8999B2A2DB31DD05CB92

Function 00C4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

BeginPaint.USER32(?,?,?), ref: 00C49241
GetWindowRect.USER32(?,?), ref: 00C492A5
ScreenToClient.USER32(?,?), ref: 00C492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C492D3
EndPaint.USER32(?,?,?,?,?), ref: 00C49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C871EA

Part of subcall function 00C49339: BeginPath.GDI32(00000000), ref: 00C49357

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction ID: ef664a2c05760cdfd398ddde6d857bac0f8c149a598caa84b0082349639a9083
Opcode Fuzzy Hash: c246c71f93bfdbe114f37742b81f46304bdec25046fb5948c755cbfac466723f
Instruction Fuzzy Hash: C741AB70104310AFD720DF25DC88FAB7BB8FB4A324F140229F9A8C72A1C7709945DB61

Function 00CA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CA0847
EnterCriticalSection.KERNEL32(?), ref: 00CA0863
LeaveCriticalSection.KERNEL32(?), ref: 00CA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA0921

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 317b6bb409752e220bb53554c4f8cb7c47841eb71574cb57d8fd2bcffedf6491
Instruction ID: 49724ef1c66b838a2e01fd7986268d79cffb2ead2dc4bae40f7a33288ccdece8
Opcode Fuzzy Hash: 317b6bb409752e220bb53554c4f8cb7c47841eb71574cb57d8fd2bcffedf6491
Instruction Fuzzy Hash: 8D416A71900205EFDF149F64DC85AAAB7B8FF05304F2440A9ED049A297D730DE65DBA4

Function 00CC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C8F3AB,00000000,?,?,00000000,?,00C8682C,00000004,00000000,00000000), ref: 00CC824C
EnableWindow.USER32(?,00000000), ref: 00CC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CC82D1
ShowWindow.USER32(?,00000004), ref: 00CC82E5
EnableWindow.USER32(?,00000001), ref: 00CC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CC832F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction ID: e28c41fc9cddabab1fcf9d029e26b71629527508f34a9bfb4c4cfc2e2955d03a
Opcode Fuzzy Hash: f5b5a0b57026f1b45e7221ccabe5984fa13f51adc904e89e49dbdae7b1f6dbce
Instruction Fuzzy Hash: 88418174601644EFDF21CF15D899FA97BE0FB0A714F1851ADE5288B2B2CB31A949CF50

Function 00C94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C94CEA
_wcslen.LIBCMT ref: 00C94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C94D10
_wcsstr.LIBVCRUNTIME ref: 00C94D1A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 14d9eff26181ca3cf862a60b5106699a8d3cfd565a2036d5833175e81cf76330
Instruction ID: 70b193561fc9ce008f9e76bd67d4fea3e998dd51dd2cd002c936a28ba8938863
Opcode Fuzzy Hash: 14d9eff26181ca3cf862a60b5106699a8d3cfd565a2036d5833175e81cf76330
Instruction Fuzzy Hash: 8921F636604200BBEF195B39ED4DF7F7BACDF45750F10802DF809CA191EA61DD4296A0

Function 00CA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C33A97,?,?,00C32E7F,?,?,?,00000000), ref: 00C33AC2

_wcslen.LIBCMT ref: 00CA587B
CoInitialize.OLE32(00000000), ref: 00CA5995
CoCreateInstance.OLE32(00CCFCF8,00000000,00000001,00CCFB68,?), ref: 00CA59AE
CoUninitialize.OLE32 ref: 00CA59CC

Strings

.lnk, xrefs: 00CA5876, 00CA58C1, 00CA5985

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction ID: 989aff05c493a282b8d60fd45e67f35e61182015b3111d21d8e7b2fc000345e6
Opcode Fuzzy Hash: 79ab2ec36ccfa3df14ca1fcf57f3193a67b2c1685591788e8fff1ca3b5c7efaf
Instruction Fuzzy Hash: 37D174756087029FC714DF25C484A2ABBE1FF8A318F14895DF8999B361CB31ED46CB92

Function 00C9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
Part of subcall function 00C90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
Part of subcall function 00C90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
Part of subcall function 00C90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
Part of subcall function 00C90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

GetLengthSid.ADVAPI32(?,00000000,00C91335), ref: 00C917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C917BA
HeapAlloc.KERNEL32(00000000), ref: 00C917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C917DA
GetProcessHeap.KERNEL32(00000000,00000000,00C91335), ref: 00C917EE
HeapFree.KERNEL32(00000000), ref: 00C917F5

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction ID: 698dd7145b42cffb32330c766816b50518901544b4cd8f772c370219c47626cd
Opcode Fuzzy Hash: 1924671b53d7b501aefa88a76fbe8744edd03eb5071a36f103519eed1ef79158
Instruction Fuzzy Hash: 01117C32500606FFDF109FE5CC8AFAE7BA9EB45355F184018F85597220D735AA45CB60

Function 00C914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C91515
CloseHandle.KERNEL32(00000004), ref: 00C91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C91563

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction ID: b98f569a6fb8e6ece13962732299fa3c5b05f92f509640091e5168dab6982f52
Opcode Fuzzy Hash: 265b37b4f204994c1c8190bf8bfef3346a1d7bf28b55ffff52666ec29338e0c0
Instruction Fuzzy Hash: 9C11297250024AABDF118F98ED8AFDE7BA9FF48744F098015FE19A2060C375CE61DB60

Function 00C53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C53379,00C52FE5), ref: 00C53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C533B7
SetLastError.KERNEL32(00000000,?,00C53379,00C52FE5), ref: 00C53409

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction ID: f5df01df1c35c43523948c4ae24abc1bf0152adcbb01e9fea0f80b041fa99c49
Opcode Fuzzy Hash: 4af851cba284e0643e0f82cc452e1d4e36d62903be31450b2430fc41d22e21d1
Instruction Fuzzy Hash: 8D01F53A709355AFE62527747DC5BAE2A54EB153FB320022DFC20851F0EF114E8BA54C

Function 00C62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C65686,00C73CD6,?,00000000,?,00C65B6A,?,?,?,?,?,00C5E6D1,?,00CF8A48), ref: 00C62D78
_free.LIBCMT ref: 00C62DAB
_free.LIBCMT ref: 00C62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C5E6D1,?,00CF8A48,00000010,00C34F4A,?,?,00000000,00C73CD6), ref: 00C62DEC
_abort.LIBCMT ref: 00C62DF2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67b7e3c0ee43d680624a0cf7ab76b32fb1b081598c4477c6f0560be88958be89
Instruction ID: bcc90bd086aa0b186d674df6017f5b2cea46b8733823c00756d35c581a37a4c6
Opcode Fuzzy Hash: 67b7e3c0ee43d680624a0cf7ab76b32fb1b081598c4477c6f0560be88958be89
Instruction Fuzzy Hash: E9F0C832A04E0127C2322735BCD6F6E2659AFC27A1F254418F838921E2EF248902E271

Function 00CC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CC8A80
EndPath.GDI32(?), ref: 00CC8A90
StrokePath.GDI32(?), ref: 00CC8AA0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction ID: b70bef24f8c6e575c903cedeba8a1d0096b7b8554c3af9bcc25f8ab97cf4b668
Opcode Fuzzy Hash: 913e04555cb23564d6194dd92f9515d21501ec0f3b57728f2ecc8c7c85f89a70
Instruction Fuzzy Hash: 0F110576400108FFEB129F90EC88FAA7F6CEB08350F048026FA599A1A1C7719E55DFA0

Function 00C951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C95230
ReleaseDC.USER32(00000000,00000000), ref: 00C95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C95261

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction ID: 9f17664071b623ce1e952d2de5406f3fdc371e2da19d5c66a6345db6b10011aa
Opcode Fuzzy Hash: c62bbe78c5cbbfd095d5817f5fdbc5eb85731ff8f02871f5a1452e1780de1d1d
Instruction Fuzzy Hash: D5014475A01B14BBEF105BA5DD89F5EBFB8EB44751F044065FA08A7281D6709901CB60

Function 00C31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C31C22

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction ID: cd9ec7bd3a049804802bfd62530fd02057dccf4c5c45e1ec29ddb0ea3b3c3b21
Opcode Fuzzy Hash: 413bbed8013195024636844e4c60438e6e22cc24d418be6df479e9d131634a18
Instruction Fuzzy Hash: F40167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00C9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C9EB75

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction ID: f8c6f6b0fed7612d23d57e9bde0bd6a374dc809bcdf3226d025cecdad43f041f
Opcode Fuzzy Hash: 15a9b7e13d1947610ef882aa417f4aee87405a34c8c4f3ef0ed288f0db858d6a
Instruction Fuzzy Hash: C5F03A72A40158BBE7215B63DD4EFEF3A7CEFCAB15F000158F615E1091D7A05A01C6B5

Function 00C87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C87469
GetWindowDC.USER32(?), ref: 00C87475
GetPixel.GDI32(00000000,?,?), ref: 00C87484
ReleaseDC.USER32(?,00000000), ref: 00C87496
GetSysColor.USER32(00000005), ref: 00C874B0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction ID: 44fa54e587b186ed66f1bccf728feedc2aa83771afd91f00d264f33c70732c05
Opcode Fuzzy Hash: b043206e713b46a6a2a0a65290c89f675c81780275c370a19b645ed991b8d120
Instruction Fuzzy Hash: DE014631400215FFEB51AFA4DD48FAE7BB5FB04321F650164FA2AA21A1CB311E52EF60

Function 00C91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C9187F
UnloadUserProfile.USERENV(?,?), ref: 00C9188B
CloseHandle.KERNEL32(?), ref: 00C91894
CloseHandle.KERNEL32(?), ref: 00C9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C918A5
HeapFree.KERNEL32(00000000), ref: 00C918AC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction ID: 564601ed26d3b5f8ca394b2a834036e0cacdc73d3d422da3dbed05c7f74b17d7
Opcode Fuzzy Hash: 1a9e555ec20b55805698043df5eeda49b1303e5b9723a3d4e5107b943e6cd7d4
Instruction Fuzzy Hash: 2BE0C236404501BBDB015BA2ED4CF4EBB29FB49B22B148220F22981470CB329420DB50

Function 00C9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C6EE
_wcslen.LIBCMT ref: 00C9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C9C7CA

Strings

0, xrefs: 00C9C6AF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ba3d843e6867bb1018e92c2366879bee069dbe3c65963ef7485126f7fcec57d1
Instruction ID: 08616583d18ad73fe2446a925a53fba77c6b207ed18225bdba80d0675939ed64
Opcode Fuzzy Hash: ba3d843e6867bb1018e92c2366879bee069dbe3c65963ef7485126f7fcec57d1
Instruction Fuzzy Hash: 1551BE716143019BDB149F68C8C9B6BB7E8AF89314F040A2DF9A5D32E0DB70DA44DF62

Function 00CBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CBAEA3

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

GetProcessId.KERNEL32(00000000), ref: 00CBAF38
CloseHandle.KERNEL32(00000000), ref: 00CBAF67

Strings

<, xrefs: 00CBAE6B
@, xrefs: 00CBAE72

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 17c544f8b118efcf208031b9662b9acf2fb103d8339d1b067c2eb4aaf4e16801
Instruction ID: f65a1834edd79e5c1846d977c8a9d0091023992578d0c2f52bcf9d718d3f7490
Opcode Fuzzy Hash: 17c544f8b118efcf208031b9662b9acf2fb103d8339d1b067c2eb4aaf4e16801
Instruction Fuzzy Hash: AC715975A00619DFCB14DFA5C484A9EBBF0FF08314F048499E896AB3A2C774EE45DB91

Function 00C9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C972CF

Strings

DllGetClassObject, xrefs: 00C97242

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction ID: c94af2e4c131182f2a3762feac2fabf67362df9834204e21cb4ff3cbe9314f72
Opcode Fuzzy Hash: e38342f25bb3cbee2448e3beb655cdcfe3ab6107b1e4c3b4690574265f79a357
Instruction Fuzzy Hash: A4418E71625604EFDF15CF55C888B9A7BA9EF44710F2581ADFD099F20AD7B0DA40CBA0

Function 00CC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC3E35
IsMenu.USER32(?), ref: 00CC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC3E92
DrawMenuBar.USER32 ref: 00CC3EA5

Strings

0, xrefs: 00CC3D89

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction ID: 197cb634c908acf75219579f4c2d11b683e30326883f9c167aab2bf79d409997
Opcode Fuzzy Hash: 37c7d76f29fe24a54f96367194bf450bb46aefbc49f986d0b66807661a46bc41
Instruction Fuzzy Hash: E3414675A00249AFDB10DF50E884FAABBB9FF49354F04812DE925A7350D730AE85DFA0

Function 00C91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C91EA9

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Strings

ListBox, xrefs: 00C91E25
ComboBox, xrefs: 00C91DF0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 8843edc1534e2d0a0ee6d5017267932f05dbea565c65a90de746b2f9f4bda5ea
Instruction ID: e6810aa35cc0b7628481310765fcc197df6856fc66cf271912a0487ab9b5e548
Opcode Fuzzy Hash: 8843edc1534e2d0a0ee6d5017267932f05dbea565c65a90de746b2f9f4bda5ea
Instruction Fuzzy Hash: D721F375A00104BBDF14AB64DC8EDFFB7B8EF45350F144129FD25A71E1DB744A0AA620

Function 00CC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC2F8D
LoadLibraryW.KERNEL32(?), ref: 00CC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC2FA9
DestroyWindow.USER32(?), ref: 00CC2FB1

Strings

SysAnimate32, xrefs: 00CC2F68

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction ID: e0ab4f80ed7a7112965bd3215bed84a85248fccd720db3586187332052d84b7a
Opcode Fuzzy Hash: 5745c1fb23d1c728b820a93630423e331855793af8e08bdf66d8c1e83fc1297a
Instruction Fuzzy Hash: 2421CD71600229AFEB218FA4DC80FBB77BDEB59364F10422CFA64D2190D771DC51A760

Function 00C54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002), ref: 00C54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C54D1E,00C628E9,?,00C54CBE,00C628E9,00CF88B8,0000000C,00C54E15,00C628E9,00000002,00000000), ref: 00C54DC3

Strings

mscoree.dll, xrefs: 00C54D86
CorExitProcess, xrefs: 00C54D98

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction ID: a0f3e871e1c1e71c19ed9ccc0ade0286e017a9aaf424186608b7b911e0e3adb0
Opcode Fuzzy Hash: 20e531e8b4a38674a46d969b008749eff97081a1880d04877313a8fb2dee8154
Instruction Fuzzy Hash: E7F0AF34A00208BBDB149F94DC89FEEBFF4EF04712F0400A4FD09A2260CB305A84DA94

Function 00C34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34EAE
FreeLibrary.KERNEL32(00000000,?,?,00C34EDD,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C34EA8
kernel32.dll, xrefs: 00C34E94

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction ID: 2230722403cb74e1c9c8f910f45e66a5402d8ef5cf33af1e4fbf79d46bf95cd3
Opcode Fuzzy Hash: 013d85ec19c4e6e4a3a25e80dfb7a06a14bd8f73b735e240de7e0330fceb10a4
Instruction Fuzzy Hash: 98E0CD36E115225BD2311726EC58F6FA554AFC1F62F090125FD08D2150DB60DE0240A1

Function 00C34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34E74
FreeLibrary.KERNEL32(00000000,?,?,00C73CDE,?,00D01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C34E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C34E6E
kernel32.dll, xrefs: 00C34E5B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction ID: d77244a13622a7278372d9f0474ee81c4ad6e73069f98e9894c7e04bcf7f6f79
Opcode Fuzzy Hash: 19a05df5d95f7e3181a265b87ad88e79f545d8a0667cd592c38273fb6398ce43
Instruction Fuzzy Hash: 4AD05B379126316756361B66FC5CF9FAA18AF85F517090525F919E2114CF60DF02C5D0

Function 00CA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2C05
DeleteFileW.KERNEL32(?), ref: 00CA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA2CC0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c68170915dea65d4d729f3905c2c3b43707c1b876c64180f2bc1a1f174668175
Instruction ID: a1348f93f34bec373b09833f29133a77fd68a50e5048e1a766e4c7385ecdd3f9
Opcode Fuzzy Hash: c68170915dea65d4d729f3905c2c3b43707c1b876c64180f2bc1a1f174668175
Instruction Fuzzy Hash: 7CB16E72D0012AABDF25DFA8CC85EDEB77DEF49314F1040A6FA09E6141EA319E449F61

Function 00CBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CBA468
CloseHandle.KERNEL32(?), ref: 00CBA63D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction ID: b6c3130789f53a5619f68c6bc33c205eca4be233cee6d74012a787131799cbf2
Opcode Fuzzy Hash: 852b64321e427ef3cbe11d8fac4b667a2872fd30bb17e11e01886def7128aa72
Instruction Fuzzy Hash: 5EA1A371604301AFD720DF28C886F6AB7E5AF88714F14885DF69A9B292D770ED41CB92

Function 00C6BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CD3700), ref: 00C6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D01270,000000FF,?,0000003F,00000000,?), ref: 00C6BC36
_free.LIBCMT ref: 00C6BB7F

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6BD4B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 175076604f42216f6b73d78f7c71971516e1a225be15e4a9d3196efab1075e00
Instruction ID: fc5d9fa502b77ccb7b6652e64f803c89e0bef43c06e08dbec32b203fad23bcb8
Opcode Fuzzy Hash: 175076604f42216f6b73d78f7c71971516e1a225be15e4a9d3196efab1075e00
Instruction Fuzzy Hash: C451B775900209AFCB30DF75DDC1AAEB7B8EF40350B10426AE564D72A1EB309F819B64

Function 00C9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C9CF22,?), ref: 00C9DDFD

Part of subcall function 00C9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C9CF22,?), ref: 00C9DE16

Part of subcall function 00C9E199: GetFileAttributesW.KERNEL32(?,00C9CF95), ref: 00C9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C9E473
MoveFileW.KERNEL32(?,?), ref: 00C9E4AC
_wcslen.LIBCMT ref: 00C9E5EB
_wcslen.LIBCMT ref: 00C9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C9E650

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction ID: 24edc0ceaa930685724101d4355b36567c6e35a4cef2328b866029c57e8153e3
Opcode Fuzzy Hash: f0a1e56b008663d0e2aac35998b12d444444886b6d810f8c22de06d4a44c7deb
Instruction Fuzzy Hash: F15172B24083859BCB24EB90DC859DFB3ECAF95340F00491EF599D3191EF74A688D76A

Function 00CBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00CBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CBB6AE,?,?), ref: 00CBC9B5
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBC9F1
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA68
Part of subcall function 00CBC998: _wcslen.LIBCMT ref: 00CBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CBBBB3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction ID: 0df58c10b1fce9c61eff87069ca39fb0e307e9befd26839c67c25b417fd48006
Opcode Fuzzy Hash: e3f7d7085079496f35565a1a533b180a7f3c553c8e70f243602c56b1e7a4611f
Instruction Fuzzy Hash: 1D619F31218241AFD714DF24C890F6ABBE5FF84308F14895CF49A8B2A2DB71ED45DB92

Function 00C98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98BCD
VariantClear.OLEAUT32 ref: 00C98C3E
VariantClear.OLEAUT32 ref: 00C98C9D
VariantClear.OLEAUT32(?), ref: 00C98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C98D3B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction ID: 1e1e3f0a0959502abee9eb98d0b1e81a9b67c6b3b03a7ba47bc5a835ba0151d0
Opcode Fuzzy Hash: c48b9a4aa1a6beb5cc96559c519c2a3f6e5fe570457f4dd566d3c699f51843c4
Instruction Fuzzy Hash: E55159B5A0021AEFCB14CF68C894EAAB7F8FF89310B158559E919DB350E730E911CF90

Function 00CA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CA8C5F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 36b7632bf37937e6d085a1f1092138f270a108dc8698d738c77cae73e248772c
Instruction ID: 8812142bae495b67768074fa59e336deba0e47c6c83c5e3b375ae1cfa43befa0
Opcode Fuzzy Hash: 36b7632bf37937e6d085a1f1092138f270a108dc8698d738c77cae73e248772c
Instruction Fuzzy Hash: E7513875A00219AFCB14DF65C880A6EBBF5FF49318F088058E849AB362CB31ED51DF90

Function 00CB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CB9032
FreeLibrary.KERNEL32(00000000), ref: 00CB9052

Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CA1043,?,7644E610), ref: 00C4F6E6
Part of subcall function 00C4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C8FA64,00000000,00000000,?,?,00CA1043,?,7644E610,?,00C8FA64), ref: 00C4F70D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction ID: e4296553283010fb5294a9131c3c8d953bed3c83b41bccb8093d004f03ff9f5b
Opcode Fuzzy Hash: 949b566d5e2d09f2fc08d080d788bfc8301b970745cae647260b59beaebcdf64
Instruction Fuzzy Hash: FE513735604205DFCB15EF58C4949EDBBB1FF49314F0880A8E91A9B362DB31EE86CB91

Function 00CC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CAAB79,00000000,00000000), ref: 00CC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CC6CC7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction ID: d8e3aa2ffee4f69217ff175e18781dccbd69c4a3bc906454edae5d6ea2d6a630
Opcode Fuzzy Hash: 7ff7d59b7c01b703bb24cfb4d3ec6e7b55bea524aaca8c4b0df5bb633d173a1a
Instruction Fuzzy Hash: 1441C535A04104AFD724CF29CE98FA97BA5EB09350F15026CF9A9E73E1C771EE41DA50

Function 00C62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C620C3
_free.LIBCMT ref: 00C620E3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction ID: 0b45cfedf8bdef17851273e0d9c075bc36c69aa5973b36ddb1e820d528b205a8
Opcode Fuzzy Hash: 3c99bab2d829d991c12d7363aa506eca89447b59b917057da368d53add887b96
Instruction Fuzzy Hash: C741B232A006049FCB34DF78C9C1A6DB7E5EF89314F154569E916EB392DA31AE01DB81

Function 00C4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C49141
ScreenToClient.USER32(00000000,?), ref: 00C4915E
GetAsyncKeyState.USER32(00000001), ref: 00C49183
GetAsyncKeyState.USER32(00000002), ref: 00C4919D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction ID: 26c2f5afdc02bd5e1ee43f1f6f35938ea7a162d955f5e0f51c59c7f1e9b30fff
Opcode Fuzzy Hash: d7fc327c22661e6a20fabe9a26759984c31db5cc2110875095b6606022a23f89
Instruction Fuzzy Hash: 1141403190851AFBDF15AF64C848BEEB774FB05324F204319E439A72D0D734AA50DB51

Function 00CA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CA3922
TranslateMessage.USER32(?), ref: 00CA394B
DispatchMessageW.USER32(?), ref: 00CA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA3966

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction ID: b8e5da05062753c603d3be1800a8c734406b83d8364946134f57ccfeb6f7f04a
Opcode Fuzzy Hash: eb55ccee983e85a92219e5c3c91cefaddac09ccfa7071f6f8c4bae77d620048b
Instruction Fuzzy Hash: E63185749043C39EEB25CB75D868BB737A8AB06308F04456DF47AC61E0E7B49785DB21

Function 00CACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CAC21E,00000000), ref: 00CACFF2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f5aac9f0a0d207fc49c31dce93ab191b25b1104ffaeb20f713a822c02f313a24
Instruction ID: 56883393f384b5514a094ab1567b609f193c736c0d86003c25f071c499595995
Opcode Fuzzy Hash: f5aac9f0a0d207fc49c31dce93ab191b25b1104ffaeb20f713a822c02f313a24
Instruction Fuzzy Hash: 7B314B71904206AFDB20DFE5CCC4AAEBBF9EB15359B10442EF51AD2150DB30AE41DB60

Function 00C91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C919E2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction ID: 6a96ed865d19a1192dc4d156b9e9f0f0d783a4bf95e03f22f6529f731b5c07a4
Opcode Fuzzy Hash: 2e044a2cfe9e5b640970413cf2ab21beb15abbe51d7ad71a5094ddf957e9f6e9
Instruction Fuzzy Hash: 8A319C71A0021AEFDB00CFA8C99EB9E3BB5EB04315F154229FD25A72D1C7709A54CB90

Function 00CC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CC579D
_wcslen.LIBCMT ref: 00CC57AF
_wcslen.LIBCMT ref: 00CC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction ID: 2ce8063b1c317b2f2de324dbaa907975eeb5bec223498e023514dc5b43223898
Opcode Fuzzy Hash: 9b9d3c9032c7fb313b86ddbb526e098689559e6d40e964c04a445dac07c52032
Instruction Fuzzy Hash: 8E216F75904618AADB209FA1CC85FEE77BCFF04724F10825AF929EA180D770AAC5CF54

Function 00CB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB0951
GetForegroundWindow.USER32 ref: 00CB0968
GetDC.USER32(00000000), ref: 00CB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CB09E8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction ID: 4227abba0c38bdbd7ed2fa88f04fc0b58952f15b7b27182ef079fb19324b1f16
Opcode Fuzzy Hash: 277239350bd44a39832c5ad2bf025e2df17b44b1bf87329b505fa803ed1d1b7e
Instruction Fuzzy Hash: E7218135A00204AFD704EF65C988FAEBBF9EF49740F148068F85A97752CB30AD04DB50

Function 00C6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C6CDE9

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C6CE0F
_free.LIBCMT ref: 00C6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C6CE31

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction ID: 520e5d7497bed13481133e2bd4dfc8a40a67dafed8a73d980125cfd5e437bf1d
Opcode Fuzzy Hash: 518ccf1167f5e0f110377b46e7bd4b81caf7af680443a7d5748e994343065e8a
Instruction Fuzzy Hash: D301D472A062157F233116B7ACC8E7F797DDEC6BA13190129F909C7201EA668E0191B0

Function 00C49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
SelectObject.GDI32(?,00000000), ref: 00C496A2
BeginPath.GDI32(?), ref: 00C496B9
SelectObject.GDI32(?,00000000), ref: 00C496E2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction ID: 7b2a34df3ef234e19b49f9a2b8cb72140a24f3ad77560a69252e470619fbb6e1
Opcode Fuzzy Hash: 7db561ce5a0cbb3b53164e08d96303524b9792648b557b037410be707195e395
Instruction Fuzzy Hash: E9213934802315EBDB119F65EC58BEE3BA9FB50365F15021AF428A62A0D3709992DFA4

Function 00C95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C95726
_memcmp.LIBVCRUNTIME ref: 00C95744
_memcmp.LIBVCRUNTIME ref: 00C95757
_memcmp.LIBVCRUNTIME ref: 00C9576F
_memcmp.LIBVCRUNTIME ref: 00C95787

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction ID: 0b26477cae86cf08df936a467a3a4ab51a3653dd54907bcfa8f52653a18d158c
Opcode Fuzzy Hash: 9e718d3c7bcd77f49c31ce5d394ac2a0bbeae16c63fc471ccc3f4e915c6e6042
Instruction Fuzzy Hash: 730145A5341608BBDA095651ED9AFBB334D9B20395F040038FD049A640F730EF5183A4

Function 00C62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C5F2DE,00C63863,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6), ref: 00C62DFD
_free.LIBCMT ref: 00C62E32
_free.LIBCMT ref: 00C62E59
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E66
SetLastError.KERNEL32(00000000,00C31129), ref: 00C62E6F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 82325e7e1fa29bf80e9aba94fb25ac567530fbf43e6fc0268105fd20d7893488
Instruction ID: 30fce1f55e9eb4f57f32697549e009b9219967923249df592822675ac97cb537
Opcode Fuzzy Hash: 82325e7e1fa29bf80e9aba94fb25ac567530fbf43e6fc0268105fd20d7893488
Instruction Fuzzy Hash: B801F436645E006BC73227356CC5F6F265DABD13A2B254038F435A22E3EB268D015120

Function 00C9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?,?,00C9035E), ref: 00C9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?), ref: 00C90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C8FF41,80070057,?,?), ref: 00C90070

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction ID: ec55ff35b4a0b7f0d49321ad77de1af904a1a372fbee323594b2943ebb8ce6be
Opcode Fuzzy Hash: 166fd4f53e66b26697edb8d864bd6b4a198247ce425d35b5763db28fa115e5bb
Instruction Fuzzy Hash: E3018B72600204BFDF108F69DC88FAE7BEDEB44792F245124F909D2210E775DE408BA0

Function 00C9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C9E9A5
Sleep.KERNEL32(00000000), ref: 00C9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C9E9B7
Sleep.KERNEL32 ref: 00C9E9F3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction ID: 7e650eb67f08105a2604ac07e1a5008ec795fd0854d4d6f178bcbf4bf239c1bc
Opcode Fuzzy Hash: 6806ac6c49335c9cd6249a2a583330c6e902b0f139060c4891d61dbdefc05438
Instruction Fuzzy Hash: A0011B31C01529DBCF00EBE5DC9DBDDBB78FB19701F060556E516B2151CB309A6587A1

Function 00C910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C90B9B,?,?,?), ref: 00C91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9114D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction ID: a12901f5b3a2fd9cea489fc2cfd959c69c8acd8a4fd1bab12fffd8b0b51cecc4
Opcode Fuzzy Hash: 51a606f756e26903688a9b39e70d1ef07c9edae9782f4b974f8f7dc9423ff424
Instruction Fuzzy Hash: 1C01F675200205BFDB114FA5DC8DF6E3B6EEF892A0B284419FA49D6260DB31DD119B60

Function 00C90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C91002

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction ID: 5aec05b60f408a881dbd5bda9915e64aa4cc75b0bf10ec12926145070bcbae9f
Opcode Fuzzy Hash: 9d996641d884b34500798d9a6552fefb450580f75ae716e0687d44884a2c5445
Instruction Fuzzy Hash: 34F03735200302EFDB214FA5EC8EF5A3BA9EF89762F184414FE5986251CA71D8508A60

Function 00C91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction ID: 2096eff65c76a88b5d559761f38e6cdc1b1c8691a58e10929df077afbaee4337
Opcode Fuzzy Hash: c03a1c6b25e023b6a9ba50ed474343f117fa8f32b75d345974f63f0271333c1f
Instruction Fuzzy Hash: 7BF06D35200302EBDB215FA5EC8DF5A3BADFF897A1F180414FE59C7250CA71D9508A60

Function 00CA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0324
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0331
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA033E
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA034B
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0358
CloseHandle.KERNEL32(?,?,?,?,00CA017D,?,00CA32FC,?,00000001,00C72592,?), ref: 00CA0365

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction ID: b55387ca4953e58ac621422dc86c8ebb9b99c9e428943070025b1a28e6f98aac
Opcode Fuzzy Hash: 8c23446e86373e27b75551ea40867caddd50d74ef94d1e46a31339cc2a71c9f5
Instruction Fuzzy Hash: 3601A272801B169FCB309F66D880816F7F5BF613593258A3FD1A652931C371AA54DF80

Function 00C6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C6D752

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C6D764
_free.LIBCMT ref: 00C6D776
_free.LIBCMT ref: 00C6D788
_free.LIBCMT ref: 00C6D79A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction ID: 11e1d4673e47b3ec5c00d1d865601c391c9908df6634cec7fe33d250efef2cd6
Opcode Fuzzy Hash: 8c070427638ae1afd4f02595af738164ccf61723c879832032a397fd6d678e6c
Instruction Fuzzy Hash: FAF03632B44608AB8635EB64FAC5E2A77DDBB44750B940C05F059D7545CB30FD80D666

Function 00C95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C95C6F
MessageBeep.USER32(00000000), ref: 00C95C87
KillTimer.USER32(?,0000040A), ref: 00C95CA3
EndDialog.USER32(?,00000001), ref: 00C95CBD

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction ID: 9257a76e6cc7fe96fa8fca62a221ce8d8021b4ab66b2bebf1588d3b113714bf7
Opcode Fuzzy Hash: 2ba5e4b91791abadb475487d633fd4e93a9cf1a4aa0421a738001d03d946c1b4
Instruction Fuzzy Hash: 7E018130500B04ABEF215B10DE8EFEA77B8BB04B05F000559F697A15E1DBF0AA848B90

Function 00C622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C622BE

Part of subcall function 00C629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000), ref: 00C629DE
Part of subcall function 00C629C8: GetLastError.KERNEL32(00000000,?,00C6D7D1,00000000,00000000,00000000,00000000,?,00C6D7F8,00000000,00000007,00000000,?,00C6DBF5,00000000,00000000), ref: 00C629F0

_free.LIBCMT ref: 00C622D0
_free.LIBCMT ref: 00C622E3
_free.LIBCMT ref: 00C622F4
_free.LIBCMT ref: 00C62305

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction ID: ace9e2f7105591842ce2a267224b4b38fae66df16f3a3070db84eda6d7016f92
Opcode Fuzzy Hash: 9b0528dea1c1aa2a9c3760d7c08ced89968f16a131cb65462f75733daf3a5e80
Instruction Fuzzy Hash: 06F03074600B159BC726AF64BC82B5C3FA4BB187A1B00050AF418D63B1C7300511BBB9

Function 00C495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C495D4
StrokeAndFillPath.GDI32(?,?,00C871F7,00000000,?,?,?), ref: 00C495F0
SelectObject.GDI32(?,00000000), ref: 00C49603
DeleteObject.GDI32 ref: 00C49616
StrokePath.GDI32(?), ref: 00C49631

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction ID: d789674bc78da7c305e5c217b2d11296c2737295910c6a72572f79a69608a7e3
Opcode Fuzzy Hash: 75bfaa51788037d2469a2fecd701c4d68752d09c0554f8b5a75cd1f33a375793
Instruction Fuzzy Hash: 67F0C439406308EBDB269F69ED5CBA93B65FB05322F148218F47E952F0C7348A95DF21

Function 00C60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C610F9
__freea.LIBCMT ref: 00C61117

Part of subcall function 00C61537: _free.LIBCMT ref: 00C6154F

Strings

am/pm, xrefs: 00C6117A
a/p, xrefs: 00C611DE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction ID: 20e0097986e4e7330544d680253aa87985fc2a0ecc73897bceb1be608a978a1c
Opcode Fuzzy Hash: cbb427ce8cc57e884b8159d1ebdb11bbedca9757d063f56e0493bcb83479d97d
Instruction Fuzzy Hash: 14D1E131900246DADB349F69C8D57BEB7B1EF06302F2C4169ED26AB761D3359E80CB91

Function 00CB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C50242: EnterCriticalSection.KERNEL32(00D0070C,00D01884,?,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5024D
Part of subcall function 00C50242: LeaveCriticalSection.KERNEL32(00D0070C,?,00C4198B,00D02518,?,?,?,00C312F9,00000000), ref: 00C5028A

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C500A3: __onexit.LIBCMT ref: 00C500A9

__Init_thread_footer.LIBCMT ref: 00CB7BFB

Part of subcall function 00C501F8: EnterCriticalSection.KERNEL32(00D0070C,?,?,00C48747,00D02514), ref: 00C50202
Part of subcall function 00C501F8: LeaveCriticalSection.KERNEL32(00D0070C,?,00C48747,00D02514), ref: 00C50235

Strings

G, xrefs: 00CB7C7F
5, xrefs: 00CB7C78
Variable must be of type 'Object'., xrefs: 00CB7C3A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: d867ec5bbad0621b68544678c8fce1b9b6f0c8af52d78db176b23f0e6726706d
Instruction ID: f1b049db6835b94c8651afd2c432c79406bb50b0670ba123dd406fdbd6a89b95
Opcode Fuzzy Hash: d867ec5bbad0621b68544678c8fce1b9b6f0c8af52d78db176b23f0e6726706d
Instruction Fuzzy Hash: BA91AC70A04209AFCF14EF64D895DEDBBB1FF84300F108159F8169B292DB71AE45DB51

Function 00C92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921D0,?,?,00000034,00000800,?,00000034), ref: 00C9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C92760

Part of subcall function 00C9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C9B3F8

Part of subcall function 00C9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C9B355
Part of subcall function 00C9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B365
Part of subcall function 00C9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C92194,00000034,?,?,00001004,00000000,00000000), ref: 00C9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9281A

Strings

@, xrefs: 00C92832

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction ID: 1bd1f3fa693d0337665e4423c3fdf301601af7dda207a1a9defad1b88b266bd6
Opcode Fuzzy Hash: 36202684350bd372df99ee0791b4731bbfc50bdd4727617ecd3115dccf1e80ac
Instruction Fuzzy Hash: 97410972900218BFDF10DBA4D985FEEBBB8AF09700F104095FA95B7191DA706E45DBA1

Function 00C6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C61769
_free.LIBCMT ref: 00C61834
_free.LIBCMT ref: 00C6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C61760, 00C61767, 00C61796, 00C617CE

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction ID: 198e8ea7c9d3ecd962c8319f16e11a470ec99600c01c645ac733599fa0e3edb7
Opcode Fuzzy Hash: edb4bedccc5ff8f1ba92d1dbf30bb3c4626bd1c931d52b657bd1b72483f963db
Instruction Fuzzy Hash: 95317E75A00218EBDB31DF9A98C5E9EBBFCEB89311B18416AF814D7251D6708A41DBA0

Function 00C9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D01990,00FA53B0), ref: 00C9C395

Strings

0, xrefs: 00C9C2DF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction ID: e9aeb6cad25199ca9322eaa7fec9cc5d53e22351a3c4c1de0370df328183788d
Opcode Fuzzy Hash: eb5f2937f63a31392ace18222f87427af98d6e1e4f806c669d28ab0af9fc6b50
Instruction Fuzzy Hash: 3141BF712443019FDB20DF29D8C8B9ABBE8BF85320F008A5DF8A5972E1D770E904DB52

Function 00CC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CCCC08,00000000,?,?,?,?), ref: 00CC44AA
GetWindowLongW.USER32 ref: 00CC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC44D7

Strings

SysTreeView32, xrefs: 00CC447C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction ID: 253494e1b93a039b6187cc0266705200565c960ae6555fd9b94cd063ba61b760
Opcode Fuzzy Hash: efd30859a244153a7f44b296760d990e6e17070effd2ea9059e99f8771df6610
Instruction Fuzzy Hash: 93319C31210605AFDB288F38DC95FEA7BA9EB08334F208729F979921E0D770ED519B50

Function 00CB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CB3077,?,?), ref: 00CB3378

inet_addr.WSOCK32(?), ref: 00CB307A
_wcslen.LIBCMT ref: 00CB309B
htons.WSOCK32(00000000), ref: 00CB3106

Strings

255.255.255.255, xrefs: 00CB3095, 00CB309A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction ID: 9ed496df6e18e632ded9c0e08c5ed83564bdf273f9e03e646bb5206f2f1df04d
Opcode Fuzzy Hash: ff8f41cbc1beadd93694649c1a99bfa1d0eabb49fda64a33dee5569410bab7d5
Instruction Fuzzy Hash: 6331E1396002819FCB10DF68D885EAA77E4EF54318F248059E8258B3A2DB72EF45CB60

Function 00CC3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CC3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CC3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC3F78

Strings

SysMonthCal32, xrefs: 00CC3F0B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8c45e825696f12006024c46b1b011eb210cd9bed9325b1e4239c0940c30f5713
Instruction ID: ab29ad5064a6cfd5d271c4a4561f2913605a27f5ea4da6f5697646492cbe8aeb
Opcode Fuzzy Hash: 8c45e825696f12006024c46b1b011eb210cd9bed9325b1e4239c0940c30f5713
Instruction Fuzzy Hash: 5B21BC32610219BFDF258F90DC86FEE3B79EB48714F114258FA19AB1D0D6B1AD509BA0

Function 00CC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC471A

Strings

msctls_updown32, xrefs: 00CC4684

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction ID: 24f99df6ccbf2c6ded382081880749807d4a528ff35cc5018bf430d0cf7fc625
Opcode Fuzzy Hash: 5105a0d916c44058516ab0f221be4e9a5ff67aa4aafaf01160305cc95b252e7c
Instruction Fuzzy Hash: 87215CB5600208AFDB14DF64DCD1EAB37ADEB4A3A4B044059FA14DB351CB30ED51DB60

Function 00C995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9961D

Strings

#requireadmin, xrefs: 00C995D9
#OnAutoItStartRegister, xrefs: 00C995F3
#notrayicon, xrefs: 00C995B7

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2bad58a0a1d52c4b4c675f56c3ab5106971010f48521848f3ccc2102f77c4924
Instruction ID: 7d4f6ad599985fc03118a6fe757838d29c2b5726e5102a109b3d920b7fd6d5a1
Opcode Fuzzy Hash: 2bad58a0a1d52c4b4c675f56c3ab5106971010f48521848f3ccc2102f77c4924
Instruction Fuzzy Hash: 15213872104510A6DB31AB2DDC1AFB773A8DF51310F10402EF95997041EBB1EE86D2D5

Function 00CC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CC3876

Strings

Listbox, xrefs: 00CC380F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction ID: 6d2a718a3ea56d4afb1a4a24450338be5da37aafab9bfa894d2212bb0657e451
Opcode Fuzzy Hash: 8202aed76fe7bb7c2e43ef5e825292366287ffad08f94f6ba78909b1ba808130
Instruction Fuzzy Hash: 3E21BE72610218BBEB219F54EC85FBB376EEF89750F118129F9149B190C671DD528BA0

Function 00CA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00CCCC08), ref: 00CA4AD0

Strings

%lu, xrefs: 00CA4A6F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction ID: bf6b4b7f83e0fa76febc2376d90e31f91ef5b070be9edd19c77ee74782443f6e
Opcode Fuzzy Hash: a9ee310a4edb3b921443049864cbd6d3561cfa90c9d61698489fb8038de37a54
Instruction Fuzzy Hash: DA317171A00109AFDB10DF54C885EAE7BF8EF49308F1480A9F909DB252D771EE46DB61

Function 00CC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CC4271

Strings

msctls_trackbar32, xrefs: 00CC4226

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction ID: c0be4c41a019a79f4f143f94d32eb74c01fda5eac1dd828fbfb876eab3f8acb1
Opcode Fuzzy Hash: 9d081a1ad0f4a25b998c0cb5e89fa050377d21fb2a128f2ed09a74d367530c53
Instruction Fuzzy Hash: 1D110232240208BEEF205F29CC46FAB3BACEF85B64F014128FA55E20A0D271DC619B20

Function 00C92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C36B57: _wcslen.LIBCMT ref: 00C36B6A

Part of subcall function 00C92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
Part of subcall function 00C92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
Part of subcall function 00C92DA7: GetCurrentThreadId.KERNEL32 ref: 00C92DDD
Part of subcall function 00C92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

GetFocus.USER32 ref: 00C92F78

Part of subcall function 00C92DEE: GetParent.USER32(00000000), ref: 00C92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C92FC3
EnumChildWindows.USER32(?,00C9303B), ref: 00C92FEB

Strings

%s%d, xrefs: 00C92FFF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction ID: 59d947b1ec7317a189784d33b45e7b7b5bb5672e27b958e00940aa0a7c742d95
Opcode Fuzzy Hash: 8e6c9eb609b38340e9670271d469c02bb59f6c79a47ed558bb0924682afd183a
Instruction Fuzzy Hash: 3F11AF716002456BCF147F60CCC9FEE776AAF84304F048079FA099B292DF309A4AEB60

Function 00CC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CC58EE
DrawMenuBar.USER32(?), ref: 00CC58FD

Strings

0, xrefs: 00CC588F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2f65c5c3ea421211cbbb4b2aeb3bdb72941a45b3cbe042045787be1cc0a13686
Instruction ID: e1d744c47e9d74e15f269c5202e06163c8276b9fcbcf3a65c23054da346e7dbe
Opcode Fuzzy Hash: 2f65c5c3ea421211cbbb4b2aeb3bdb72941a45b3cbe042045787be1cc0a13686
Instruction Fuzzy Hash: EF011771500218EEDB219F11DC44FAEBBB8FB85361F1080ADE849D6251DB319A96EF21

Function 00C8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C8D3BF
FreeLibrary.KERNEL32 ref: 00C8D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00C8D3B9
X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction ID: 28b67d44da87af34656fe8025f6c7d103c5659b433748ba0fd07151311cef336
Opcode Fuzzy Hash: 427a6e91d40d75c0c5cb6f1b12fe0fb1f9d0a5db18aa6ec51d575dde7cbc9b17
Instruction Fuzzy Hash: ECF0AB71841A20EBCB313212DC98F6D7320AF10705F5D816CF80BE21D4DB20CF41839A

Function 00C9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction ID: ab210d7ed624c178e5d052448a251ca557eada402a2d3573f19f1a4858a16d10
Opcode Fuzzy Hash: 8579415b3985e3c28030e7e900ad01684dbdc9ebbf9d9e57542da4e5fedff527
Instruction Fuzzy Hash: CBC12B75A00216EFDB14CFA4C898BAEB7B5FF48704F208598E915EB261D731DE81DB90

Function 00C63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C63F0B
__alldvrm.LIBCMT ref: 00C6410C
__alldvrm.LIBCMT ref: 00C6412E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 74dd1a6d1f4c88daba86cb50b780720eaaf84e5f66765901e2a165da7037f557
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3DA17971E003969FDB3ACF58C8C17AEBBE4EF62350F1841ADE5959B281C2348E81C751

Function 00CB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CB3459
CoUninitialize.OLE32 ref: 00CB3463
VariantInit.OLEAUT32(?), ref: 00CB346E
VariantClear.OLEAUT32(?), ref: 00CB371B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: db8eb8b89f9eede147ea6de43d5be2a46d49c9207063b0885508564f7a00fdaf
Instruction ID: 57012c5b9e42c1c4468febca0c5186d999b2a3fe36afd3b4c37dfe4b144c03f5
Opcode Fuzzy Hash: db8eb8b89f9eede147ea6de43d5be2a46d49c9207063b0885508564f7a00fdaf
Instruction Fuzzy Hash: 3CA188756143009FCB14DF29C485A6AB7E4FF88314F04895DF98AAB362DB30EE05DB92

Function 00C90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C90608
CLSIDFromProgID.OLE32(?,?,00000000,00CCCC40,000000FF,?,00000000,00000800,00000000,?,00CCFC08,?), ref: 00C9062D
_memcmp.LIBVCRUNTIME ref: 00C9064E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction ID: e7f8b2844b528f5b02ede13289d0bb70d7948ec82ac9ab015f070df90430099b
Opcode Fuzzy Hash: a5a24ec1ca5c99f23a153071bbab85e6240882d745db27877064982544b49cfb
Instruction Fuzzy Hash: 9F81B475A00109AFCF04DF94C988EAEB7B9FF89315F204598F516AB250DB71AE46CB60

Function 00CBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CBA6BA

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CBA79C
CloseHandle.KERNEL32(00000000), ref: 00CBA7AB

Part of subcall function 00C4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C73303,?), ref: 00C4CE8A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: be83426392cd41ae765d20f9982c8ae7d3364a5677956b397f9a3ad62296962b
Instruction ID: 9ad51539b33a7f3c611a5cff5dc4c0754e4c6333f9c09d796db1214be31260f0
Opcode Fuzzy Hash: be83426392cd41ae765d20f9982c8ae7d3364a5677956b397f9a3ad62296962b
Instruction Fuzzy Hash: 91513AB1508300AFD710EF25C886A6FBBE8FF89754F00891DF599972A1EB71D904DB92

Function 00C71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C714C0

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 12626538c20106027fba629b82c6e62a9daf3166c55bd999395b0f4a28f60a47
Instruction ID: eb7a96c11009e716454cbbf47ed880375512e184108f4fe7a524eeeec498ffaf
Opcode Fuzzy Hash: 12626538c20106027fba629b82c6e62a9daf3166c55bd999395b0f4a28f60a47
Instruction Fuzzy Hash: 77415F756005006BDB356BFD8C86ABE3AA5EF41770F2CC625FC2DD7191E6348A427272

Function 00CC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC62E2
ScreenToClient.USER32(?,?), ref: 00CC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CC6382

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction ID: 05cd4f169e47fe2323f7c252066a1b049e6570c4ebb9d70f12b7df7376d9d735
Opcode Fuzzy Hash: 82d39dacfa54be5194551c17898c9c4e29ff3b54473030ef8ca237af92fa149e
Instruction Fuzzy Hash: 33510A74A00249EFDB10DF68DA80EAE7BB5EF45360F14816DF9659B2A0D730EE81CB50

Function 00CB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CB1AFD
WSAGetLastError.WSOCK32 ref: 00CB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB1B8A
WSAGetLastError.WSOCK32 ref: 00CB1B94

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction ID: 1d34c62d13e3490934d58b8550b57138d18f2a41a8d64c43758e7b205a4d7949
Opcode Fuzzy Hash: 6925a7f7de2e10ead3e92ef1e9b3df1320226147c7b96eb1774bbd63aac307a0
Instruction Fuzzy Hash: 8341D074640200AFE720AF24C886F6A77E5AB44718F58C44CFA2A9F3D3D772ED419B90

Function 00C6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction ID: 242fdd91a851fc517375f8edccb7809b7aad17c993a32df740e3191036d5d1e4
Opcode Fuzzy Hash: d5d059b0dca9e5eefdb9e358d47f21e81204254b56331e85d08dfa44b5ca0d9a
Instruction Fuzzy Hash: F3413871A00314AFD734AF38CC81BBABBE9EB84710F10852EF556DB281D7719D818790

Function 00CA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CA5783
GetLastError.KERNEL32(?,00000000), ref: 00CA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CA57FA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction ID: f3c93116c56df0b1292719617f0a30c4cb4dca18090b00023ff05dd77d1d3220
Opcode Fuzzy Hash: 4968716e6bd8a19b12b974850041adacb4dcf3de453e42a83628af19d6bfbe78
Instruction Fuzzy Hash: 21413E39610611DFCB25DF15C484A5DBBE1EF49324F18C488E85AAB362CB34FD00DB91

Function 00C6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C56D71,00000000,00000000,00C582D9,?,00C582D9,?,00000001,00C56D71,8BE85006,00000001,00C582D9,00C582D9), ref: 00C6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C6D9AB
__freea.LIBCMT ref: 00C6D9B4

Part of subcall function 00C63820: RtlAllocateHeap.NTDLL(00000000,?,00D01444,?,00C4FDF5,?,?,00C3A976,00000010,00D01440,00C313FC,?,00C313C6,?,00C31129), ref: 00C63852

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction ID: da0e26a0042c6b59f55d420ab6fa07edd6f92e725fd62458a37764d1d553c2bc
Opcode Fuzzy Hash: 52f2bb7d4744849122251456e54c61058422e85a2fe07fe976c2791a7bdbeb96
Instruction Fuzzy Hash: 5631D072A1020AABDF249F65DC85EAF7BA5EB40310B054168FC15D7150EB35CE54DB90

Function 00CC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CC5352
GetWindowLongW.USER32(?,000000F0), ref: 00CC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC53A8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction ID: e16e33f28c18d0ce9f0479dfdd5ac617d53fce54df41cf73636e253f65bb03ec
Opcode Fuzzy Hash: 995147ffcebcc0dbeef3cd292a9962913d3b117009e6cd5667ce6508e819089f
Instruction Fuzzy Hash: CF31C234B55A88EFEB309F14CC45FE87765AB04390F5C410AFA25962F1C7B0BAC0AB51

Function 00C9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00C9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C9AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00C9ACC6

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction ID: a40d70bf28f78054702df0dea4cdffe0386ffee576b9b486bdca9c5fe32ca850
Opcode Fuzzy Hash: 53c5f3d72d75b7bdeeccc60faeb698289c5d038a8363d740a72bf7f15051e4f2
Instruction Fuzzy Hash: 82310730A007186FEF35CB69CC0CBFE7BA5AB89311F04471AE4A59A1D1C3768A8597D2

Function 00CC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CC769A
GetWindowRect.USER32(?,?), ref: 00CC7710
PtInRect.USER32(?,?,00CC8B89), ref: 00CC7720
MessageBeep.USER32(00000000), ref: 00CC778C

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction ID: 6f104d155bb542ab8f5c4dc202c79a205c7201e7e2ed4e54f300db2a29f31301
Opcode Fuzzy Hash: 8a2dd30742a4cca754f144abd2130697c26e51f9e5907b1515686c9604262967
Instruction Fuzzy Hash: 22415B38A052189FCB12CF68D894FA977F5FB49314F1542ADE428DB261C730EA41CF90

Function 00CC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CC16EB

Part of subcall function 00C93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C93A57
Part of subcall function 00C93A3D: GetCurrentThreadId.KERNEL32 ref: 00C93A5E
Part of subcall function 00C93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C925B3), ref: 00C93A65

GetCaretPos.USER32(?), ref: 00CC16FF
ClientToScreen.USER32(00000000,?), ref: 00CC174C
GetForegroundWindow.USER32 ref: 00CC1752

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction ID: 575bcfbda4dbb4dc14a448b5a5a2b6a378fbb6838ff3fa0c27a80ebb654641bf
Opcode Fuzzy Hash: f920892dd94352dd4080fbf10a8308293e71f06a4974a42c0351b73f5a344c7f
Instruction Fuzzy Hash: B9315075D10149AFCB04EFAAC8C1DAEB7F9EF49304B5480A9E415E7212DB319E45DFA0

Function 00C9DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

_wcslen.LIBCMT ref: 00C9DFCB
_wcslen.LIBCMT ref: 00C9DFE2
_wcslen.LIBCMT ref: 00C9E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C9E018

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e6786b2fe287fbbddfae095799da3cbd3fba5f4c3bff1cf01f4b4bd300c44840
Instruction ID: c391ee3109276453f87cd2633034b9c7f9610d7dc0a9b7fa19a3d3308f240e86
Opcode Fuzzy Hash: e6786b2fe287fbbddfae095799da3cbd3fba5f4c3bff1cf01f4b4bd300c44840
Instruction Fuzzy Hash: AB21A175D00214AFCB20DFA8D982BAEB7F8EF45750F144069E905BB245D6709E81DBA1

Function 00CC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetCursorPos.USER32(?), ref: 00CC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C87711,?,?,?,?,?), ref: 00CC9016
GetCursorPos.USER32(?), ref: 00CC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C87711,?,?,?), ref: 00CC9094

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction ID: 038777007b108485128f51c0c3cbc68315fe3b3edd7e10a83ecd23074e06a723
Opcode Fuzzy Hash: e50552c74fee8a88b02070bec5e1874550844f23bd628c673b77456fd14782d3
Instruction Fuzzy Hash: 56217C35600118EFDB258F94D898FEA7BB9EB8D350F144069F9198B2A1C7319A90EB60

Function 00C9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CCCB68), ref: 00C9D2FB
GetLastError.KERNEL32 ref: 00C9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CCCB68), ref: 00C9D376

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction ID: 7f905be847fee09507ea24f2ba22cb3dd78e36704bd0f9366be9ca9b45a8f970
Opcode Fuzzy Hash: 52dee55598d629c2a8cc03cf6d5a74aa313ac19e48a463f49fd1e122219a2e84
Instruction Fuzzy Hash: 2F218D705082019F8B00DF28C88596EB7F4FF56365F104A1DF4AAE32A1D730DA46CB93

Function 00C91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9102A
Part of subcall function 00C91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C91036
Part of subcall function 00C91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91045
Part of subcall function 00C91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9104C
Part of subcall function 00C91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C915BE
_memcmp.LIBVCRUNTIME ref: 00C915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C91617
HeapFree.KERNEL32(00000000), ref: 00C9161E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction ID: debbf63a68ead846fcac61f539add0e718f257ab83ee1d6fb666542ce4410a37
Opcode Fuzzy Hash: 13703f153b899b8eedf4ad04cd445457f518c4d6dc906506d47f24ef250642c2
Instruction Fuzzy Hash: AD217A31E4010AAFDF00DFA4C94ABEEB7B8EF44354F094459E855AB241E730AB05DBA0

Function 00CC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC2840

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction ID: 5f80873af8ffd701f5d6257b12025decfc194377e55663372acd5bf0bbca0da5
Opcode Fuzzy Hash: 1e50bc3adf6bde1f69dbf7be0c982b2fbba510bc1c6ae79e7a06680e4503f275
Instruction Fuzzy Hash: 9521B035204511AFD714DB24C895FAA7BA5EF85324F14815CF42ACB6E2CB71FD82CB90

Function 00C978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98D8C
Part of subcall function 00C98D7D: lstrcpyW.KERNEL32(00000000,?,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C98DB2
Part of subcall function 00C98D7D: lstrcmpiW.KERNEL32(00000000,?,00C9790A,?,000000FF,?,00C98754,00000000,?,0000001C,?,?), ref: 00C98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97923
lstrcpyW.KERNEL32(00000000,?,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C98754,00000000,?,0000001C,?,?,00000000), ref: 00C97984

Strings

cdecl, xrefs: 00C9797B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1df5be5a3fedbe743bc69503551f8b4796d522743f430f114f5c522895bc08dc
Instruction ID: 13f433af09cc8294011cac38e70865225bca86a4023854371fedade771986d52
Opcode Fuzzy Hash: 1df5be5a3fedbe743bc69503551f8b4796d522743f430f114f5c522895bc08dc
Instruction Fuzzy Hash: 1711263A201302AFCF15AF35D848E7B77A9FF85750B10412AF906CB2A4EF319901D7A1

Function 00CC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CAB7AD,00000000), ref: 00CC7D6B

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction ID: 256e5b19cfe5aa10f1b66f65ca7aeb7578040d0c6c614477809e3b411021af6c
Opcode Fuzzy Hash: 9c045e9ef20e1fd912425aeee36b36b37f7e537e42ef4077e448e25ae44dfaf9
Instruction Fuzzy Hash: 58115C36605615AFCB109F28DC44FAA3BA5EF45360F258728F83AD72E0D7309A51DF90

Function 00CC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CC56BB
_wcslen.LIBCMT ref: 00CC56CD
_wcslen.LIBCMT ref: 00CC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC5816

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction ID: afaec9130d98ff7382f9d77ff4a79dab6c7950e060ab58a7bbfa046ce39ff4eb
Opcode Fuzzy Hash: feeaa1b9e53d9ec9da69101d1774e3590c58ec26f255f8c896dde853b13279b3
Instruction Fuzzy Hash: D611D375A00608A6DF20DF65CC85FEE77ACEF11764B10416EF925D6181E770EAC4CB64

Function 00C61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cc64deef60291166ee6079e2a1516e06516f17cc3081aec2a95fd09159b634
Instruction ID: 5077cb2bd06ec382f9cd1906900ad6eca93097aa33ab2f291b86636ff7e43c4e
Opcode Fuzzy Hash: a6cc64deef60291166ee6079e2a1516e06516f17cc3081aec2a95fd09159b634
Instruction Fuzzy Hash: 8001D1B2609A163EFA322A796CC1F2B661CDF817B9F3C0325F931A12D2DB608D406170

Function 00C91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C91A8A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction ID: 35793562e6b7ff33a07fbdcd17bbc9d3b12ef654ca2f11f340397b1c93e73f2e
Opcode Fuzzy Hash: 400b5feab5103df4dfc93fc1b9e72ca6e3d6b4778da65e4e1191c0c3258d92fc
Instruction Fuzzy Hash: 0F11F73AD01219FFEF119BA5C985FADBB78EB08750F240091EA14B7290DA716E50EB94

Function 00C9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C9E24D

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction ID: e2ae8dc95244783b38f786ca216041c805aa695ccafc381b7bbceabe67e9b63c
Opcode Fuzzy Hash: fcbdc133beec82da6ff7cc3e8265815b4b2b75c540b3a3c902966c6f5daa6c4c
Instruction Fuzzy Hash: 2011A176904258BBCB01DBA8EC49B9E7BACAB45720F144265F929E3391D6B0CA0487A0

Function 00C5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C5CFF9,00000000,00000004,00000000), ref: 00C5D218
GetLastError.KERNEL32 ref: 00C5D224
__dosmaperr.LIBCMT ref: 00C5D22B
ResumeThread.KERNEL32(00000000), ref: 00C5D249

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction ID: 97ef18a95fb2ff94235b1752317ac3ef33dd1763e3773295e2b56a223b8a7db7
Opcode Fuzzy Hash: fa697764b90894e4584070dbc9067ec4d6c3822602bc722ce82aed3bc66637b0
Instruction Fuzzy Hash: D501D67A4053047BC7315BA6DC45BAF7A69DF81333F140219FD26921D0DB70CD8AD6A4

Function 00CC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C49BB2

GetClientRect.USER32(?,?), ref: 00CC9F31
GetCursorPos.USER32(?), ref: 00CC9F3B
ScreenToClient.USER32(?,?), ref: 00CC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CC9F7A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction ID: f3043a2843e9e962fe50c3eda824a805e3cb2b68c2915ad7c395d50d5753ab4f
Opcode Fuzzy Hash: f5645cf8ab6500bc6e75ecac6f22d4305558b5ed8dbb610850bac928f5444d8d
Instruction Fuzzy Hash: 4911153690021AEBDB10DFA8D889FEE77B9FB45311F000459F911E3150D730BA92DBA1

Function 00C3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
GetStockObject.GDI32(00000011), ref: 00C36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction ID: d78d44e4792580d4151fcd0acbb8cb1dec2101a5590c1fd7fd269794397018e3
Opcode Fuzzy Hash: 823bb90a730aceae243310f73d50048abb2cadc8ea5512b82c33d9f45d163178
Instruction Fuzzy Hash: 44115B72511509BFEF164FA4DC85FEEBF69EF093A4F044215FA2892110DB32DD60ABA4

Function 00C53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C53B56

Part of subcall function 00C53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C53AD2
Part of subcall function 00C53AA3: ___AdjustPointer.LIBCMT ref: 00C53AED

_UnwindNestedFrames.LIBCMT ref: 00C53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C53BA4

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d910e29e8ea132157d5c74ffd3aa5886169b47873306381bcb278e6d3e459757
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 76014C36100188BBDF125E95CC42EEB3F6EEF88799F044014FE5896121C732E9A5EBA4

Function 00C63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C313C6,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue), ref: 00C630A5
GetLastError.KERNEL32(?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000,00000364,?,00C62E46), ref: 00C630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C6301A,00C313C6,00000000,00000000,00000000,?,00C6328B,00000006,FlsSetValue,00CD2290,FlsSetValue,00000000), ref: 00C630BF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction ID: 5f3e3869453636294de3c1d20d151a1e6b57e0a84a514f47c123de8fa8036065
Opcode Fuzzy Hash: 8a7b1f73d673fe37de4ad697da77f9882ce14713afde59a9334cd63394529629
Instruction Fuzzy Hash: 0601F732301262ABCB314B79ECC4F5B7B98EF45BA1B140620F929E3180C721DA0AC7E0

Function 00C97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C974CA

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction ID: 488b5e183bbab7b37841fb289aa221399bfcf3b45fb18ba3f8f24424732e86f1
Opcode Fuzzy Hash: 69fe6135a163bac38071e5037b9945b8b82368af5ff1a406cc59e59167008669
Instruction Fuzzy Hash: B7118EB12163109BEB20CF15DC4CFA67BFCEB00B00F108669E62AD6152D770E944DF90

Function 00C9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C9ACD3,?,00008000), ref: 00C9B126

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction ID: 1208956aa9af2cdcafc73c82a0c1c40beb81715f5f289ba78e008f5d6782ce98
Opcode Fuzzy Hash: df25b6a31f77c47dc56574c3db8eddf731be18666602d2483071e43cb77474d9
Instruction Fuzzy Hash: 30115B71C01A2CE7CF00AFE5EAACBEEBB78FF49711F114095D951B2181CB305A508B91

Function 00CC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CC7E33
ScreenToClient.USER32(?,?), ref: 00CC7E4B
ScreenToClient.USER32(?,?), ref: 00CC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC7E8A

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 04cce1db3ea1b0fb58f06601649ad4dddd5234f9ab7df95e6eade4466c877d55
Instruction ID: 2d03299726cfe0aaf1d16d44def0655732224d2a548abf6ea935454206d9d8fc
Opcode Fuzzy Hash: 04cce1db3ea1b0fb58f06601649ad4dddd5234f9ab7df95e6eade4466c877d55
Instruction Fuzzy Hash: 9F1114B9D0024AAFDB41DF98C984AEEBBF5FF08310F505156E915E3210D735AA55CF50

Function 00C92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C92DD6
GetCurrentThreadId.KERNEL32 ref: 00C92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C92DE4

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction ID: ed0e519ce739e8319a1a86139f87005dac7e0ce0867b7482366e7c74c0bd9125
Opcode Fuzzy Hash: 725f3748408bf7ef6fa271f1e4ee6969eda777afcc71d3dd894559b83075ab96
Instruction Fuzzy Hash: 17E01272501224BBDB201B73DD8DFEF7E6CEF56BA5F450115F50AD10909AA5C941C6B0

Function 00CC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C49693
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496A2
Part of subcall function 00C49639: BeginPath.GDI32(?), ref: 00C496B9
Part of subcall function 00C49639: SelectObject.GDI32(?,00000000), ref: 00C496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CC8887
LineTo.GDI32(?,?,?), ref: 00CC8894
EndPath.GDI32(?), ref: 00CC88A4
StrokePath.GDI32(?), ref: 00CC88B2

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction ID: d21caaa4036f4b54312444ef5d140bc51d8a8ce1478e7ffef1af63480003b1c3
Opcode Fuzzy Hash: 39fc6902f88679c7e899c97ac86daac7880f416cecb8438bc4f3e64b52288ca8
Instruction Fuzzy Hash: 6AF05E36041258FADB125F94EC09FDE3F59AF06710F048004FA65655E1C7755611DFE5

Function 00C498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C498CC
SetTextColor.GDI32(?,?), ref: 00C498D6
SetBkMode.GDI32(?,00000001), ref: 00C498E9
GetStockObject.GDI32(00000005), ref: 00C498F1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction ID: 26d9d8f2bb20daa6e2612d922e01c39b8cba2f5a8dc0c21557d63a19b1d89f9a
Opcode Fuzzy Hash: 95cd2c782d7569e09f337f745de2d6cd10758a0acea180ec9c6677fe69dce527
Instruction Fuzzy Hash: A6E03931644280AADB215B75EC49BED3B20AB52336F188219F6BE980E1C37286409B10

Function 00C9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C911D9), ref: 00C91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C911D9), ref: 00C9164F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction ID: 41aceaa9b3775fab5abb1196cfd9964758b70b3bbace6a278b9d42ec109ea27e
Opcode Fuzzy Hash: 65a54fc3f4ed23bd3e33fb43e4e4f566a032cade09bd17f2bab0c179fd5e9287
Instruction Fuzzy Hash: 99E08671A01211DBDB201FA0ED4DF8A3B7CFF44791F1C4808F659C9090D634C541C750

Function 00C8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D858
GetDC.USER32(00000000), ref: 00C8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction ID: 6886d425e40ad54f40b5abbd3eea32afe52202a541da1d3ee23ff84e0b350cde
Opcode Fuzzy Hash: 7c81b774073f072a492682d729cd9c25bf5ee51c2df7edd5cd709eb1cd0999a0
Instruction Fuzzy Hash: E6E0BFB5800205DFCF41AFA5D98CB6DBBB5FB08311F148459F85BE7250C7399942AF50

Function 00C8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8D86C
GetDC.USER32(00000000), ref: 00C8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C8D882
ReleaseDC.USER32(?), ref: 00C8D8A3

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction ID: b6e28d021bed072ee2a4a20b8031e96b4221a5833d7512a2307dcea63ad09873
Opcode Fuzzy Hash: ebb2e1ea9bc7a8e0dadb15458329f2ed162a35c629c18b7d71de53152e7421f8
Instruction Fuzzy Hash: 4DE0B6B5C00204EFCF51AFA5D98CB6DBBB5FB08311F148449F95AE7250CB399902AF50

Function 00CA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C37620: _wcslen.LIBCMT ref: 00C37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CA4ED4

Strings

*, xrefs: 00CA4E10
LPT, xrefs: 00CA4DFB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: cd4ac08f31b995d5aaab7a91dd3927edd834d829c87bbcfa97f47e2de91ecbdc
Instruction ID: dc6c6f2879f080911fe12c29f74736a496dd06d02ec01e9e1549b67d070b37d9
Opcode Fuzzy Hash: cd4ac08f31b995d5aaab7a91dd3927edd834d829c87bbcfa97f47e2de91ecbdc
Instruction Fuzzy Hash: BC917575900205DFCB18DF98C884EA9BBF1BF85308F158099E41A9F362D775EE85CB91

Function 00C4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C4E1B1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 813ea88a7e898ad0d437a4de0d48a1fb364c9da9b602f6bfd76bf9a7ed80cd9e
Instruction ID: f6633faa6a17392ba16adfe8bc4c9f5ff9ecb5cab7c71d15b03146fd11e6b3ed
Opcode Fuzzy Hash: 813ea88a7e898ad0d437a4de0d48a1fb364c9da9b602f6bfd76bf9a7ed80cd9e
Instruction Fuzzy Hash: E8514475A04246DFDB24EF68C481ABE7BA4FF16314F248059ECA19B2C0D7349E42DBA4

Function 00C4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C4F2BB

Strings

@, xrefs: 00C4F2AF

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction ID: 8baca83c2fcd67e6e6ddb4188e82f8e08b208dccb46520268a7e030a3a2163a8
Opcode Fuzzy Hash: 796343c14b22863f321a8ec6d2ff9ce2536451b728364fbaa508964531fc86e5
Instruction Fuzzy Hash: E25135724187489BD320AF54DC86BAFBBF8FB88300F81895DF1D9511A5EB708529CB67

Function 00CB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CB57E0
_wcslen.LIBCMT ref: 00CB57EC

Strings

CALLARGARRAY, xrefs: 00CB57E6, 00CB57EB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 16dab74444c6410ef7d0cfbb0ca9d6f8d34aecca2aabbd9c01fa97d8330b3009
Instruction ID: e38856eff3498c1c172a58c0ffd5eff98e3c551c3c29afb26d744d10b4223b91
Opcode Fuzzy Hash: 16dab74444c6410ef7d0cfbb0ca9d6f8d34aecca2aabbd9c01fa97d8330b3009
Instruction Fuzzy Hash: 4F41BE71E402099FCF14DFA9C885AFEBBB5FF59324F144029E515A7291E7319E81CB90

Function 00CAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CAD13A

Strings

|, xrefs: 00CAD10B

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction ID: bb7a821fad97a03bb62f5fd3bf769d023b6f3853e634362278d645a83ac15c9e
Opcode Fuzzy Hash: 8297a45091f97f4128c155ae53eb5fb97f8a5b0779d7c7e13b192904535ab4bc
Instruction Fuzzy Hash: A5315D71D10209ABCF15EFA5CC85AEEBFB9FF09314F004019F916A6161D735AA46DF50

Function 00CC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CC365C

Strings

static, xrefs: 00CC35BC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 01a32af2205a66aaaec7d9ab336bd836f5ccae7ace091bd72570bce6a99633bc
Instruction ID: 8ae7b7ced2bf437cb9407cea8e8f59a5e19c7328adaeaa6625b2187f2040a29f
Opcode Fuzzy Hash: 01a32af2205a66aaaec7d9ab336bd836f5ccae7ace091bd72570bce6a99633bc
Instruction Fuzzy Hash: 71318B71110244AADB10DF68DC81FFB73A9FF88720F10961DF9A997290DA31AE81DB64

Function 00CC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC4634

Strings

', xrefs: 00CC458E

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction ID: c97a6520ad11441923009acc73ed3caf68827c5b8ab0c6f13ff54059c6fc3109
Opcode Fuzzy Hash: a9527d28e96873a9051226c3edce3588a07bf0477deabd02e311d8d39a7b3979
Instruction Fuzzy Hash: F1311974A013099FDB18CF69C990FDA7BB5FF49300F14806AE915AB355D770A941CF90

Function 00CC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC3287

Strings

Combobox, xrefs: 00CC3249

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction ID: 4d4199173554edb6db60fd6ddada85022e242dbb1fc6a6b58e63a303b5630426
Opcode Fuzzy Hash: 9cd29d2b6ce7b6d24dad316003ee0d43b081c6894e4556de18f8e7db0134ad9a
Instruction Fuzzy Hash: 6311B2713002487FEF259F54EC81FBB376AEB94364F108129F92897292D6719E519760

Function 00CC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C3604C
Part of subcall function 00C3600E: GetStockObject.GDI32(00000011), ref: 00C36060
Part of subcall function 00C3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C3606A

GetWindowRect.USER32(00000000,?), ref: 00CC377A
GetSysColor.USER32(00000012), ref: 00CC3794

Strings

static, xrefs: 00CC3757

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction ID: 0d27198dbd48e86b7c48a907f673df6fe31210481ed9a2445a08285038a9abf3
Opcode Fuzzy Hash: 5209a3e7aec421c0123befcd078facb4beced625f1661a2c33b10f52de3d27a6
Instruction Fuzzy Hash: 1F1129B2610209AFDB01DFA8DD4AFEE7BB8EB08314F004518F965E2250D735E9519B60

Function 00CACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CACDA6

Strings

<local>, xrefs: 00CACD66

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction ID: c4d0354118e98ba0c5fe02aeed72135b9d26eefcbf01a310bbcc5108a41b406b
Opcode Fuzzy Hash: 33231eb21645471f9f73e307760adecc7bc92061a3082867b51d4bc50bd56d71
Instruction Fuzzy Hash: E211A371A056367AD7244B668CC9FE7BE68EB137A8F004226F12982180D7609950D6F0

Function 00CC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CC34BA

Strings

edit, xrefs: 00CC348F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction ID: 727fc1e320b2a0d17a6d67d9d458a16208f12f5ec42c5e5c79c6052ff044d39a
Opcode Fuzzy Hash: 11986289e7f5c0970f88111b226d58da578ee080003a00e52c631caf1b809c60
Instruction Fuzzy Hash: 4A118F71100248ABEB169F64EC84FEB3B6AEB05374F508728F975971D0C771DE919B60

Function 00C96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C96CB6
_wcslen.LIBCMT ref: 00C96CC2

Strings

STOP, xrefs: 00C96CBC, 00C96CC1

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction ID: 06217d16fd5b8704edba60e89b581106e6ba67950b0bbe5e46ae28727ed1d597
Opcode Fuzzy Hash: 930fbe9ec4f26fdb6e1c171431063dd129bf0f6a28c714b84d7f3ea5c38db9ca
Instruction Fuzzy Hash: 4601C033A145268ACF21AFFDDC899BF77B5EB61710B110528F8B2961D0EA31EA50C650

Function 00C91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C91D4C

Strings

ListBox, xrefs: 00C91D16
ComboBox, xrefs: 00C91CEB

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction ID: 9d70982ab0c8ae4792f1a5284105179b997c6d918211722784ca269448775ef5
Opcode Fuzzy Hash: 0827bbadd2d3d51ab3a1e799b52dfb41447ea75ff6f89f7ab70904dfb4d02114
Instruction Fuzzy Hash: 2101D872611219AB8F09EBA4CD5ADFE7768EF47390F040619FD32572C1EA705908D661

Function 00C91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C91C46

Strings

ListBox, xrefs: 00C91C10
ComboBox, xrefs: 00C91BE5

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction ID: 8b9e8d37f4407eafb66cbd651d73ee695b015edffefac8cd52856119fe1ad67f
Opcode Fuzzy Hash: 9b1e244c76a59813b38b2ad3d3b10531d8cda3e43b9ae890383dbe36f17483a1
Instruction Fuzzy Hash: 1B01A77578510967CF05EB90CA5AEFF77A8DF52340F140019F916672C1EA709F08D6B2

Function 00C91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C91CC8

Strings

ListBox, xrefs: 00C91C94
ComboBox, xrefs: 00C91C69

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction ID: 0d6902df4e528881dc9483aa7b3b7e4f586b4d79e0b8d7da774d89888502cad6
Opcode Fuzzy Hash: bb86ff9d76aa6efdf6e277e755a6086ae3d324171497db553e5474a4bbfa6b4c
Instruction Fuzzy Hash: 7A01D67579011967CF04EBA4CA0AEFE77A89B12380F580015BD02B3281EAB09F08D672

Function 00C91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39CB3: _wcslen.LIBCMT ref: 00C39CBD

Part of subcall function 00C93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C91DD3

Strings

ListBox, xrefs: 00C91DA0
ComboBox, xrefs: 00C91D75

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction ID: fd20075754dfc7b45027f29b0abac559cf082906986651939693699d5fb7d696
Opcode Fuzzy Hash: ea64ff8c8af6abbd1b266f7ec87dd40718fdb82399f64573defdb52b082e725f
Instruction Fuzzy Hash: 0AF0A476B5121967DF05E7A4CD5AFFE77A8EB02350F080915F922A72C1DAB05A089261

Function 00CB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB7493
_wcslen.LIBCMT ref: 00CB74B9

Strings

3, 3, 16, 1, xrefs: 00CB7483

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction ID: f8dd9f2dd81fb0910451d5155542169ba444234cc197804d3aa7c80e3ea73a21
Opcode Fuzzy Hash: 289a786c04611e3ab0c6c6eb9a23d83eb40fd3c13aea68d22e18bd6390f0b6e8
Instruction Fuzzy Hash: DBE0610670432020933513B9DCC29FF568DCFC5753B10192BFD81C2366EA94CED1A7A5

Function 00C90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C90B23

Strings

Error allocating memory., xrefs: 00C90B1C
AutoIt, xrefs: 00C90B17

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: be0d82cf271fa5dbad4854c88e554be1239e324511b4f3e620e6f279466e6fc6
Instruction ID: 48adef3ea633ceacf4463cc5cedfffa08c928ddec06a1046fbd0741f52ea67bd
Opcode Fuzzy Hash: be0d82cf271fa5dbad4854c88e554be1239e324511b4f3e620e6f279466e6fc6
Instruction Fuzzy Hash: B4E048312443183AD6143654BC47FC97A849F05B65F10442EFB9C555C38AE1659166A9

Function 00C50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C50D71,?,?,?,00C3100A), ref: 00C4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C3100A), ref: 00C50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C3100A), ref: 00C50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C50D7F

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction ID: fdc82468553106bbffa2193e900c540b3de718a9d188fe083c05f4a606972a99
Opcode Fuzzy Hash: a626ed8fafa09803db168bff00ba9724c61dcae43eb9e9f724e04cd5829f4bae
Instruction Fuzzy Hash: A6E092B82007518BD7309FB8D448B467BF0BF00741F104D2DE886C6751DBB4E4898BA1

Function 00CA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CA3044

Strings

aut, xrefs: 00CA3038

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction ID: 57ecc98b5811609669061f54329cf26f1a1f17a308480ce1fb1652b19e149dd2
Opcode Fuzzy Hash: 1e8031acbccf62976e670a5e2a60cf724f766262166d1cf056e0df2830151bcf
Instruction Fuzzy Hash: AAD05EB250032867DA60E7A4EC4EFDB3A6CDB04750F0002A1F659E2491DAB49984CAD0

Function 00C8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8D220

Strings

%.3d, xrefs: 00C8D22B
X64, xrefs: 00C8D2A8

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction ID: cd3ec0e8accc84fab0d236d73bb7a36789c11a6a1cce3282316132f7d3e243b6
Opcode Fuzzy Hash: 49c2eee6224dcabcf1c0e0bc1861364c24c23d0797bfcacf38d985eaf0e666f1
Instruction Fuzzy Hash: D7D012A1808108FACB90B7D1DC89DBAB37CFB09305F508462F90792080D624D9086765

Function 00CC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC236C
PostMessageW.USER32(00000000), ref: 00CC2373

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2365

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction ID: 45a351328e20112652abdf7d8a2297a07cf78b10b3b6b41063accd19ef6d8d02
Opcode Fuzzy Hash: 4d5dfa435921d57d7f9264e25562a82b189206c30744ace0f99b038a1f4e3ebb
Instruction Fuzzy Hash: 6CD0C9327853107AE6A4B771EC4FFCA66149B14B14F114916F74AEA1D0C9A4A8418A54

Function 00CC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC233F

Part of subcall function 00C9E97B: Sleep.KERNEL32 ref: 00C9E9F3

Strings

Shell_TrayWnd, xrefs: 00CC2325

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction ID: 0b87c47c630664828fd1f9fe8b80273907d9324b78b7d24bbe3f5acb8649f41d
Opcode Fuzzy Hash: 00c20797912cb28673a8b2dedabaa8f49d653f2546c1762ec375190b8ba01f0c
Instruction Fuzzy Hash: 19D01236794310B7E6A4B771EC4FFDA7A149B10B14F114916F74AEA1D0C9F4A841CB54

Function 00C6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C6BE93
GetLastError.KERNEL32 ref: 00C6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C6BEFC

Memory Dump Source

Source File: 00000000.00000002.2276733205.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true

Associated: 00000000.00000002.2276623871.0000000000C30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277016876.0000000000CF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277406010.0000000000CFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2277829277.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction ID: 3bf3638671d07866aaa34f7a8239c3ca7ed457e14c278b6a74b7b63689f4eb81
Opcode Fuzzy Hash: e5e91b8650300bcc1c62ec7d730714e958fb8c0e7fc5d349899bb134e0298a7e
Instruction Fuzzy Hash: F341E339604206AFCB318FA5CCC4BAA7BA5AF41310F144169F969D71B1DB318E82DB62

Analysis Process: firefox.exePID: 7184, Parent PID: 6392COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001D2CBD75437 Relevance: 8.3, APIs: 1, Instructions: 6848nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001D2CBD7545C

Memory Dump Source

Source File: 00000012.00000002.3470584427.000001D2CBD70000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D2CBD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1d2cbd70000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction ID: 98e27d2c5e0b2ea30fa9d3031e9ce707e1dcb90ce123a853fd5ff640282d9c2d
Opcode Fuzzy Hash: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction Fuzzy Hash: FBA3F331624A488BDB2DDF28CC857E977E5FB95300F04422EE94BD3645EF35EA42CA81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2440405880.0000016E13591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2401657445.0000016E1C224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2401657445.0000016E1C224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2401657445.0000016E1C224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2401657445.0000016E1C224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2396707402.0000016E1C262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3465997201.000001D2CB70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.000002263830C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3465997201.000001D2CB70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.000002263830C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3465997201.000001D2CB70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3466725523.000002263830C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2440405880.0000016E13591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2292412205.0000016E141C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378865494.0000016E141B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50293 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.6:50294 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50302 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50305 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.114.113:443 -> 192.168.2.6:53345 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53437 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53436 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53439 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53441 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53440 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53438 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53442 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:53443 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.113
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 53428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53442
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53441
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53445
Source: unknown	Network traffic detected: HTTP traffic on port 53443 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50293 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53437 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 53345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53441 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 50304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53428
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53345
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53445 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53439
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53437
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53436
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53440
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50293
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f08c46bb-f207-4d48-a336-51a109eed8cb.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f08c46bb-f207-4d48-a336-51a109eed8cb.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre