Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544032
MD5:	36e326562ccfc7504f9d23095789964a
SHA1:	98d840a59071822ae34936c980039739f50f22fb
SHA256:	f963f59209443304c987ba8defe0b9d7b26284a25ed51c0cb3ee7b83bb356a8a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 36E326562CCFC7504F9D23095789964A)

taskkill.exe (PID: 984 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6668 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1560 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6604 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2820 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5612 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7064 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43e39a0-cc16-484a-9b18-44609e3e176e} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca56e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7684 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=948 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4180 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e99635-fe3b-45d9-8cee-0516a7b7dc3a} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca57d810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7252 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4540 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63adc83-332e-472f-8367-08683521a553} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224dc47e510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6412	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00BDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BCAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2077363058.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_faff7f6c-c
Source: file.exe, 00000000.00000000.2077363058.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b75ac009-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2862bd64-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a98f3b88-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC38B33B7 NtQuerySystemInformation,		17_2_000002BBC38B33B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC39EB6B2 NtQuerySystemInformation,		17_2_000002BBC39EB6B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BCD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BCE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68060	0_2_00B68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD2046	0_2_00BD2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8298	0_2_00BC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E4FF	0_2_00B9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9676B	0_2_00B9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4873	0_2_00BF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8CAA0	0_2_00B8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6CAF0	0_2_00B6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7CC39	0_2_00B7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96DD9	0_2_00B96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B691C0	0_2_00B691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7B119	0_2_00B7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81394	0_2_00B81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81706	0_2_00B81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8781B	0_2_00B8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B819B0	0_2_00B819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B67920	0_2_00B67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7997D	0_2_00B7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87A4A	0_2_00B87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87CA7	0_2_00B87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81C77	0_2_00B81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99EEE	0_2_00B99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BEBE44	0_2_00BEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81F32	0_2_00B81F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC38B33B7	17_2_000002BBC38B33B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC39EB6B2	17_2_000002BBC39EB6B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC39EB6F2	17_2_000002BBC39EB6F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002BBC39EBDDC	17_2_000002BBC39EBDDC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B69CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B7F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@95/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD37B5 GetLastError,FormatMessageW,

0_2_00BD37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BD51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BCD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00BD648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2301662446.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271342813.00000224E64F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43e39a0-cc16-484a-9b18-44609e3e176e} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca56e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=948 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4180 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e99635-fe3b-45d9-8cee-0516a7b7dc3a} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca57d810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4540 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63adc83-332e-472f-8367-08683521a553} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224dc47e510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43e39a0-cc16-484a-9b18-44609e3e176e} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca56e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=948 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4180 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e99635-fe3b-45d9-8cee-0516a7b7dc3a} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca57d810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4540 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63adc83-332e-472f-8367-08683521a553} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224dc47e510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2203915484.00000224E6B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2321972638.00000224DA296000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2319282754.00000224DA29C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2321972638.00000224DA296000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2320220128.00000224DA296000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2319282754.00000224DA29C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2203915484.00000224E6B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2320220128.00000224DA296000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2297689304.00000224DBC66000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80A76 push ecx; ret

0_2_00B80A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97297

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002BBC38B33B7 rdtsc

17_2_000002BBC38B33B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BCDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C2A2 FindFirstFileExW,	0_2_00B9C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD68EE FindFirstFileW,FindClose,	0_2_00BD68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00BD698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00BD9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: firefox.exe, 00000012.00000002.3344373367.000001BA07260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWv
Source: firefox.exe, 00000010.00000002.3346001331.0000020A24710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: firefox.exe, 00000010.00000002.3340122387.0000020A2406A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3339214530.000002BBC2F9A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340051436.000001BA06F6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3341101143.0000020A2441B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3343804394.000002BBC3790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWqy
Source: firefox.exe, 00000011.00000002.3343804394.000002BBC3790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?"Y
Source: firefox.exe, 00000010.00000002.3340122387.0000020A2406A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3346001331.0000020A24710000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3343804394.000002BBC3790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002BBC38B33B7 rdtsc

17_2_000002BBC38B33B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDEAA2 BlockInput,

0_2_00BDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BC0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B809D5 SetUnhandledExceptionFilter,	0_2_00B809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCB226 SendInput,keybd_event,

0_2_00BCB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00BE22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00BC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2207613674.00000224E6B07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80698 cpuid

0_2_00B80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00BD8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BBD27A GetUserNameW,

0_2_00BBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00B9B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6412, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6412, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00BE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.46	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.18.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3340750130.000001BA071C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2302422963.00000224E51B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2189893004.00000224E3A20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342188275.00000224DB490000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2144758635.00000224E2371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241865084.00000224E2375000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227344468.00000224E2375000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145083351.00000224E2376000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3342522489.0000020A246E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3340679896.000002BBC33E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3344624361.000001BA07404000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3340679896.000002BBC3386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA0718F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2290495585.00000224E2430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E2430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2290495585.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317141995.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E244A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2311009516.00000224E2532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2272765406.00000224E3765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287187244.00000224E37A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278462070.00000224E379F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272765406.00000224E379F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2123822914.00000224DA68A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122311574.00000224DA653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121727366.00000224DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122547959.00000224DA66F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121922516.00000224DA61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122112050.00000224DA638000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2294371681.00000224DC581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311965275.00000224DC5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314436674.00000224DB859000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2153028018.00000224DB859000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296038927.00000224DC426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2271342813.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254075600.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301662446.00000224E64E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2290223367.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304369526.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2123822914.00000224DA68A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312892855.00000224DBAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238190707.00000224DBFA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122311574.00000224DA653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121727366.00000224DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122547959.00000224DA66F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341415487.00000224DBAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121922516.00000224DA61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122112050.00000224DA638000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2122311574.00000224DA653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121727366.00000224DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122547959.00000224DA66F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121922516.00000224DA61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122112050.00000224DA638000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2272312347.00000224E4C26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272312347.00000224E4C42000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2303713106.00000224E2985000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2290495585.00000224E2430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E2430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2271503504.00000224E6449000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2549000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2153028018.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313754887.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2228039944.00000224DA0EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2130315305.00000224DA0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259015487.00000224DA0EB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3340679896.000002BBC3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA0710C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2193048761.00000224DB526000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193096587.00000224DB53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192873244.00000224DB52A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2299973445.00000224E293A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2290495585.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317141995.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E244A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2337322140.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316757565.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3340750130.000001BA071C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2149893820.00000224E298A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2153940875.00000224DB79A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2149893820.00000224E2991000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2153940875.00000224DB7A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2193048761.00000224DB526000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2168453933.00000224DBDB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2316757565.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2299973445.00000224E298B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311965275.00000224DC5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310036665.00000224E298B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2278462070.00000224E3765000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2341939138.00000224DB4C6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3342522489.0000020A246E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3340679896.000002BBC33E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3344624361.000001BA07404000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3342522489.0000020A246E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3340679896.000002BBC33E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3344624361.000001BA07404000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2311009516.00000224E2532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3340679896.000002BBC3312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA07113000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2290495585.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317141995.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E244A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000011.00000002.3340123495.000002BBC32D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2314999756.00000224DB7D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2193048761.00000224DB526000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2219033574.00000224DB6BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276711600.00000224DB6BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223760518.00000224DB5E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279688714.00000224DDD0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2166247117.00000224DBDC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350023121.00000224DBF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2168453933.00000224DBDB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2126946094.00000224DA661000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307968742.00000224DC9C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230853967.00000224E23B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238838876.00000224DBD27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350290553.00000224DB5ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276546921.00000224DDD35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346502814.00000224DBF13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220726404.00000224DAABB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2144667101.00000224E23C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2344340367.00000224DBF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257343793.00000224E225A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239756559.00000224DB5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250626541.00000224DBBC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223760518.00000224DB5F9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2152224861.00000224E2556000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2153028018.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257343793.00000224E225A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313754887.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273951978.00000224E2EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256459175.00000224E2EC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2153028018.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257343793.00000224E225A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313754887.00000224DB8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273951978.00000224E2EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256459175.00000224E2EC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2314999756.00000224DB7D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2144758635.00000224E2371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241865084.00000224E2375000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227344468.00000224E2375000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145083351.00000224E2376000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2290223367.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304369526.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2299973445.00000224E293F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310755197.00000224E2963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2290223367.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304369526.00000224E24D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2193048761.00000224DB526000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2340247760.00000224DD18C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306508686.00000224DD187000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2193048761.00000224DB526000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193096587.00000224DB53B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192873244.00000224DB52A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2228039944.00000224DA0EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2130315305.00000224DA0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259015487.00000224DA0EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2337322140.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316757565.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2290495585.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317141995.00000224E244A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E244A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2271503504.00000224E647A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255667449.00000224E4E9C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2122112050.00000224DA638000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2123822914.00000224DA68A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312892855.00000224DBAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238190707.00000224DBFA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122311574.00000224DA653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121727366.00000224DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122547959.00000224DA66F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341415487.00000224DBAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2121922516.00000224DA61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2122112050.00000224DA638000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2290495585.00000224E2430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304567708.00000224E2430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3340505061.0000020A24190000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3339801241.000002BBC30C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3340342715.000001BA06FA0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544032
Start date and time:	2024-10-28 18:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@95/11
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.18.233, 34.211.181.209, 34.218.156.47, 142.250.186.46, 2.22.61.56, 2.22.61.59, 142.250.185.174, 142.250.185.234, 142.250.185.138
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:27:12	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
star-mini.c10r.facebook.com	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	157.240.0.35
	http://bigfoot99.com	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	renier_visser-In Employee -11384.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	199.232.188.157
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!sb98dbf79ab614921877689e4912e2fae&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VubV9qYmxocXlGSmgzYUo1SkV1TDY0QmtKQzA5SEFwTjV6cTh1YW5PSWxxNEE_ZT1pdGFpeGo&wd=target%28Sezione%20senza%20titolo.one%7Ccfe57f3b-5d7b-4d15-b045-f6fdb53b3776%2FRechnung%2039920898-43006843%20%5C%7C%20Ebner%20Media%20Group%7C205becae-dae9-4a36-907a-485bcab69387%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	151.101.2.137
	http://bigfoot99.com	Get hash	malicious	Unknown	Browse	151.101.64.84
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse	151.101.1.229
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_583749b1-4fef-47bf-b3b8-0068aafd6966.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176513933011325
Encrypted:	false
SSDEEP:	192:HKMXnTkcbhbVbTbfbRbObtbyEl7nQrQJA6wnSrDtTkd/Su:HPwcNhnzFSJwrDjnSrDhkd/r
MD5:	922A3016A605B00E3A45D9502D5F5AB5
SHA1:	C092297F6C7868E73F76620BA230235FD99B168A
SHA-256:	77851968526236D073FD9A758FA3AE21B8B048A9A0F4ADD12B22CE68291A5C31
SHA-512:	95E753A02493B658E33FDC02F23C78B039CCFE99E047D4DD218D99C7614756C9F0FA63DF8D9224BD9260E91BB98CE210BFB0AFA09948CC471534146C992EE6D2
Malicious:	false
Preview:	{"type":"uninstall","id":"583749b1-4fef-47bf-b3b8-0068aafd6966","creationDate":"2024-10-28T18:40:49.712Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_583749b1-4fef-47bf-b3b8-0068aafd6966.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176513933011325
Encrypted:	false
SSDEEP:	192:HKMXnTkcbhbVbTbfbRbObtbyEl7nQrQJA6wnSrDtTkd/Su:HPwcNhnzFSJwrDjnSrDhkd/r
MD5:	922A3016A605B00E3A45D9502D5F5AB5
SHA1:	C092297F6C7868E73F76620BA230235FD99B168A
SHA-256:	77851968526236D073FD9A758FA3AE21B8B048A9A0F4ADD12B22CE68291A5C31
SHA-512:	95E753A02493B658E33FDC02F23C78B039CCFE99E047D4DD218D99C7614756C9F0FA63DF8D9224BD9260E91BB98CE210BFB0AFA09948CC471534146C992EE6D2
Malicious:	false
Preview:	{"type":"uninstall","id":"583749b1-4fef-47bf-b3b8-0068aafd6966","creationDate":"2024-10-28T18:40:49.712Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9261834292345705
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNYr90xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LjO8P
MD5:	B3E682A91580F45FBD19F2B2F29E3D9D
SHA1:	F7B8D1D3A3117FC40DA5195DE2EA2B83EAF50038
SHA-256:	D4EB2D9DD12E905C8232589035B87B0996DC872BE3EE8AA657B15081476B2245
SHA-512:	0380322879C51CAF2AE53A49258D11FE8F4D52BE878DA2AEDEAA5003F3F4204253DF7AD090A4495EBC35738B1F1BDC61A11D17D173834B82FA52F7BB9E087824
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9261834292345705
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNYr90xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LjO8P
MD5:	B3E682A91580F45FBD19F2B2F29E3D9D
SHA1:	F7B8D1D3A3117FC40DA5195DE2EA2B83EAF50038
SHA-256:	D4EB2D9DD12E905C8232589035B87B0996DC872BE3EE8AA657B15081476B2245
SHA-512:	0380322879C51CAF2AE53A49258D11FE8F4D52BE878DA2AEDEAA5003F3F4204253DF7AD090A4495EBC35738B1F1BDC61A11D17D173834B82FA52F7BB9E087824
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiw:DLhesh7Owd4+ji
MD5:	4596795AC42EC4EC00B57399F0E5816D
SHA1:	1A110144078B16A7DFDE3F98DDB2C3EB742CA44A
SHA-256:	976E39672C380A2E057B62AEAFF20ADD57E06C1387AA894BFB98B6DC2DE26055
SHA-512:	40217295624C179416459FC6CCF2F166C4C4816B71DE4676B3070FFBBEB5884C7A6F8C7CB274903BB970083AF6EB46570CF41C022F7EEA7C4B42337D558FF756
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035325086693798996
Encrypted:	false
SSDEEP:	3:GtlstF/9VWyZsPylstF/9VWyZsPX/T89//alEl:GtWt/rZUyWt/rZU789XuM
MD5:	144BCB9331EE6F6E9A256F7ECB80D8B6
SHA1:	C5E821BB951964F22B92537966E73BECCDEFDC2D
SHA-256:	4CF50B891EAE3FD175C792D80CADDA70F9BE6A41236892BBEB6CE5F4C05D8D64
SHA-512:	248EC7F541988F02D0620CAFD40467E868E6F0C212C55ABB19C603C93FA07F468FCCBCA949D4B93FB4BFFD2F1C831F0D7AA1BD2DED34594770C37E559FFC295C
Malicious:	false
Preview:	..-......................x...M..JJ..7c....I&...-......................x...M..JJ..7c....I&.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039714462148821926
Encrypted:	false
SSDEEP:	3:Ol1Lr4tUglfvvyDrdNFLl8rEXsxdwhml8XW3R2:KdrbKq3tl8dMhm93w
MD5:	F17955DFA39355CC8F65657FD4CAA172
SHA1:	3CAADFE47217C35940B7163C352EDCA9725ADCA8
SHA-256:	1027DED977B400F736510F14CAF749DBBF8320A8F2F655EF4B1B1138EB441D66
SHA-512:	FD2F6810ED01831E574AA05624360BB7E1F272D5AB5CF961D87F3AC01F5FDE1A6F1D56B1052FDA7A3CC55D64757A973E34ABF46FC092946F5CF7FA38549D76FE
Malicious:	false
Preview:	7....-..........JJ..7c..^M]C..9........JJ..7c...x..M.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476312300900657
Encrypted:	false
SSDEEP:	192:znPOeRnLYbBp6/J0aX+k6SEXKnJNbB5RHWNBw8d/Sl:jDe2JUHqjJHEwo0
MD5:	5EF430693B83CD53C0D044BD694E33E5
SHA1:	D779911012A959886AC450FBC879B48EE571E353
SHA-256:	D136ACF6D8A6803885E4F5433C58DD9E0428C2518E17149638EFFC7B2D2625A5
SHA-512:	3E49DE1FE3AB05A0061BE2A2757CB80A5F5C9F56ECB8608983CCD47E78D3C5C72CC7AED9EF1688D40533B4D5B38EBF6E4BB37C4AE3F56A1B2CB7446DC282C13F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730140820);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730140820);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730140820);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173014

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476312300900657
Encrypted:	false
SSDEEP:	192:znPOeRnLYbBp6/J0aX+k6SEXKnJNbB5RHWNBw8d/Sl:jDe2JUHqjJHEwo0
MD5:	5EF430693B83CD53C0D044BD694E33E5
SHA1:	D779911012A959886AC450FBC879B48EE571E353
SHA-256:	D136ACF6D8A6803885E4F5433C58DD9E0428C2518E17149638EFFC7B2D2625A5
SHA-512:	3E49DE1FE3AB05A0061BE2A2757CB80A5F5C9F56ECB8608983CCD47E78D3C5C72CC7AED9EF1688D40533B4D5B38EBF6E4BB37C4AE3F56A1B2CB7446DC282C13F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730140820);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730140820);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730140820);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173014

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.366833259280723
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS/RLXnIrcf/pnxQwRcWT5sKmgb0u3eHVpjO+FFamhuEeJJF0NtO2cI:GUpOxEBZnRcoegr3erjxbUJmNtc3zBtU
MD5:	B8966A4437CFAB7150C9521508C67CE1
SHA1:	1CD507BB78227D41FDC1E892CDF3E46B02088BD5
SHA-256:	9766B54387488C0D15E0E8496B9F559487825E9417D450E59AE3E70C038B8F3F
SHA-512:	69B7B2D69D7E554EF973A6A0D42A889090C77B0BE5E933C80DCE03B3287906C1632B54AF67F60C209C04262BF4E4AC73D6F5305E3AE5FB7219C893A7D066BFD7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{46e9db8c-0352-43ea-8acc-b910400f3c98}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730140824421,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`789688...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....796929,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.366833259280723
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS/RLXnIrcf/pnxQwRcWT5sKmgb0u3eHVpjO+FFamhuEeJJF0NtO2cI:GUpOxEBZnRcoegr3erjxbUJmNtc3zBtU
MD5:	B8966A4437CFAB7150C9521508C67CE1
SHA1:	1CD507BB78227D41FDC1E892CDF3E46B02088BD5
SHA-256:	9766B54387488C0D15E0E8496B9F559487825E9417D450E59AE3E70C038B8F3F
SHA-512:	69B7B2D69D7E554EF973A6A0D42A889090C77B0BE5E933C80DCE03B3287906C1632B54AF67F60C209C04262BF4E4AC73D6F5305E3AE5FB7219C893A7D066BFD7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{46e9db8c-0352-43ea-8acc-b910400f3c98}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730140824421,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`789688...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....796929,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.366833259280723
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS/RLXnIrcf/pnxQwRcWT5sKmgb0u3eHVpjO+FFamhuEeJJF0NtO2cI:GUpOxEBZnRcoegr3erjxbUJmNtc3zBtU
MD5:	B8966A4437CFAB7150C9521508C67CE1
SHA1:	1CD507BB78227D41FDC1E892CDF3E46B02088BD5
SHA-256:	9766B54387488C0D15E0E8496B9F559487825E9417D450E59AE3E70C038B8F3F
SHA-512:	69B7B2D69D7E554EF973A6A0D42A889090C77B0BE5E933C80DCE03B3287906C1632B54AF67F60C209C04262BF4E4AC73D6F5305E3AE5FB7219C893A7D066BFD7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{46e9db8c-0352-43ea-8acc-b910400f3c98}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730140824421,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..`789688...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....796929,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0294056433349414
Encrypted:	false
SSDEEP:	96:ycvMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:yTEr5NX0z3DhRe
MD5:	DDDDA567DE3B8C229E30E837EA51EFA3
SHA1:	8E2CC20704FC271D4E5129474642173FF735909A
SHA-256:	60BF73F19F802A7F8B662E3028F516D3C88AFAAFE2BCFB06EDA83224DD5D69F8
SHA-512:	7D2C3C2EE19D677360A88576FADD8C1CDD02C765F359764964AF7785A5494649A5F9C16B43018393444F8D0E3ACDFC02FF6232FC9737A48C3416B558EE7D9A50
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T18:40:05.504Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0294056433349414
Encrypted:	false
SSDEEP:	96:ycvMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:yTEr5NX0z3DhRe
MD5:	DDDDA567DE3B8C229E30E837EA51EFA3
SHA1:	8E2CC20704FC271D4E5129474642173FF735909A
SHA-256:	60BF73F19F802A7F8B662E3028F516D3C88AFAAFE2BCFB06EDA83224DD5D69F8
SHA-512:	7D2C3C2EE19D677360A88576FADD8C1CDD02C765F359764964AF7785A5494649A5F9C16B43018393444F8D0E3ACDFC02FF6232FC9737A48C3416B558EE7D9A50
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T18:40:05.504Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584694819984862
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	36e326562ccfc7504f9d23095789964a
SHA1:	98d840a59071822ae34936c980039739f50f22fb
SHA256:	f963f59209443304c987ba8defe0b9d7b26284a25ed51c0cb3ee7b83bb356a8a
SHA512:	5c75440cc85306cc281b41e994b64c82a03834b03678e6a63bc9e0b8e606b709d249622b7062afa5a3a0480d45ce58c4b8317d4d5c88f47099a0c6338a7a442e
SSDEEP:	12288:XqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ts:XqDEvCTbMWu7rQYlBQcBiT6rprG8abs
TLSH:	C6159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671FC8CA [Mon Oct 28 17:24:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6E64F8E5F3h
jmp 00007F6E64F8DEFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6E64F8E0DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6E64F8E0AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6E64F90C9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6E64F90CE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6E64F90CD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	bfa87ed7d64705521e47a28351e240b1	False	0.31561511075949367	data	5.373871127017588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 18:27:08.798368931 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:09.094640970 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.094677925 CET	443	49713	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:09.095455885 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.096947908 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.096971035 CET	443	49713	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:09.097898006 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.097910881 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.098202944 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.098346949 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.098361969 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.189280987 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:09.324698925 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:09.328661919 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:09.777246952 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:09.800591946 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:09.843884945 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:09.843909025 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:09.844000101 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:09.845345974 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:09.845362902 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:09.969548941 CET	443	49713	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:09.969631910 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.974762917 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.974777937 CET	443	49713	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:09.974812031 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.975073099 CET	443	49713	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:09.975140095 CET	49713	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:09.980654001 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.980870008 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.984041929 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.984057903 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.984370947 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.987112999 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.987112999 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:09.987288952 CET	443	49714	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:09.987505913 CET	49714	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:10.186177015 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:10.329163074 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:10.329229116 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:10.333856106 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:10.945646048 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:10.945924997 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:10.953474998 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:10.953507900 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:10.953630924 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:10.954993963 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:10.955012083 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:10.955832958 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:10.955866098 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:10.956161976 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:10.956262112 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:10.956280947 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:11.358334064 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:11.806580067 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:11.957366943 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:11.975622892 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:12.177764893 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:12.286211967 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:12.286529064 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:12.980535030 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:13.248097897 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:13.305460930 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:13.351337910 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:13.768560886 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:13.768691063 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:13.775351048 CET	443	49717	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:13.779620886 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:13.779620886 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:13.779680967 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:13.779680967 CET	49717	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:13.979811907 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:13.979845047 CET	443	49723	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:13.980231047 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:13.980232954 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:13.981865883 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:13.981894970 CET	443	49723	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:14.110567093 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:14.110827923 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:14.111157894 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:14.221708059 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:14.264692068 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:14.824146032 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:14.828321934 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:14.828353882 CET	443	49725	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:14.828821898 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:14.828861952 CET	443	49726	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:14.830734968 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:14.830852032 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:14.832433939 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:14.832459927 CET	443	49725	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:14.833872080 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:14.833893061 CET	443	49726	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:14.849668026 CET	443	49723	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:14.852204084 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:14.857095957 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:14.857136965 CET	443	49723	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:14.857165098 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:14.857374907 CET	443	49723	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:14.857451916 CET	49723	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:14.861829996 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:14.865181923 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.113914967 CET	49728	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.157130957 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:15.157218933 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.299500942 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:15.299541950 CET	443	49729	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:15.299714088 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:15.301069975 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:15.301096916 CET	443	49729	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:15.317240953 CET	80	49715	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:15.321947098 CET	49715	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.509706020 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:15.509787083 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.814644098 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.855612040 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:15.855652094 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:15.855798960 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:15.855957985 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:15.855967045 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:15.868165970 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.994859934 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:15.997507095 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:15.997775078 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.120167971 CET	49728	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.181108952 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:16.181210995 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.213756084 CET	443	49729	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:16.218415022 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:16.225078106 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:16.225101948 CET	443	49729	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:16.225186110 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:16.225260973 CET	443	49729	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:16.225465059 CET	49729	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:16.267297029 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.271791935 CET	80	49728	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:16.271883965 CET	49728	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.407859087 CET	80	49722	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:16.408046007 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.621781111 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:16.845670938 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:16.845784903 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:16.849698067 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:16.849715948 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:16.850030899 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:16.850099087 CET	443	49726	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:16.850203991 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:16.854465008 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:16.854507923 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:16.854623079 CET	443	49730	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:16.857059002 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:16.857081890 CET	443	49726	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:16.857203007 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:16.857240915 CET	443	49726	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:16.857405901 CET	49730	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:16.857415915 CET	49726	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:17.115825891 CET	443	49725	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:17.115955114 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:17.121743917 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:17.121767044 CET	443	49725	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:17.121834993 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:17.121927023 CET	443	49725	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:17.122046947 CET	49725	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:17.470954895 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:17.525479078 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:17.525655031 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:17.743644953 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:17.770723104 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:17.825227976 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:19.077176094 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:19.077272892 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:19.080821991 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:19.080843925 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:19.081101894 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:19.083885908 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:19.083885908 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:19.084036112 CET	443	49719	34.160.144.191	192.168.2.5
Oct 28, 2024 18:27:19.084180117 CET	49719	443	192.168.2.5	34.160.144.191
Oct 28, 2024 18:27:20.125927925 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:20.128694057 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:20.238976955 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:20.240921021 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:20.245621920 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:20.245649099 CET	443	49735	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:20.245974064 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:20.247937918 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:20.247951031 CET	443	49735	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:20.358814001 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:20.362536907 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:20.404082060 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:20.404937983 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:20.959263086 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:20.959301949 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:21.193685055 CET	443	49735	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:21.198489904 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:21.254504919 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:21.254524946 CET	443	49735	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:21.254693985 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:21.255112886 CET	443	49735	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:21.255686045 CET	49735	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:21.284797907 CET	49728	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:21.426580906 CET	80	49728	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:21.426815033 CET	49728	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.005773067 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.071978092 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.074321032 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.074374914 CET	443	49736	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.074559927 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.076029062 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.076051950 CET	443	49736	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.076899052 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:22.076925993 CET	443	49737	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:22.077016115 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:22.078479052 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:22.078489065 CET	443	49737	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:22.316469908 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.416742086 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.424738884 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.431375027 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:22.553611994 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:22.568753004 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.568785906 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.568907976 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.569207907 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.569221973 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.569746971 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.569773912 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.570059061 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570094109 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.570139885 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570152998 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.570554972 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570559025 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570664883 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570683002 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570694923 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.570794106 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570806980 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.570868015 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:22.570884943 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:22.601747036 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:22.755469084 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:23.288125038 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:23.419651985 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:23.474565029 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:23.475886106 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:23.476330042 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:23.476344109 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:23.820923090 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:23.984324932 CET	80	49712	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:23.986911058 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:24.055452108 CET	443	49736	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.055741072 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.202016115 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.202035904 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.202404022 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.206115961 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.206132889 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.206487894 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.245292902 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245348930 CET	443	49736	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.245481014 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245549917 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245621920 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245703936 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245733023 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.245747089 CET	443	49736	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.245871067 CET	443	49739	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.245915890 CET	443	49742	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:24.246074915 CET	49736	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.246084929 CET	49739	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.246110916 CET	49742	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:24.745718956 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:24.993133068 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:25.698610067 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.698913097 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.706793070 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.707005024 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.974572897 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.974601030 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.975614071 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.976955891 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.976990938 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.977446079 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.979476929 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.979578018 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.979670048 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.979670048 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.979933977 CET	443	49740	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.979984045 CET	443	49741	34.120.208.123	192.168.2.5
Oct 28, 2024 18:27:25.980045080 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.980048895 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.980101109 CET	49740	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:25.982508898 CET	49741	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:27:26.065119982 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:26.232436895 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:26.350148916 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:26.355561018 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:26.360980034 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:26.397207022 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:26.663072109 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:26.713711023 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:26.993662119 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:26.998564005 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.009814978 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.009834051 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.009955883 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.010174036 CET	443	49718	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.014626980 CET	49718	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.022875071 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.022901058 CET	443	49746	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.024251938 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:27.026712894 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.028721094 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.028734922 CET	443	49746	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.029740095 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.152861118 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.158293009 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:27.163662910 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.199558973 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:27.283763885 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.331101894 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:27.638597965 CET	443	49746	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.638679981 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.644301891 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.644325972 CET	443	49746	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.644429922 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.644567966 CET	443	49746	34.117.188.166	192.168.2.5
Oct 28, 2024 18:27:27.649642944 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:27.652686119 CET	49746	443	192.168.2.5	34.117.188.166
Oct 28, 2024 18:27:27.655407906 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.744620085 CET	443	49737	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:27.745429993 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:27.749363899 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:27.749375105 CET	443	49737	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:27.749469042 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:27.749694109 CET	443	49737	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:27.749919891 CET	49737	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:27.777183056 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:27.832601070 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:28.387459040 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:28.393085957 CET	80	49722	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:28.393523932 CET	80	49722	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:28.393753052 CET	49722	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:28.773416042 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:28.778693914 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:28.898397923 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:28.957959890 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:29.791965961 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:29.797893047 CET	80	49712	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:29.800551891 CET	49712	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:36.500160933 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:36.500199080 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:36.501219034 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:36.501400948 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:36.501413107 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:36.518728018 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:36.518753052 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:36.520884991 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:36.521048069 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:36.521065950 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:36.524698019 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:36.524713993 CET	443	49769	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:36.526129007 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:36.527767897 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:36.527784109 CET	443	49769	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:36.530169964 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:36.530184984 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:36.531673908 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:36.531811953 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:36.531822920 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:36.539597034 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:36.539622068 CET	443	49771	35.201.103.21	192.168.2.5
Oct 28, 2024 18:27:36.540199041 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:36.541615009 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:36.541621923 CET	443	49771	35.201.103.21	192.168.2.5
Oct 28, 2024 18:27:37.100780964 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.100891113 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.105398893 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.105410099 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.105732918 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.108306885 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.108432055 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.108664989 CET	443	49767	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.109163046 CET	49767	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.113306046 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:37.118626118 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:37.145349979 CET	443	49769	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:37.145442009 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:37.150805950 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:37.150823116 CET	443	49769	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:37.150914907 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:37.151180983 CET	443	49769	35.190.72.216	192.168.2.5
Oct 28, 2024 18:27:37.151336908 CET	49769	443	192.168.2.5	35.190.72.216
Oct 28, 2024 18:27:37.154369116 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.154527903 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.157838106 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.157849073 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.158077955 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.161339998 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.161429882 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.161498070 CET	443	49768	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.164676905 CET	49768	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.170429945 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:37.170533895 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:37.173348904 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:37.173360109 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:37.173744917 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:37.175421000 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:37.175602913 CET	443	49770	151.101.193.91	192.168.2.5
Oct 28, 2024 18:27:37.179424047 CET	443	49771	35.201.103.21	192.168.2.5
Oct 28, 2024 18:27:37.181852102 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:37.182001114 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:37.186801910 CET	49770	443	192.168.2.5	151.101.193.91
Oct 28, 2024 18:27:37.191965103 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:37.191981077 CET	443	49771	35.201.103.21	192.168.2.5
Oct 28, 2024 18:27:37.192061901 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:37.192162037 CET	443	49771	35.201.103.21	192.168.2.5
Oct 28, 2024 18:27:37.194185019 CET	49771	443	192.168.2.5	35.201.103.21
Oct 28, 2024 18:27:37.208581924 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.208631039 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.211236000 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.211271048 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.213088989 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.213211060 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.213350058 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.213366032 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.213454962 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.213474035 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.213540077 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.213552952 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.214534044 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.214787960 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.214795113 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.216474056 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.216526031 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.216645002 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.216753006 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.216770887 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.241210938 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:37.246493101 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:37.252008915 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:37.297687054 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:37.372653008 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:37.413626909 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:37.818464041 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.820620060 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.826714993 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.827337027 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.827338934 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.832283020 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.835340023 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.838416100 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.838433981 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.838435888 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.847345114 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.848526001 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.848531008 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.848763943 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.851802111 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.851813078 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.852098942 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.854774952 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.854784012 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.855114937 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.858696938 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.858722925 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.858724117 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.867527962 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.867537975 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.868563890 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.872235060 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.872338057 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.872422934 CET	443	49778	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.876893997 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.876904011 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.877105951 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.877147913 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.877223969 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.877230883 CET	443	49780	34.149.100.209	192.168.2.5
Oct 28, 2024 18:27:37.877290964 CET	443	49779	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.878990889 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.879009008 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.879051924 CET	49778	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.879065990 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.879065990 CET	49780	443	192.168.2.5	34.149.100.209
Oct 28, 2024 18:27:37.879352093 CET	49779	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.898634911 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.898727894 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:37.899043083 CET	443	49777	35.244.181.201	192.168.2.5
Oct 28, 2024 18:27:37.899348021 CET	49777	443	192.168.2.5	35.244.181.201
Oct 28, 2024 18:27:38.046922922 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.052365065 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.174072027 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.178802013 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.178845882 CET	443	49786	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:38.180022955 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.185265064 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.185265064 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.185286045 CET	443	49786	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:38.190841913 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.222018957 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.311080933 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.368627071 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.789463997 CET	443	49786	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:38.789592981 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.795459032 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.795475960 CET	443	49786	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:38.795583963 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.795655012 CET	443	49786	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:38.795721054 CET	49786	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:38.798546076 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.803904057 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.926089048 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.930376053 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:38.935926914 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:38.986011028 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:39.404126883 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:39.449649096 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:48.930480957 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:48.936286926 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:49.416316986 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:49.421745062 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:58.939227104 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:59.083661079 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:59.084741116 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.084773064 CET	443	49895	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:59.085154057 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.086611032 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.086630106 CET	443	49895	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:59.425124884 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:59.431581974 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:27:59.716597080 CET	443	49895	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:59.716686964 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.721748114 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.721760035 CET	443	49895	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:59.721836090 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.721959114 CET	443	49895	34.107.243.93	192.168.2.5
Oct 28, 2024 18:27:59.722501993 CET	49895	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:27:59.724375010 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:27:59.729713917 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:00.134150028 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:00.137774944 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:00.143346071 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:00.196300030 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:00.263360023 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:00.311779022 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:06.277523041 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.277561903 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.277905941 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.277944088 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.291212082 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.291229963 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.291481972 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.291520119 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.291707993 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.291728020 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.907203913 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.907218933 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.907272100 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.910280943 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.910289049 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.910676003 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.913124084 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.913295031 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.913305044 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.913317919 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.913374901 CET	443	49938	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.915019035 CET	49938	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.915039062 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.919163942 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.919195890 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.919872999 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.921932936 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.922024965 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.922137976 CET	443	49937	34.120.208.123	192.168.2.5
Oct 28, 2024 18:28:06.922547102 CET	49937	443	192.168.2.5	34.120.208.123
Oct 28, 2024 18:28:06.923901081 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:06.929522991 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:07.052841902 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:07.070656061 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:07.076272011 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:07.115554094 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:07.195698977 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:07.247077942 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:14.621408939 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:14.627065897 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:14.749141932 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:14.752429962 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:14.757822990 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:14.796452045 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:14.877701044 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:14.934442043 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:24.763825893 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:24.769387007 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:24.879808903 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:24.886698961 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:34.777045012 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:34.782351017 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:34.908575058 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:34.914091110 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:39.750965118 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:39.751007080 CET	443	50027	34.107.243.93	192.168.2.5
Oct 28, 2024 18:28:39.752661943 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:39.754360914 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:39.754375935 CET	443	50027	34.107.243.93	192.168.2.5
Oct 28, 2024 18:28:40.391272068 CET	443	50027	34.107.243.93	192.168.2.5
Oct 28, 2024 18:28:40.391360044 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:40.397069931 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:40.397078037 CET	443	50027	34.107.243.93	192.168.2.5
Oct 28, 2024 18:28:40.397094011 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:40.397383928 CET	443	50027	34.107.243.93	192.168.2.5
Oct 28, 2024 18:28:40.400089025 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:40.400577068 CET	50027	443	192.168.2.5	34.107.243.93
Oct 28, 2024 18:28:40.406431913 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:40.529122114 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:40.533520937 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:40.539347887 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:40.572056055 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:40.660269976 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:40.710194111 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:50.538343906 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:50.544332027 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:28:50.669877052 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:28:50.675384998 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:29:00.551904917 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:29:00.683630943 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:29:00.687556982 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:29:00.689060926 CET	80	49721	34.107.221.82	192.168.2.5
Oct 28, 2024 18:29:10.700813055 CET	49727	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:29:10.701246977 CET	49721	80	192.168.2.5	34.107.221.82
Oct 28, 2024 18:29:10.706299067 CET	80	49727	34.107.221.82	192.168.2.5
Oct 28, 2024 18:29:10.706594944 CET	80	49721	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 18:27:08.532927036 CET	55204	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:08.635833025 CET	55407	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:08.681809902 CET	53	55204	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:08.707474947 CET	53877	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:08.798593998 CET	57237	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:08.869961023 CET	53	53877	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:08.873198032 CET	55169	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:08.964198112 CET	58148	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.015070915 CET	53	55169	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:09.057363033 CET	52580	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.087717056 CET	53	58148	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:09.097372055 CET	61554	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.098747969 CET	63157	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.231154919 CET	53	61554	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:09.232856989 CET	53	63157	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:09.282331944 CET	58805	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.282712936 CET	62101	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.402616978 CET	53	62101	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:09.782505989 CET	57508	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.793766975 CET	55904	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:09.801270962 CET	57237	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:10.286544085 CET	58805	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:10.783425093 CET	57508	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:10.788155079 CET	55904	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:10.804116011 CET	57237	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:10.950640917 CET	53	57508	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:10.955045938 CET	53	55904	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:11.116985083 CET	53587	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:11.117609978 CET	55921	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:11.280664921 CET	53	53587	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:11.294310093 CET	58805	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:12.117805958 CET	55921	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:12.248672009 CET	53	55921	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:12.808134079 CET	57237	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:12.979495049 CET	53	57237	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:12.980503082 CET	61255	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:12.981400013 CET	49777	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.121911049 CET	53	49777	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:13.123265982 CET	53511	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.294233084 CET	58805	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.463551044 CET	57853	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.668775082 CET	59553	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.671283960 CET	53700	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:13.796968937 CET	53	59553	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:13.983464003 CET	61255	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:14.151324034 CET	53511	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:14.531379938 CET	57853	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:14.669325113 CET	53700	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:14.804944992 CET	53	53700	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:14.981353045 CET	61255	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.121604919 CET	53	61255	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.122811079 CET	50252	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.166212082 CET	53511	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.285068989 CET	53	50252	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.285990953 CET	59751	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.338371992 CET	53	53511	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.340727091 CET	51582	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.445513964 CET	53	59751	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.446822882 CET	54982	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.493308067 CET	53	51582	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.494227886 CET	65220	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:15.645695925 CET	53	65220	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:15.647452116 CET	51151	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:16.452373981 CET	54982	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:16.653714895 CET	51151	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:17.308604002 CET	58805	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:17.455333948 CET	54982	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:17.657776117 CET	51151	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:19.470273018 CET	54982	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:19.671051979 CET	51151	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:19.818753958 CET	53	51151	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:20.093143940 CET	56954	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:20.126056910 CET	63140	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:20.211788893 CET	53	56954	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:20.212783098 CET	49672	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:20.327382088 CET	53	49672	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:21.321938992 CET	62903	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:21.470588923 CET	53	62903	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:21.471627951 CET	49717	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:22.470312119 CET	49717	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:23.473483086 CET	54982	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:23.473575115 CET	49717	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:23.625262976 CET	53	49717	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:23.627046108 CET	53	54982	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:24.200396061 CET	62301	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:24.201041937 CET	51179	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:24.337779999 CET	53	62301	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:24.337788105 CET	53	51179	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:24.338643074 CET	56719	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:24.555397987 CET	53	56719	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:24.648536921 CET	53	51108	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:25.294059038 CET	59221	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:25.295192957 CET	62395	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:25.972405910 CET	62873	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.232450962 CET	53	62873	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.233328104 CET	62462	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.241460085 CET	53	62462	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.242115974 CET	64334	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.250242949 CET	53	64334	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.253478050 CET	50361	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.260761023 CET	53	50361	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.261499882 CET	54564	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.270296097 CET	53	54564	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.271326065 CET	52364	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.279783964 CET	53	52364	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.281128883 CET	59891	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.288810015 CET	53	59891	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.295953989 CET	55820	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.298669100 CET	62395	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.298697948 CET	59221	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.303700924 CET	53	55820	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.305067062 CET	62317	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.305984020 CET	53	59221	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.306261063 CET	53	62395	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.307558060 CET	56446	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.313031912 CET	53	62317	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.315665007 CET	53	56446	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.316394091 CET	51380	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.324960947 CET	53	51380	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.327871084 CET	54480	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.328025103 CET	51622	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.328371048 CET	53636	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.335457087 CET	53	54480	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.336091042 CET	53	51622	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.336111069 CET	64326	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.336627960 CET	53	53636	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.337536097 CET	56102	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:26.344799042 CET	53	64326	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:26.345606089 CET	53	56102	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:27.024566889 CET	64475	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.505008936 CET	56166	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.513355017 CET	53	56166	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.515736103 CET	64760	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.523734093 CET	53	64760	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.529038906 CET	63584	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.531337976 CET	57137	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.536829948 CET	53	63584	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.540143013 CET	56115	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.542195082 CET	53	57137	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.545511961 CET	52704	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.548469067 CET	53	56115	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.553366899 CET	53	52704	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:36.559787035 CET	62437	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:36.568855047 CET	53	62437	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:38.179336071 CET	59708	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:38.187004089 CET	53	59708	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:58.898390055 CET	58955	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:59.083775043 CET	53	58955	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:59.085006952 CET	51760	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:27:59.092595100 CET	53	51760	1.1.1.1	192.168.2.5
Oct 28, 2024 18:27:59.724534035 CET	53048	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:28:06.275723934 CET	56017	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:28:06.283375978 CET	53	56017	1.1.1.1	192.168.2.5
Oct 28, 2024 18:28:39.741940022 CET	62360	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:28:39.749480963 CET	53	62360	1.1.1.1	192.168.2.5
Oct 28, 2024 18:28:39.750309944 CET	64733	53	192.168.2.5	1.1.1.1
Oct 28, 2024 18:28:39.758418083 CET	53	64733	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 18:27:08.532927036 CET	192.168.2.5	1.1.1.1	0xbdfd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.635833025 CET	192.168.2.5	1.1.1.1	0xf11a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.707474947 CET	192.168.2.5	1.1.1.1	0x3621	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.798593998 CET	192.168.2.5	1.1.1.1	0x79b3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.873198032 CET	192.168.2.5	1.1.1.1	0x7b45	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:08.964198112 CET	192.168.2.5	1.1.1.1	0x518b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.057363033 CET	192.168.2.5	1.1.1.1	0x50e0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.097372055 CET	192.168.2.5	1.1.1.1	0xf858	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.098747969 CET	192.168.2.5	1.1.1.1	0x3291	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.282331944 CET	192.168.2.5	1.1.1.1	0x5a02	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:09.282712936 CET	192.168.2.5	1.1.1.1	0x7e82	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:09.782505989 CET	192.168.2.5	1.1.1.1	0x9b16	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.793766975 CET	192.168.2.5	1.1.1.1	0x55bb	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.801270962 CET	192.168.2.5	1.1.1.1	0x79b3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:10.286544085 CET	192.168.2.5	1.1.1.1	0x5a02	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:10.783425093 CET	192.168.2.5	1.1.1.1	0x9b16	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:10.788155079 CET	192.168.2.5	1.1.1.1	0x55bb	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:10.804116011 CET	192.168.2.5	1.1.1.1	0x79b3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:11.116985083 CET	192.168.2.5	1.1.1.1	0xdf9f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:11.117609978 CET	192.168.2.5	1.1.1.1	0x38ba	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:11.294310093 CET	192.168.2.5	1.1.1.1	0x5a02	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:12.117805958 CET	192.168.2.5	1.1.1.1	0x38ba	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:12.808134079 CET	192.168.2.5	1.1.1.1	0x79b3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:12.980503082 CET	192.168.2.5	1.1.1.1	0x30ce	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:12.981400013 CET	192.168.2.5	1.1.1.1	0x7ee2	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.123265982 CET	192.168.2.5	1.1.1.1	0x68e0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:13.294233084 CET	192.168.2.5	1.1.1.1	0x5a02	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:13.463551044 CET	192.168.2.5	1.1.1.1	0x976c	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.668775082 CET	192.168.2.5	1.1.1.1	0x7d0c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.671283960 CET	192.168.2.5	1.1.1.1	0x514f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.983464003 CET	192.168.2.5	1.1.1.1	0x30ce	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:14.151324034 CET	192.168.2.5	1.1.1.1	0x68e0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:14.531379938 CET	192.168.2.5	1.1.1.1	0x976c	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:14.669325113 CET	192.168.2.5	1.1.1.1	0x514f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:14.981353045 CET	192.168.2.5	1.1.1.1	0x30ce	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:15.122811079 CET	192.168.2.5	1.1.1.1	0x2364	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.166212082 CET	192.168.2.5	1.1.1.1	0x68e0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:15.285990953 CET	192.168.2.5	1.1.1.1	0xe188	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:15.340727091 CET	192.168.2.5	1.1.1.1	0xc58d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.446822882 CET	192.168.2.5	1.1.1.1	0x4235	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.494227886 CET	192.168.2.5	1.1.1.1	0x1a3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:15.647452116 CET	192.168.2.5	1.1.1.1	0x3a90	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:16.452373981 CET	192.168.2.5	1.1.1.1	0x4235	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:16.653714895 CET	192.168.2.5	1.1.1.1	0x3a90	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:17.308604002 CET	192.168.2.5	1.1.1.1	0x5a02	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:17.455333948 CET	192.168.2.5	1.1.1.1	0x4235	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:17.657776117 CET	192.168.2.5	1.1.1.1	0x3a90	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:19.470273018 CET	192.168.2.5	1.1.1.1	0x4235	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:19.671051979 CET	192.168.2.5	1.1.1.1	0x3a90	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:20.093143940 CET	192.168.2.5	1.1.1.1	0xf171	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:20.126056910 CET	192.168.2.5	1.1.1.1	0xe6e7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:20.212783098 CET	192.168.2.5	1.1.1.1	0xe6a9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:21.321938992 CET	192.168.2.5	1.1.1.1	0xf8be	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:21.471627951 CET	192.168.2.5	1.1.1.1	0x643	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:22.470312119 CET	192.168.2.5	1.1.1.1	0x643	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:23.473483086 CET	192.168.2.5	1.1.1.1	0x4235	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:23.473575115 CET	192.168.2.5	1.1.1.1	0x643	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:24.200396061 CET	192.168.2.5	1.1.1.1	0x94b5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:24.201041937 CET	192.168.2.5	1.1.1.1	0x213e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:24.338643074 CET	192.168.2.5	1.1.1.1	0x6547	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:25.294059038 CET	192.168.2.5	1.1.1.1	0xa6bc	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:25.295192957 CET	192.168.2.5	1.1.1.1	0x934e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:25.972405910 CET	192.168.2.5	1.1.1.1	0xb4c8	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.233328104 CET	192.168.2.5	1.1.1.1	0x5193	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.242115974 CET	192.168.2.5	1.1.1.1	0x561	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.253478050 CET	192.168.2.5	1.1.1.1	0x2b91	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.261499882 CET	192.168.2.5	1.1.1.1	0x5a0b	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.271326065 CET	192.168.2.5	1.1.1.1	0x41b3	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.281128883 CET	192.168.2.5	1.1.1.1	0xf1bf	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.295953989 CET	192.168.2.5	1.1.1.1	0x7fa8	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.298669100 CET	192.168.2.5	1.1.1.1	0x934e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.298697948 CET	192.168.2.5	1.1.1.1	0xa6bc	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305067062 CET	192.168.2.5	1.1.1.1	0x20ba	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.307558060 CET	192.168.2.5	1.1.1.1	0xddfe	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.316394091 CET	192.168.2.5	1.1.1.1	0x63a7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.327871084 CET	192.168.2.5	1.1.1.1	0xb0cf	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.328025103 CET	192.168.2.5	1.1.1.1	0xc97c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.328371048 CET	192.168.2.5	1.1.1.1	0x96e1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.336111069 CET	192.168.2.5	1.1.1.1	0x7d69	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:26.337536097 CET	192.168.2.5	1.1.1.1	0x4f22	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:27.024566889 CET	192.168.2.5	1.1.1.1	0x6c95	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.505008936 CET	192.168.2.5	1.1.1.1	0x94dd	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 18:27:36.515736103 CET	192.168.2.5	1.1.1.1	0x6f77	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.529038906 CET	192.168.2.5	1.1.1.1	0x397f	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.531337976 CET	192.168.2.5	1.1.1.1	0x2897	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.540143013 CET	192.168.2.5	1.1.1.1	0x5227	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.545511961 CET	192.168.2.5	1.1.1.1	0xb2dc	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 28, 2024 18:27:36.559787035 CET	192.168.2.5	1.1.1.1	0x829f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:38.179336071 CET	192.168.2.5	1.1.1.1	0x2c7b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:58.898390055 CET	192.168.2.5	1.1.1.1	0x3937	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:59.085006952 CET	192.168.2.5	1.1.1.1	0xf891	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:27:59.724534035 CET	192.168.2.5	1.1.1.1	0x481a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:28:06.275723934 CET	192.168.2.5	1.1.1.1	0xb692	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 18:28:39.741940022 CET	192.168.2.5	1.1.1.1	0xa68a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:28:39.750309944 CET	192.168.2.5	1.1.1.1	0x3776	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 18:27:08.681809902 CET	1.1.1.1	192.168.2.5	0xbdfd	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.797349930 CET	1.1.1.1	192.168.2.5	0xf11a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:08.797349930 CET	1.1.1.1	192.168.2.5	0xf11a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:08.869961023 CET	1.1.1.1	192.168.2.5	0x3621	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.015070915 CET	1.1.1.1	192.168.2.5	0x7b45	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:09.087717056 CET	1.1.1.1	192.168.2.5	0x518b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.090428114 CET	1.1.1.1	192.168.2.5	0x1053	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:09.090428114 CET	1.1.1.1	192.168.2.5	0x1053	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.188256025 CET	1.1.1.1	192.168.2.5	0x50e0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:09.188256025 CET	1.1.1.1	192.168.2.5	0x50e0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.231154919 CET	1.1.1.1	192.168.2.5	0xf858	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.232856989 CET	1.1.1.1	192.168.2.5	0x3291	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:09.843024969 CET	1.1.1.1	192.168.2.5	0xe186	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:10.950640917 CET	1.1.1.1	192.168.2.5	0x9b16	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:10.950640917 CET	1.1.1.1	192.168.2.5	0x9b16	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:10.955045938 CET	1.1.1.1	192.168.2.5	0x55bb	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:10.955045938 CET	1.1.1.1	192.168.2.5	0x55bb	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:10.955045938 CET	1.1.1.1	192.168.2.5	0x55bb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:11.280664921 CET	1.1.1.1	192.168.2.5	0xdf9f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:12.248672009 CET	1.1.1.1	192.168.2.5	0x38ba	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:12.248672009 CET	1.1.1.1	192.168.2.5	0x38ba	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:12.979495049 CET	1.1.1.1	192.168.2.5	0x79b3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.121911049 CET	1.1.1.1	192.168.2.5	0x7ee2	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:13.796968937 CET	1.1.1.1	192.168.2.5	0x7d0c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:14.676415920 CET	1.1.1.1	192.168.2.5	0x976c	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:14.804933071 CET	1.1.1.1	192.168.2.5	0x8e5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:14.804944992 CET	1.1.1.1	192.168.2.5	0x514f	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:14.804944992 CET	1.1.1.1	192.168.2.5	0x514f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.121604919 CET	1.1.1.1	192.168.2.5	0x30ce	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 18:27:15.285068989 CET	1.1.1.1	192.168.2.5	0x2364	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.493308067 CET	1.1.1.1	192.168.2.5	0xc58d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:15.645695925 CET	1.1.1.1	192.168.2.5	0x1a3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 18:27:15.851773977 CET	1.1.1.1	192.168.2.5	0x8cfa	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:15.851773977 CET	1.1.1.1	192.168.2.5	0x8cfa	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:20.211788893 CET	1.1.1.1	192.168.2.5	0xf171	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:20.241082907 CET	1.1.1.1	192.168.2.5	0xe6e7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:20.241082907 CET	1.1.1.1	192.168.2.5	0xe6e7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:20.244417906 CET	1.1.1.1	192.168.2.5	0x1e34	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:21.470588923 CET	1.1.1.1	192.168.2.5	0xf8be	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:23.627046108 CET	1.1.1.1	192.168.2.5	0x4235	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:23.627046108 CET	1.1.1.1	192.168.2.5	0x4235	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:23.627046108 CET	1.1.1.1	192.168.2.5	0x4235	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:24.337779999 CET	1.1.1.1	192.168.2.5	0x94b5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:24.337788105 CET	1.1.1.1	192.168.2.5	0x213e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.232450962 CET	1.1.1.1	192.168.2.5	0xb4c8	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:26.232450962 CET	1.1.1.1	192.168.2.5	0xb4c8	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.241460085 CET	1.1.1.1	192.168.2.5	0x5193	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.250242949 CET	1.1.1.1	192.168.2.5	0x561	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 28, 2024 18:27:26.260761023 CET	1.1.1.1	192.168.2.5	0x2b91	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:26.260761023 CET	1.1.1.1	192.168.2.5	0x2b91	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.260761023 CET	1.1.1.1	192.168.2.5	0x2b91	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.260761023 CET	1.1.1.1	192.168.2.5	0x2b91	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.260761023 CET	1.1.1.1	192.168.2.5	0x2b91	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.270296097 CET	1.1.1.1	192.168.2.5	0x5a0b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.270296097 CET	1.1.1.1	192.168.2.5	0x5a0b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.270296097 CET	1.1.1.1	192.168.2.5	0x5a0b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.270296097 CET	1.1.1.1	192.168.2.5	0x5a0b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.288810015 CET	1.1.1.1	192.168.2.5	0xf1bf	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.303700924 CET	1.1.1.1	192.168.2.5	0x7fa8	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.305984020 CET	1.1.1.1	192.168.2.5	0xa6bc	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.306261063 CET	1.1.1.1	192.168.2.5	0x934e	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:26.306261063 CET	1.1.1.1	192.168.2.5	0x934e	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.315665007 CET	1.1.1.1	192.168.2.5	0xddfe	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.324960947 CET	1.1.1.1	192.168.2.5	0x63a7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.335457087 CET	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.336091042 CET	1.1.1.1	192.168.2.5	0xc97c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:26.344799042 CET	1.1.1.1	192.168.2.5	0x7d69	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:26.344799042 CET	1.1.1.1	192.168.2.5	0x7d69	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:26.344799042 CET	1.1.1.1	192.168.2.5	0x7d69	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:26.344799042 CET	1.1.1.1	192.168.2.5	0x7d69	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 18:27:27.033440113 CET	1.1.1.1	192.168.2.5	0x6c95	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:27.033440113 CET	1.1.1.1	192.168.2.5	0x6c95	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.523734093 CET	1.1.1.1	192.168.2.5	0x6f77	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.523734093 CET	1.1.1.1	192.168.2.5	0x6f77	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.523734093 CET	1.1.1.1	192.168.2.5	0x6f77	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.523734093 CET	1.1.1.1	192.168.2.5	0x6f77	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.536829948 CET	1.1.1.1	192.168.2.5	0x397f	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:36.536829948 CET	1.1.1.1	192.168.2.5	0x397f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.542195082 CET	1.1.1.1	192.168.2.5	0x2897	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.542195082 CET	1.1.1.1	192.168.2.5	0x2897	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.542195082 CET	1.1.1.1	192.168.2.5	0x2897	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.542195082 CET	1.1.1.1	192.168.2.5	0x2897	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:36.548469067 CET	1.1.1.1	192.168.2.5	0x5227	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:38.142141104 CET	1.1.1.1	192.168.2.5	0x47f1	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:38.142141104 CET	1.1.1.1	192.168.2.5	0x47f1	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:59.083775043 CET	1.1.1.1	192.168.2.5	0x3937	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:27:59.732120991 CET	1.1.1.1	192.168.2.5	0x481a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 18:27:59.732120991 CET	1.1.1.1	192.168.2.5	0x481a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:28:06.261665106 CET	1.1.1.1	192.168.2.5	0x5016	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 18:28:39.749480963 CET	1.1.1.1	192.168.2.5	0xa68a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	34.107.221.82	80	5612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 18:27:09.777246952 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:10.186177015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:10.945646048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10044 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:11.957366943 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10044 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.107.221.82	80	5612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 18:27:14.111157894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:14.824146032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:15.157130957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:15.509706020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:16.181108952 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:17.525479078 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:20.125927925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:20.358814001 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16415 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:22.005773067 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:22.316469908 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:22.553611994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16417 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:26.355561018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:26.663072109 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:27.158293009 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:27.283763885 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16422 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:28.773416042 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:28.898397923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16423 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:37.246493101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:37.372653008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16432 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:38.185265064 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:38.311080933 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16433 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:38.930376053 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:27:39.404126883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16434 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:27:49.416316986 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:27:59.425124884 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:28:00.137774944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:28:00.263360023 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16455 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:28:07.070656061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:28:07.195698977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16462 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:28:14.752429962 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:28:14.877701044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16469 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:28:24.879808903 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:28:34.908575058 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:28:40.533520937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 18:28:40.660269976 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 16495 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 18:28:50.669877052 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:29:00.683630943 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:29:10.701246977 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49727	34.107.221.82	80	5612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 18:27:15.997775078 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:16.621781111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:17.470954895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:17.770723104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10051 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:20.128694057 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:20.362536907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10054 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:22.071978092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:22.416742086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:22.755469084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:23.419651985 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:24.745718956 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:26.065119982 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:26.350148916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10060 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:27.024251938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:27.152861118 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10061 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:27.649642944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:27.777183056 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10061 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:37.113306046 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:37.241210938 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10071 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:38.046922922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:38.174072027 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:38.798546076 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:27:38.926089048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:27:48.930480957 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:27:58.939227104 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:27:59.724375010 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:28:00.134150028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10093 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:28:06.923901081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:28:07.052841902 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10100 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:28:14.621408939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:28:14.749141932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10108 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:28:24.763825893 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:28:34.777045012 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:28:40.400089025 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 18:28:40.529122114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 10134 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 18:28:50.538343906 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:29:00.551904917 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 18:29:10.700813055 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	13:27:01
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb60000
File size:	919'552 bytes
MD5 hash:	36E326562CCFC7504F9D23095789964A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:27:01
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xa90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:27:01
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:27:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xa90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:27:03
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:27:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xa90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xa90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xa90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:27:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:27:05
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43e39a0-cc16-484a-9b18-44609e3e176e} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca56e310 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:27:07
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=948 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4180 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e99635-fe3b-45d9-8cee-0516a7b7dc3a} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224ca57d810 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	13:27:13
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4540 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63adc83-332e-472f-8367-08683521a553} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" 224dc47e510 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1573
Total number of Limit Nodes:	49

Executed Functions

Function 00B642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B6430D

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetCurrentProcess.KERNEL32(?,00BFCB64,00000000,?,?), ref: 00B64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B644A0

Strings

|O, xrefs: 00BA36F8
GetNativeSystemInfo, xrefs: 00B64460
kernel32.dll, xrefs: 00B6444F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction ID: 1dbe50aecfd7d6a5b96f91be9337c7c13af949a556d9d2477149b227072273ab
Opcode Fuzzy Hash: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction Fuzzy Hash: 69A1927597E6C4DFC791D7697C827AD7FE4AB27700B0C48D9E84193B32DA244A48CB21

Function 00B642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642C9
LoadResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35D3
LockResource.KERNEL32(00B650AA,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20,?), ref: 00BA35E6

Strings

SCRIPT, xrefs: 00B642BF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction ID: 90e7b3c68415bbf48626b3781c966682ce71b214e5e6dc4d7141d02f7402a949
Opcode Fuzzy Hash: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction Fuzzy Hash: 6B115A70201604AFDB218B65DD58F277BB9EBC5B51F2081A9F40297260DB71D854CA20

Function 00BA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C22224), ref: 00BA2C10
ShellExecuteW.SHELL32(00000000,?,?,00C22224), ref: 00BA2C17

Strings

runas, xrefs: 00BA2C0B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction ID: a09d71e5130bef8387738d0374481a7820e926ba06faff045e1ef62ae1cad406
Opcode Fuzzy Hash: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction Fuzzy Hash: 8811E931208345AED704FF64D951ABEBBE4DF95750F4C04ADF582531A2CF39894AD712

Function 00BCD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BCD52F
CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction ID: 9a9cbc824439486fa0da18bf77fc843f520cee8daff6f58a676b808f01bd2563
Opcode Fuzzy Hash: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction Fuzzy Hash: DB319F711083009FD300EF54C881FAFBBE8EFA9354F14096DF585971A1EB719A88CBA2

Function 00BCDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00BA5222), ref: 00BCDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00BCDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00BCDBEE
FindClose.KERNEL32(00000000), ref: 00BCDBFA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction ID: 20dcd2d4351e2390746503bd065cf1a66fb5f0a1e56caf8a70a798773b412206
Opcode Fuzzy Hash: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction Fuzzy Hash: 9BF0A0308109185782206F7CAE0D9BB3BACDE01334B104B5AF836C30E0EFB06994C695

Function 00B84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D09
TerminateProcess.KERNEL32(00000000,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D10
ExitProcess.KERNEL32 ref: 00B84D22

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction ID: c7544d572e245b2563579628f0ef3d932c1a3500df1d4fda6ea8bec8bf7305d5
Opcode Fuzzy Hash: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction Fuzzy Hash: C4E0B631004149ABCF12BF54DE09A687FA9EB42781B104064FC059B132CB35EE92DB84

Function 00BEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1D4
_wcslen.LIBCMT ref: 00BEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB236
_wcslen.LIBCMT ref: 00BEB332

Part of subcall function 00BD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6

_wcslen.LIBCMT ref: 00BEB34B
_wcslen.LIBCMT ref: 00BEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BEB3B6
GetLastError.KERNEL32(00000000), ref: 00BEB407
CloseHandle.KERNEL32(?), ref: 00BEB439
CloseHandle.KERNEL32(00000000), ref: 00BEB44A
CloseHandle.KERNEL32(00000000), ref: 00BEB45C
CloseHandle.KERNEL32(00000000), ref: 00BEB46E
CloseHandle.KERNEL32(?), ref: 00BEB4E3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3dd0db4a07c2cbbe022fc17decd21f6b44aefd91b004b27b794f7142a0441f69
Instruction ID: e1f655454cecd9d4be42776e6c20774e61b2d3d983d99146565ce2dccf2789aa
Opcode Fuzzy Hash: 3dd0db4a07c2cbbe022fc17decd21f6b44aefd91b004b27b794f7142a0441f69
Instruction Fuzzy Hash: 5CF15A315082409FC714EF25C891F6BBBE5EF85314F14859DF89A9B2A2DB35EC44CB52

Function 00B6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B6D807
timeGetTime.WINMM ref: 00B6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB28
TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNELBASE(0000000A), ref: 00B6DBB1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bc6af1be42284648f1e722c1fdac8e2ae3466daf50e42884a4a4043a5346c786
Instruction ID: 8784bf7612ef82eebcbf1923cc9455d19caf12665127055079a5e6c0b8c19bf0
Opcode Fuzzy Hash: bc6af1be42284648f1e722c1fdac8e2ae3466daf50e42884a4a4043a5346c786
Instruction Fuzzy Hash: 3A42C230B08645DFD728CF24C894BBABBE0FF45304F5886A9E56587291D7B4E844CB92

Function 00B62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62D07
RegisterClassExW.USER32(00000030), ref: 00B62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
LoadIconW.USER32(000000A9), ref: 00B62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

+, xrefs: 00B62CF0
0, xrefs: 00B62CE9
TaskbarCreated, xrefs: 00B62D37
AutoIt v3 GUI, xrefs: 00B62D23

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction ID: f2056b32ee1e4a781b05841c200f1e6994df85dfdda85d5862c7196bee0e9b74
Opcode Fuzzy Hash: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction Fuzzy Hash: 4E21B2B591131CAFDB00DFA4E949BEDBFB4FB08700F04811AEA11A72A0DBB15584CF95

Function 00BA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

GetLastError.KERNEL32 ref: 00BA076F
__dosmaperr.LIBCMT ref: 00BA0776
GetFileType.KERNELBASE(00000000), ref: 00BA0782
GetLastError.KERNEL32 ref: 00BA078C
__dosmaperr.LIBCMT ref: 00BA0795
CloseHandle.KERNEL32(00000000), ref: 00BA07B5
CloseHandle.KERNEL32(?), ref: 00BA08FF
GetLastError.KERNEL32 ref: 00BA0931
__dosmaperr.LIBCMT ref: 00BA0938

Strings

H, xrefs: 00BA08BD

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction ID: 979a1bb38ae0285b910a144d3b9f93ce1600edeb5e661e73dcee0ea699b8e00f
Opcode Fuzzy Hash: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction Fuzzy Hash: ABA10932A281098FDF19BF68D851BAE7BE0EB0A324F140199F815DB291DB359D12CB95

Function 00B6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BA31CE
RegCloseKey.ADVAPI32(?), ref: 00BA3210
_wcslen.LIBCMT ref: 00BA3277
_wcslen.LIBCMT ref: 00BA3286

Strings

\Include\, xrefs: 00B63527
Software\AutoIt v3\AutoIt, xrefs: 00B63560
Include, xrefs: 00BA3184, 00BA31C5
\, xrefs: 00BA328C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: df283a048c0cfde025cdb7d60de8b8a69c51adc6f8facccfe788860dc96971d0
Instruction ID: 7179be431f52bea53873614262637f4f1c3eae99d3b6385805afb7b0685b4c64
Opcode Fuzzy Hash: df283a048c0cfde025cdb7d60de8b8a69c51adc6f8facccfe788860dc96971d0
Instruction Fuzzy Hash: C4718A714183059ECB54EF65EC82AAFBBE8FF95740F40486EF545931B0EB349A48CB62

Function 00B62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B62B9D
LoadIconW.USER32(00000063), ref: 00B62BB3
LoadIconW.USER32(000000A4), ref: 00B62BC5
LoadIconW.USER32(000000A2), ref: 00B62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B62BEF
RegisterClassExW.USER32(?), ref: 00B62C40

Part of subcall function 00B62CD4: GetSysColorBrush.USER32(0000000F), ref: 00B62D07
Part of subcall function 00B62CD4: RegisterClassExW.USER32(00000030), ref: 00B62D31
Part of subcall function 00B62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
Part of subcall function 00B62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
Part of subcall function 00B62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
Part of subcall function 00B62CD4: LoadIconW.USER32(000000A9), ref: 00B62D85
Part of subcall function 00B62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

AutoIt v3, xrefs: 00B62C2F
0, xrefs: 00B62C0F
#, xrefs: 00B62C16

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction ID: 1645c6a3200eb7b17256c156a0bc03978a0a3553fafd9b23f7e1fa74b816f783
Opcode Fuzzy Hash: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction Fuzzy Hash: E1214971E20318AFDB509FA6ED45BADBFB4FB08B50F08005AEA00A76B0D7B10954CF90

Function 00B63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B6316A,?,?), ref: 00B631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B6316A,?,?), ref: 00B63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B6316A,?,?), ref: 00B63232
CreatePopupMenu.USER32 ref: 00B63246
PostQuitMessage.USER32(00000000), ref: 00B63267

Strings

TaskbarCreated, xrefs: 00B6322D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction ID: 9579ef90e2b21c879097ff61bcd7ee2973574db7148cb20efdaeeef9ae15b4b5
Opcode Fuzzy Hash: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction Fuzzy Hash: 45411831264204ABDF146B7C9D99B7D3AD9EB06B50F0801A5FE02D72A1CB799E80DB61

Function 00B61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B61459
CoUninitialize.COMBASE ref: 00B614F8
UnregisterHotKey.USER32(?), ref: 00B616DD
DestroyWindow.USER32(?), ref: 00BA24B9
FreeLibrary.KERNEL32(?), ref: 00BA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA254B

Strings

close all, xrefs: 00B61454

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bac596bddf08069de94ca2cd235a0c6160182608b19334b3365cd68475665149
Instruction ID: 8bc636c9a8e1ea28f5bfa687a9a519c3b387635fdab19a097fa79ae7dc5e928f
Opcode Fuzzy Hash: bac596bddf08069de94ca2cd235a0c6160182608b19334b3365cd68475665149
Instruction Fuzzy Hash: BBD17A31B062128FCB19EF19C995A29F7E4FF15700F1885EDE44A6B261DB30AD12CF50

Function 00B62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CCF

Strings

AutoIt v3, xrefs: 00B62C89, 00B62C8E, 00B62C8F
edit, xrefs: 00B62CAC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction ID: d152f9f95494e02e3bf0b5cc80681b2fbe1c219c39ed3e06aa4abd18e382f03f
Opcode Fuzzy Hash: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction Fuzzy Hash: AEF0DA755502987EEB711B17AC08FBB6EBDD7C6F50B04405AFE04A35B0C6615898DEB0

Function 00B63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B83

Strings

Control Panel\Mouse, xrefs: 00B63B3E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction ID: fb74a1526914a202e27c69ab16e28094c7332741c717dea93dddd6565c40903a
Opcode Fuzzy Hash: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction Fuzzy Hash: 951157B1610208FFDB208FA4DC84EEEBBF8EF05B40B1484AAE901D7110E6319E409BA0

Function 00B63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BA33A2

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Strings

Line: , xrefs: 00BA33EB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction ID: 715ac9b7d6644f5ab6df6c8aecec7c74482d60e9d6f46bcb94b446fcd34da6b6
Opcode Fuzzy Hash: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction Fuzzy Hash: 6831D271408304AED725EB20DC45BEFB7D8AF40B10F0845AAF59A931E1DF789A48CBC6

Function 00B7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80668

Part of subcall function 00B832A4: RaiseException.KERNEL32(?,?,?,00B8068A,?,00C31444,?,?,?,?,?,?,00B8068A,00B61129,00C28738,00B61129), ref: 00B83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

Strings

Unknown exception, xrefs: 00B80692

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1d51f075584bf777bc112693c7c30fff1424e29c42ef4a1028a9156597aae353
Instruction ID: 47c005a4a9fa5d52c66e64da7983987cc9b6ec5b33b5b10ffdf733e99523b922
Opcode Fuzzy Hash: 1d51f075584bf777bc112693c7c30fff1424e29c42ef4a1028a9156597aae353
Instruction Fuzzy Hash: FFF0C83490020EB78B14BA64E886CAD77EC9E00750B6085F1B928965B1EF71DA5DC794

Function 00B610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Part of subcall function 00B61B4A: RegisterWindowMessageW.USER32(00000004,?,00B612C4), ref: 00B61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6136A
OleInitialize.OLE32 ref: 00B61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BA24AB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction ID: 714a5882653e6f94f6da1f85f4bf4e8df5c1b6bb42233e6c8945dfcfb7976d4f
Opcode Fuzzy Hash: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction Fuzzy Hash: DA71EAB59313048FC784EFB9A9457AD3AE0FB8934071D866AED0AC73A1EB344445CF59

Function 00BCC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BCC259
KillTimer.USER32(?,00000001,?,?), ref: 00BCC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BCC270

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction ID: 2b763749cf961eaf87f9d957e5f32e10410dd41bb990b927caf7eeea3904d18f
Opcode Fuzzy Hash: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction Fuzzy Hash: D0319170904344AFEB729F648895BEBBFECAB26308F0404DED6DEA7241C7745A84CB51

Function 00B986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B985CC,?,00C28CC8,0000000C), ref: 00B98704
GetLastError.KERNEL32(?,00B985CC,?,00C28CC8,0000000C), ref: 00B9870E
__dosmaperr.LIBCMT ref: 00B98739

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction ID: f15f9d2fa204843af4b4d74f50e35f0100ef725e44a961ea1a5898a37b27a80b
Opcode Fuzzy Hash: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction Fuzzy Hash: B8012633A0962027DE356274A845B7E6BD98B83774F3901F9F9198F1D2DEB48C81C294

Function 00B6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNELBASE(0000000A), ref: 00B6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00BB1CC9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction ID: 2f6c0029be1538dae536d6fe47405864b49fc922ba0841663d4c5c73a34dc9d2
Opcode Fuzzy Hash: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction Fuzzy Hash: 14F05E316143449BEB30DBA08C99FFA77E8EB48310F544959E61A870D0DB74A488CB16

Function 00B71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B717F6

Strings

CALL, xrefs: 00B717C6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e61fe0d00386d7c23c7e27ef2205c01a369d322e21e960c235a75e27bbe6c79f
Instruction ID: 2eb3834fad85307dbf2d9587a7f03e02904d75c17e6e4ed2db7dfb29ea9422e3
Opcode Fuzzy Hash: e61fe0d00386d7c23c7e27ef2205c01a369d322e21e960c235a75e27bbe6c79f
Instruction Fuzzy Hash: 6C2289706082019FC714DF18C490A6ABBF1FF95314F1489ADF4AA8B3A1D775ED45CBA2

Function 00B62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BA2C8C

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00B62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Strings

X, xrefs: 00BA2C5A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction ID: 05bd0b9527b1892c66f3430bbf4c9182a476e0bd6b952cc424edbf4892f79365
Opcode Fuzzy Hash: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction Fuzzy Hash: 3221A571A002989FDF41EF98D845BEE7BF8EF49714F008099E505A7241DFB85A89CF61

Function 00B63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction ID: 65c30d81396580b22907a0cc207a648bdc697252df72aebf58ae6957c8e20dd9
Opcode Fuzzy Hash: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction Fuzzy Hash: 3831A2705047019FD760DF24D8847DBBBE8FB49B08F04096EFA9A83290E775AA44CB52

Function 00B7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B7F661

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

Sleep.KERNEL32(00000000), ref: 00BBF2DE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction ID: 76174f5aa5c7ffa12633d390bbb6ffc52ec6acc3e9842a66673a0def6fa836a4
Opcode Fuzzy Hash: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction Fuzzy Hash: 41F08C312402059FD310EF69D959FBABBE8EF55760F0040B9E85AC7361EB70AC40CB91

Function 00B64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
Part of subcall function 00B64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
Part of subcall function 00B64E90: FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EFD

Part of subcall function 00B64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
Part of subcall function 00B64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
Part of subcall function 00B64E59: FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction ID: bbf1136367744c18312e96bc89b6bfd968333a87e7f25c01dd4cd029ebe316c9
Opcode Fuzzy Hash: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction Fuzzy Hash: 7E112332600705AACB25BB60DC02FED77E4AF40B10F2084AEF546A71D1EF799A459B90

Function 00B98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B98440

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction ID: 3cfaca47b8c41f26a7534fb45046bb09d2ad4ceb958e256927b467edb2852220
Opcode Fuzzy Hash: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction Fuzzy Hash: 5A11187590410AAFCF05DF58E941A9E7BF5EF49314F1040A9F808AB312DA31DA11CBA5

Function 00B95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B94C7D: RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

_free.LIBCMT ref: 00B9506C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e46bc4a4a80094c2dddfd3812bb978b8aa564257df86e5c929dfed6acf3221a8
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4A0126726447056BEB328F659881A5AFBE8FB89370F25067DE18483280EA30A805C7B4

Function 00B8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 843299ac119ce96f31a33c8428911f700e8bdf12ec91f8a774d7fa2e90c25d91
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 89F0F432510A14A6DA313A69DC05B5A37D89F53330F1407F6F434962F2EB74D802CBA5

Function 00B94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction ID: 0e1d47889ad0f31a23e5040a5e872804b21eb8cf756c011329229d7f10634d10
Opcode Fuzzy Hash: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction Fuzzy Hash: A6F0B4316022256EDF216F729C05F5B37E8FF417A1B1542B5B819A7191CB70D802C6A0

Function 00B93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction ID: 9a57fe23ee88494276b1ea98af9a26c3360b1144ed6125eed39fb71ebca2468c
Opcode Fuzzy Hash: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction Fuzzy Hash: A8E0E5311006259ADE213A679C84B9A36C9EF42FB0F1500F1BD05928A0DB10DE01D3E0

Function 00B64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64F6D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction ID: d00264b31117becdeeab14f33713bd587b4a4ba9b84c3e78c62e7e170cee7826
Opcode Fuzzy Hash: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction Fuzzy Hash: ACF03071105B51CFDB389F64D490822BBE4EF1431931089BEE1EE83521CB359844DF10

Function 00BF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BF2A66

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction ID: 70f1b3e0ea44646919c4417a077a7541c5ec97040be16b3c0cbbe583c3d65b79
Opcode Fuzzy Hash: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction Fuzzy Hash: 0BE04F3635411AAAC714EB30EC809FAB7DCEB5039571045BAAD56D3100EB309A99D6A0

Function 00B630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction ID: 87e34a5fdf57c5ff1f0df8bfb51420d300e4b1b119658307f29037de7c93e364
Opcode Fuzzy Hash: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction Fuzzy Hash: 79F037709143189FEB929B24DC457D97BFCA701708F0400E5A54897291DB745788CF51

Function 00B62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction ID: 41e37ecc4d51e391596d02710fb86e3fd042a8dc7651a1f20ea25244f9498668
Opcode Fuzzy Hash: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction Fuzzy Hash: BEE0CD766041245BC710965C9C06FEA77DDDFC8790F0440B1FD09D7248D964AD80C550

Function 00B62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction ID: 59ec40c68d448488f95245932435815bc0040495fc7400094f295e4faf94ce1b
Opcode Fuzzy Hash: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction Fuzzy Hash: 64E0CD317042840BCA08BB75A8526BDF7D9DBD1751F4419BEF546431A3CF3D49498352

Function 00BA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction ID: 1536021126fcaccfb6c8da31c26aa86778ab0494f2377f1aa97fcf891fbedf8c
Opcode Fuzzy Hash: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction Fuzzy Hash: 36D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E971EB90

Function 00B61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B61CBC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction ID: 47db01a20c56d3fe3aaf6db96fe3e3f97650eb12e61011dd03924c4fb6945017
Opcode Fuzzy Hash: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction Fuzzy Hash: 63C09236290308AFF6148B80BD4BF287B64A358B01F088001FA09AB5F3C7A22864EA50

Non-executed Functions

Function 00BF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF96C9
SendMessageW.USER32 ref: 00BF96F2
GetKeyState.USER32(00000011), ref: 00BF978B
GetKeyState.USER32(00000009), ref: 00BF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF97AE
GetKeyState.USER32(00000010), ref: 00BF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF97E9
SendMessageW.USER32 ref: 00BF9810
SendMessageW.USER32(?,00001030,?,00BF7E95), ref: 00BF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BF9941
SetCapture.USER32(?), ref: 00BF994A
ClientToScreen.USER32(?,?), ref: 00BF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF99D6
ReleaseCapture.USER32 ref: 00BF99E1
GetCursorPos.USER32(?), ref: 00BF9A19
ScreenToClient.USER32(?,?), ref: 00BF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9A80
SendMessageW.USER32 ref: 00BF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9AEB
SendMessageW.USER32 ref: 00BF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BF9B4A
GetCursorPos.USER32(?), ref: 00BF9B68
ScreenToClient.USER32(?,?), ref: 00BF9B75
GetParent.USER32(?), ref: 00BF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9BFA
SendMessageW.USER32 ref: 00BF9C2B
ClientToScreen.USER32(?,?), ref: 00BF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9CDE
SendMessageW.USER32 ref: 00BF9D01
ClientToScreen.USER32(?,?), ref: 00BF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BF9D82

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetWindowLongW.USER32(?,000000F0), ref: 00BF9E05

Strings

F, xrefs: 00BF9D07
@GUI_DRAGID, xrefs: 00BF997D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction ID: bf1036f9883fc9924598a2981710cad81fa117034cbd3d62fa7faad7aafd9ba8
Opcode Fuzzy Hash: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction Fuzzy Hash: 7B428D34204209AFDB24DF24CD84BBABBE5FF49710F144699F699C72A1DB31A898CF51

Function 00BF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A7E
IsMenu.USER32(?), ref: 00BF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BF4C82
wsprintfW.USER32 ref: 00BF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4D5A

Strings

%d/%02d/%02d, xrefs: 00BF4CA8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 330cfb1686a9cb35959bcebada05d1a4ffe75b3ffe76d5986999197ecb9cd4d3
Instruction ID: f0acfa45b78fd4878151f6dd17c84209c81f0449f8b871a0477bc1a19d350465
Opcode Fuzzy Hash: 330cfb1686a9cb35959bcebada05d1a4ffe75b3ffe76d5986999197ecb9cd4d3
Instruction Fuzzy Hash: 6812CF71600259ABEB248F28CC49FBF7BF8EF45710F1041A9FA1ADB2A1DB749945CB50

Function 00B7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BBF474
IsIconic.USER32(00000000), ref: 00BBF47D
ShowWindow.USER32(00000000,00000009), ref: 00BBF48A
SetForegroundWindow.USER32(00000000), ref: 00BBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4AA
GetCurrentThreadId.KERNEL32 ref: 00BBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BBF4DE
SetForegroundWindow.USER32(00000000), ref: 00BBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF4F6
keybd_event.USER32(00000012,00000000), ref: 00BBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF50B
keybd_event.USER32(00000012,00000000), ref: 00BBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF519
keybd_event.USER32(00000012,00000000), ref: 00BBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF528
keybd_event.USER32(00000012,00000000), ref: 00BBF52D
SetForegroundWindow.USER32(00000000), ref: 00BBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BBF557

Strings

Shell_TrayWnd, xrefs: 00BBF46F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction ID: 6f2303501006fc0fbbe1594c6e0819deafddc60eb9b4ac265eb85b1f339215d6
Opcode Fuzzy Hash: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction Fuzzy Hash: E2314F71A4021DBBEB206BB55D4AFBF7EACEB44B50F100065FA01E71D1CBB19D40EAA0

Function 00BC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BC12A8
CloseHandle.KERNEL32(?), ref: 00BC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BC12D1
GetProcessWindowStation.USER32 ref: 00BC12EA
SetProcessWindowStation.USER32(00000000), ref: 00BC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BC1310

Part of subcall function 00BC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
Part of subcall function 00BC10BF: CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Strings

, xrefs: 00BC125A
winsta0, xrefs: 00BC12CC
default, xrefs: 00BC130B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cbb436e55118b9b5efd6eb8598c3dc228182a11627d110b125bee56c1c3484ad
Instruction ID: 9b73bf645e1938dbf2bd310cc06b289795f79b91475d494bc70968c617f2892a
Opcode Fuzzy Hash: cbb436e55118b9b5efd6eb8598c3dc228182a11627d110b125bee56c1c3484ad
Instruction Fuzzy Hash: 15817871900209ABDF259FA8DD49FEE7BB9EF05704F1445A9F910B72A2DB308984CF60

Function 00BC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0C00
GetLengthSid.ADVAPI32(?), ref: 00BC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0C6D
GetLengthSid.ADVAPI32(?), ref: 00BC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0CB4
CopySid.ADVAPI32(00000000), ref: 00BC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D45
HeapFree.KERNEL32(00000000), ref: 00BC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D55
HeapFree.KERNEL32(00000000), ref: 00BC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D65
HeapFree.KERNEL32(00000000), ref: 00BC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0D78
HeapFree.KERNEL32(00000000), ref: 00BC0D7F

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction ID: 59750d439d50d0531e688b5e40e1e8dd2db01ed4be20587950c4ef35a9dbb9c0
Opcode Fuzzy Hash: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction Fuzzy Hash: 2E715C7290020AEBDF10EFA4DD44FAEBBB8FF04700F1446A9E915E7191DB71AA45CB60

Function 00BDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BFCC08), ref: 00BDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BDEB37
GetClipboardData.USER32(0000000D), ref: 00BDEB43
CloseClipboard.USER32 ref: 00BDEB4F
GlobalLock.KERNEL32(00000000), ref: 00BDEB87
CloseClipboard.USER32 ref: 00BDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00BDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00BDEBC9
GetClipboardData.USER32(00000001), ref: 00BDEBD1
GlobalLock.KERNEL32(00000000), ref: 00BDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00BDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BDEC38
GetClipboardData.USER32(0000000F), ref: 00BDEC44
GlobalLock.KERNEL32(00000000), ref: 00BDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00BDECF3
CountClipboardFormats.USER32 ref: 00BDED14
CloseClipboard.USER32 ref: 00BDED59

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction ID: dba7c4042ec047c30d9c36c963c0e20cf1a280dc140eeed80a5a3810300274c7
Opcode Fuzzy Hash: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction Fuzzy Hash: C6619F34204206AFD300EF24D985F3ABBE4EF84714F14459AF4669B3A1EF31E949CB62

Function 00BD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD69BE
FindClose.KERNEL32(00000000), ref: 00BD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A75

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00BD6B6A
%02d, xrefs: 00BD6C00, 00BD6C0A, 00BD6C5A, 00BD6CAA, 00BD6CFA, 00BD6D4A
%03d, xrefs: 00BD6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BD6B32
%4d, xrefs: 00BD6BB1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction ID: 645c0ce30bd43c8367799652124b65aff21d8a1558a4cb0429122284c0f19f3c
Opcode Fuzzy Hash: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction Fuzzy Hash: 2FD14171508340AFC714DBA4C981EABB7ECEF98704F04495EF589D7251EB78DA44CB62

Function 00BD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BD9663
GetFileAttributesW.KERNEL32(?), ref: 00BD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00BD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00BD96D3
FindClose.KERNEL32(00000000), ref: 00BD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD974A
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD9772
FindClose.KERNEL32(00000000), ref: 00BD977F
FindClose.KERNEL32(00000000), ref: 00BD978F

Strings

*.*, xrefs: 00BD96F5

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction ID: 3802f2f8b2500d5cc324c8c7da13e69db583ed3d9f16f293c0f1980c314bbeae
Opcode Fuzzy Hash: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction Fuzzy Hash: 0331843254121D6ADF14AFB4ED49AEEBBECDF49321F1041A6E915E31A0EB30DD84CB64

Function 00BD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00BD9819
FindClose.KERNEL32(00000000), ref: 00BD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD9890
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD98B8
FindClose.KERNEL32(00000000), ref: 00BD98C5
FindClose.KERNEL32(00000000), ref: 00BD98D5

Part of subcall function 00BCDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BCDB00

Strings

*.*, xrefs: 00BD983B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction ID: 06acc43bdf9c90ac78a539326e5383b2bcfb94e433be96e5f94f689513cca1b1
Opcode Fuzzy Hash: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction Fuzzy Hash: 9A31953254061D6ADF14AFA4EC48AEEB7ECDF06760F1441A6E514A32A0EB31D984DB64

Function 00BEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00BEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEC382
RegCloseKey.ADVAPI32(00000000), ref: 00BEC38F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d78e6040271980a5d6011ee9248daa57a3fb1a56b51f0e49b11617c47e6308f9
Instruction ID: 781062b2849992882ec6afd5a9eff0a122259ff3536bb8d36b17e81eba50f3da
Opcode Fuzzy Hash: d78e6040271980a5d6011ee9248daa57a3fb1a56b51f0e49b11617c47e6308f9
Instruction Fuzzy Hash: 97025F716042409FD714DF29C895E2ABBE5EF49318F18C49DF84ADB2A2DB31EC46CB91

Function 00BD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8395

Strings

*.*, xrefs: 00BD839B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction ID: 846e28686d7d291e0eac49c05aa694f81e4a8ddc7ce4d3d0ecb6e323d9c34ecb
Opcode Fuzzy Hash: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction Fuzzy Hash: 3E616A725043459FCB10EF64C8409AEF7E8FF89320F0449AEF99997251EB35E949CB92

Function 00BCD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BCD1DD
MoveFileW.KERNEL32(?,?), ref: 00BCD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD237

Part of subcall function 00BCD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BCD21C,?,?), ref: 00BCD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BCD253
FindClose.KERNEL32(00000000), ref: 00BCD264

Strings

\*.*, xrefs: 00BCD0CD, 00BCD0D6, 00BCD0EB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction ID: 0f9df49f36ff4b1f5c8a01381ecf26534b93cb55c5bfb3b56a8ab6d3cdeb75ae
Opcode Fuzzy Hash: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction Fuzzy Hash: A8614A3580110DAACF15EBE0DA92EEDBBF9EF55340F2441A9E40277191EB34AF09DB60

Function 00BDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BDED91
EmptyClipboard.USER32 ref: 00BDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00BDEDAC
CloseClipboard.USER32 ref: 00BDEEA3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction ID: dea957120ca64b81f18dd9d7defb68b477c078336b303ca6975bb761bcee941b
Opcode Fuzzy Hash: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction Fuzzy Hash: BF417E35604651EFE720EF15D888B29BBE5EF44318F14C09AE4698F762DB75EC81CB90

Function 00BCE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

ExitWindowsEx.USER32(?,00000000), ref: 00BCE932

Strings

@, xrefs: 00BCE925
SeShutdownPrivilege, xrefs: 00BCE902
, xrefs: 00BCE95C
, xrefs: 00BCE920

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction ID: c97b96fc8b158dc47dd9723b14ebd420d51ab259cfc1121c6ea16d1b9bd82622
Opcode Fuzzy Hash: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction Fuzzy Hash: BF012B32610215EBEB5426789C8AFBF72DCD714740F1449A9F823E30D2DAF09C808294

Function 00BE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00BE1276
WSAGetLastError.WSOCK32 ref: 00BE1283
bind.WSOCK32(00000000,?,00000010), ref: 00BE12BA
WSAGetLastError.WSOCK32 ref: 00BE12C5
closesocket.WSOCK32(00000000), ref: 00BE12F4
listen.WSOCK32(00000000,00000005), ref: 00BE1303
WSAGetLastError.WSOCK32 ref: 00BE130D
closesocket.WSOCK32(00000000), ref: 00BE133C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction ID: 3e8fce062dff851083819e4196f7a228e2af60742076ff7a326a35dda1ef8cf3
Opcode Fuzzy Hash: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction Fuzzy Hash: 2E41AF31600140AFD710DF69C988B69BBE5EF46318F2885D8E9569F292C771EC85CBA1

Function 00B9B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9B9D4
_free.LIBCMT ref: 00B9B9F8
_free.LIBCMT ref: 00B9BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C03700), ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C31270,000000FF,?,0000003F,00000000,?), ref: 00B9BC36
_free.LIBCMT ref: 00B9BD4B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 98b07bab7bc53755d0d32c7a2496ff034d1182870a6655d934a332c8fd802cd8
Instruction ID: 2dfe8db50a76067e8526078fd07417971615579742c85864e5e6aca9b6134221
Opcode Fuzzy Hash: 98b07bab7bc53755d0d32c7a2496ff034d1182870a6655d934a332c8fd802cd8
Instruction Fuzzy Hash: 63C1E571904209AFDF24DF69AA41FAE7BF9EF41310F1841FAE89497291EB319E41C790

Function 00BCD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD481
FindClose.KERNEL32(00000000), ref: 00BCD498
FindClose.KERNEL32(00000000), ref: 00BCD4A1

Strings

\*.*, xrefs: 00BCD3F2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction ID: b1f783e2c30c718a8c620bd41616648644d91c5edbb044200b0da55fa938b894
Opcode Fuzzy Hash: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction Fuzzy Hash: 45318E310083459BC304EF64D9919AFBBE8EE92304F444AADF4D593291EB34AA09DB63

Function 00B9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B9E645

Strings

1#INF, xrefs: 00B9F852
1#SNAN, xrefs: 00B9F844
1#IND, xrefs: 00B9F83D
1#QNAN, xrefs: 00B9F84B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction ID: 02afb6e3410a8773bd34bb290138d20ae3f0a8f9b4045c9aaef4227ec5dd1c3f
Opcode Fuzzy Hash: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction Fuzzy Hash: 29C23771E086298BDF25CE289D807EAB7F5EB48315F1541FAD85DE7240E778AE818F40

Function 00BD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD64DC
CoInitialize.OLE32(00000000), ref: 00BD6639
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD6650
CoUninitialize.OLE32 ref: 00BD68D4

Strings

.lnk, xrefs: 00BD64BA, 00BD6524, 00BD65E0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction ID: 07a56de05b624f83f2ad96c9b11f03594df98d0e44711ade279a2f3ee5ec75e7
Opcode Fuzzy Hash: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction Fuzzy Hash: A9D14A71508205AFC304EF24C88196BB7E9FF94708F1049ADF5958B2A1EB71ED49CBA2

Function 00BE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BE22E8

Part of subcall function 00BDE4EC: GetWindowRect.USER32(?,?), ref: 00BDE504

GetDesktopWindow.USER32 ref: 00BE2312
GetWindowRect.USER32(00000000), ref: 00BE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BE2355
GetCursorPos.USER32(?), ref: 00BE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BE23DF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction ID: 96217207541fb0085d242e9517a1ce0bfddb6af096d6f299531065162ddbfde8
Opcode Fuzzy Hash: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction Fuzzy Hash: 0631DE72504345AFC720DF15C845B6BBBEAFB84310F000A1AF89497181DB34EA48CB92

Function 00BD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BD9C8B

Part of subcall function 00BD3874: GetInputState.USER32 ref: 00BD38CB
Part of subcall function 00BD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BD9C75

Strings

*.*, xrefs: 00BD9B5D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction ID: e1001d0b5d2441cb800aa8c685cc667bc2df7401fd477690f0c80b33cfe5a64d
Opcode Fuzzy Hash: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction Fuzzy Hash: 8841537194420EAFDF15DF64C985AEEBBF8EF05310F244196E405A32A1EB319E84DF60

Function 00B7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B79A4E
GetSysColor.USER32(0000000F), ref: 00B79B23
SetBkColor.GDI32(?,00000000), ref: 00B79B36

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction ID: 450c7bb0fc26557edde3a87d9b36edff64e8fbdec65a79a283d1d9f94e9dd02d
Opcode Fuzzy Hash: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction Fuzzy Hash: 12A13570249508AFE728AA3D8C88FBF2ADDDB82300F2581C9F526C7695CE619D01D372

Function 00BE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE185D
WSAGetLastError.WSOCK32 ref: 00BE1884
bind.WSOCK32(00000000,?,00000010), ref: 00BE18DB
WSAGetLastError.WSOCK32 ref: 00BE18E6
closesocket.WSOCK32(00000000), ref: 00BE1915

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction ID: 4107e7c7a7625050523983100a3cd2d36c6cfa52e82e956699904ca042a66d36
Opcode Fuzzy Hash: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction Fuzzy Hash: 5851B275A002009FD710AF24C896F7A77E5EB44718F1884D8F95A9F393CB75AD41CBA1

Function 00BF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BF1CC0
IsWindowEnabled.USER32 ref: 00BF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BF1CDB
IsIconic.USER32 ref: 00BF1CE9
IsZoomed.USER32 ref: 00BF1CF7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction ID: a6149eaed73ab25ff5986cc59745079c4f4789642eec689b994b0aa696b0c797
Opcode Fuzzy Hash: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction Fuzzy Hash: D72194317402189FD7208F1ED884B767BE5EF95314B1988A8E945CF351CB71DC4ACB90

Function 00B68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00B6813C
VUUU, xrefs: 00B683E8
VUUU, xrefs: 00BA5DF0
VUUU, xrefs: 00B6843C
VUUU, xrefs: 00B683FA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction ID: c9ab7858ab5eb2e8573949feb7aec456f32d056d485054044b06adb50f09d949
Opcode Fuzzy Hash: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction Fuzzy Hash: D8A24C71A0461ACBDF34CF58C8807ADB7F1FB55314F2482EAE855A7285EB749E81CB90

Function 00BCAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BCAAAC
SetKeyboardState.USER32(00000080), ref: 00BCAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BCAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BCAB88

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction ID: 55e9f83f6b31eea4c4731c1872742fff2bb012893d2a26f3d76b51b04e5aab66
Opcode Fuzzy Hash: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction Fuzzy Hash: 62310370A8020CAEFB359A68CC49FFA7BF6EB44328F04429EF581961D1D7758D85C762

Function 00BDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BDCE89
GetLastError.KERNEL32(?,00000000), ref: 00BDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00BDCEFE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction ID: 21b0e008b684adf23f8426bb1e659623be42867440a3cea896a703b0d12c34e8
Opcode Fuzzy Hash: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction Fuzzy Hash: 632190B15003069BD720DFA5C985BA7BBFCEB50354F1044AEE546D3251EB70ED48DB54

Function 00BC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BC82AA

Strings

(, xrefs: 00BC82F0
|, xrefs: 00BC82DA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction ID: cd0937ec0e3f1f3286a2820bbc1b0a619a647fccecdb1b187942583335d17b91
Opcode Fuzzy Hash: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction Fuzzy Hash: 8F322474A006059FCB28CF59C481E6AB7F0FF48710B15C5AEE49ADB7A1EB70E981CB54

Function 00BD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00BD5D17
FindClose.KERNEL32(?), ref: 00BD5D5F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction ID: ec3bddc853572c6aa82c59373408f77287ef1108d6e5fa641f619e49f32609ad
Opcode Fuzzy Hash: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction Fuzzy Hash: FD517A746046019FC724DF28C494EA6FBE5FF49314F1485AEE99A8B3A1DB30E944CBA1

Function 00B92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B92731

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction ID: e7ef3c6ae6936ef3fb0ba136dbb8ca79a1fdf124770022becde1f78f64052b17
Opcode Fuzzy Hash: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction Fuzzy Hash: 0D31C37491121CABCF21EF68D98879CBBF8AF08310F5041EAE41CA7260EB349F858F44

Function 00BD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BD5238
SetErrorMode.KERNEL32(00000000), ref: 00BD52A1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction ID: 45697b266bbed8c548c111d55dfade78b754bba9686d53372a7624593a33eacd
Opcode Fuzzy Hash: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction Fuzzy Hash: E1314B75A10518DFDB00DF94D884EADBBF4FF48314F048099E849AB3A2DB35E85ACB90

Function 00BC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80668
Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
GetLastError.KERNEL32 ref: 00BC174A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e0134b4cdbdcee9fd59006cc5e5211727d814bb6614a69da484bd4f8498ce00a
Instruction ID: 161fc92f2faf2b536b94c7cbbe043c59d0eecc097bce01653f0e23be54544a4c
Opcode Fuzzy Hash: e0134b4cdbdcee9fd59006cc5e5211727d814bb6614a69da484bd4f8498ce00a
Instruction Fuzzy Hash: 7B11C1B2400309FFD7289F68DCC6E7ABBF9EB04714B20856EE05693241EB70BC41CA24

Function 00BCD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BCD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD650

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction ID: 9e5570266ee72b423bb61c886a6d44300fa696df221290ef446ed8e4a9c2070c
Opcode Fuzzy Hash: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction Fuzzy Hash: B5113C75E05228BBDB108F999D45FAFBFBCEB45B50F108166F904E7290D6704A05CBA1

Function 00BC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC16A1
FreeSid.ADVAPI32(?), ref: 00BC16B1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction ID: 3f232d9a7ff76cb14c4eb3fc5a25eede0e6d63e213c429471962b5bf17516cad
Opcode Fuzzy Hash: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction Fuzzy Hash: F5F0F47195030DFBDB00DFF49D89EAEBBBCEB08604F5049A5E501E3181EB74AA449A54

Function 00B9C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B9C36C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e128e1f389bcc41b9c310b5fdf9215fccc34bb889d4c3d9da22a93f189c0f217
Instruction ID: bae05c5bba825962a38c4b59ea0ea54665b9c29a2f83c7c3814354623f389113
Opcode Fuzzy Hash: e128e1f389bcc41b9c310b5fdf9215fccc34bb889d4c3d9da22a93f189c0f217
Instruction Fuzzy Hash: F3411572900219AFCF249FB9DC89EBB7BF8EB84354F5042B9F905D7281E6709D818B54

Function 00BBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BBD28C

Strings

X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction ID: e40e4ccba7fb3e70d5935cd327355c7e068567a092ce9623ef601e640cc7dc07
Opcode Fuzzy Hash: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction Fuzzy Hash: 4AD0C9B480111DEBCB94CBA0DCC8DE9B7BCBF04345F104195F106A2000DB7495498F10

Function 00B8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4721ac9dbf9fea738e2bb59410ca960eb5300eeea12fc41919ea2b5993f36347
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9022CB1E002199BDF14DFA9C8806ADBBF1FF48314F2581AAD919E7390D730AE45CB94

Function 00BD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD6918
FindClose.KERNEL32(00000000), ref: 00BD6961

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction ID: d47419fe1dfd89771b89c43f2edfd6683c0b0f06145a76083391112eff65c1aa
Opcode Fuzzy Hash: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction Fuzzy Hash: AE1190316142019FC710DF69D498A26FBE5FF89328F14C69AE4698F3A2DB34EC45CB91

Function 00BD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37F4

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction ID: f7dd40965790d0438766163b78336542935fb23030463a7b24e35a2fb23e8598
Opcode Fuzzy Hash: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction Fuzzy Hash: 54F0E5B06052296AE72017668C4DFEB7AEEEFC5B61F0001A6F509E3281D9709D44C6B1

Function 00BCB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BCB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00BCB270

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction ID: 0ae93a5626d214616b734dc8bc388fe724c16cd31942d97eb3047aa6f584c9c1
Opcode Fuzzy Hash: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction Fuzzy Hash: 07F01D7180424DABDB059FA0C806BBE7FB4FF04305F008449F965AA191C7799655DF94

Function 00BC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 51b31669ce5e257a79d6e8988568329066259833dc6e76b9d74735c70b5e257e
Instruction ID: 7d6c8ec21f93348cc5946b43f2e306c4a6eea0ffd5469ed64d777cbc0286bbf9
Opcode Fuzzy Hash: 51b31669ce5e257a79d6e8988568329066259833dc6e76b9d74735c70b5e257e
Instruction Fuzzy Hash: 75E04F32008601AEE7252B21FC05E737BE9EF04310F10C86DF4A5814B1DF626CE0DB18

Function 00B6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BB0C40

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: d73c27538b78e5919828aca66e8149b2bdc3fa9a3eb7751a1902e283c5feb4ac
Instruction ID: 8edb92843887b353c4df61863509edfd3f544504acb670ef815904ad75bec719
Opcode Fuzzy Hash: d73c27538b78e5919828aca66e8149b2bdc3fa9a3eb7751a1902e283c5feb4ac
Instruction Fuzzy Hash: D9326C70910218DBCF14EF94C895AFEBBF5FF04304F1480A9E846AB292D779AD49CB60

Function 00B9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B96766,?,?,00000008,?,?,00B9FEFE,00000000), ref: 00B96998

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction ID: f65479bcdbb78743831e29474c54f0773bfd80066aef1ccd05e3da0d7066a8af
Opcode Fuzzy Hash: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction Fuzzy Hash: ACB12A316106099FDB19CF28C48AB657BE0FF45364F2586A9E899CF2A2C735E991CB40

Function 00B7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BB851F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction ID: 99e1a7ad360c0980c2858703d081952b4b75072a5b127634aeb6048db449e968
Opcode Fuzzy Hash: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction Fuzzy Hash: 1D124D759002299BCB24CF58C880BFEB7F9FF48710F14819AE859EB255DB749A81CF94

Function 00BDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BDEABD

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction ID: 4c8b3fe6e137eb95ac62165c05e32162644877b717a3381ee5248a37a609ee35
Opcode Fuzzy Hash: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction Fuzzy Hash: 64E048312102059FC710EF59D444D9AFBE9EF58760F008457FC49CB351DB74E8448B90

Function 00B809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B803EE), ref: 00B809DA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction ID: def020990cbccbadfad65955ebe5339d95faa1ba63fa53974f77520b3abc1cf9
Opcode Fuzzy Hash: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction Fuzzy Hash:

Function 00B8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B8798B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 604f760ad32741bf505ba461c7c7bc7f6228d3acbf347af20f6fff4c172bb15b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4F518A616CC605A7DB38B52A889DBBE27C9DB1234CF3805C9D886C72B2DE11DE01D352

Function 00B96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction ID: 5a13b5ddf974f91503e75dd440b02b21623b00ea61894b510d65c8584e11fde2
Opcode Fuzzy Hash: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction Fuzzy Hash: D232F421D79F014DDB239634CC663396689AFB73C5F16D737E81AB5AA6EF29C4838100

Function 00B7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction ID: 2bde3b97f17b8ea0c93448b7ee7501e1a4b22614d886172aec9aa2b28c45c5fa
Opcode Fuzzy Hash: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction Fuzzy Hash: 9C32F231A001498BDF39CE29C4D06FD7FE1EB45300F2885EED4AA9B696D6B4DD81DB81

Function 00B67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70423339f678426be7728137fcb6f7dfbe51094c24cc83808f7ec2a37147b661
Instruction ID: eecbcce771ee25419d8881cf7a261f61acaef317015b5abd9a2aba0ecd1c1405
Opcode Fuzzy Hash: 70423339f678426be7728137fcb6f7dfbe51094c24cc83808f7ec2a37147b661
Instruction Fuzzy Hash: 8922C470A0460ADFDF14CFA4C881BAEB3F5FF49304F2445A9E816A7291EB399E15CB54

Function 00B691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e74a0ce4c5c97d818e8f7da208b28bbca3bbc606de69f618fba8e3eeffd5c84
Instruction ID: 466ee13c983ec448c551b236999d771c207dbcf06ef7b9afba4681c5635c25ca
Opcode Fuzzy Hash: 9e74a0ce4c5c97d818e8f7da208b28bbca3bbc606de69f618fba8e3eeffd5c84
Instruction Fuzzy Hash: 7602B5B0E04206EBDB14DF54D881BAEB7F5FF45300F1081A9E816DB291EB35EA15CB95

Function 00B99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction ID: 5046e8efa85e9bfbc4ce4a479d7d6993edbfa50ad49c7190dfd43a3d23f8a020
Opcode Fuzzy Hash: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction Fuzzy Hash: EBB10520D2AF904DD7239639887133AB69CAFBB6D5F92D71BFC1674D72EB2185838140

Function 00B81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4b3f423485deba2eebd47f18c1bf825fc4af16a122c4a586f63b08f7aad1a92b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5791A97210A0A34ADB29563E847417DFFE5DA523A231A0FEDD4F2CA1E5FE10C956D720

Function 00B81F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 001e13c70ac2c54668ffe992fe6020efb3fd3e63435ce930e71acbe4f458df78
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F79175722090A34EEB69633D847803EFFE19A923A131A07DDD4F2DB1E5EE24C555E720

Function 00B819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 07a9b698cfb56c44e8ffe69022fd542ad59dc8afed20e1310dba686c93151962
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E91737220B0A34ADB2D567E857403DFFE99A923A131A0BDED4F2CA1E1FD24C556D720

Function 00B87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction ID: 11e3f5d73547f9a1074e6ce5af8e18877ffdba934b1a2aca47af071af0a76c5b
Opcode Fuzzy Hash: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction Fuzzy Hash: AF6168212C830997DA38BA2889E5BBE63D6DF5170CF3409D9E842DB2B1DE21DE42C755

Function 00B87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction ID: 7005ca1d47976b202de1766167191e09ddc0f15bbbd0a57e0944d4a0e770b88a
Opcode Fuzzy Hash: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction Fuzzy Hash: 36615BB16C870997DA38B9288895BBE23C8DF5274CF3419E9E842DB2B1DE11DD41C355

Function 00B81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bf8dad1d7f97ef9aaf2f9ac9583bc0cfb09003e8f939591053aadc98d047b5ee
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2581C87660A0A309DB2D523E847443EFFE59A923A131A0FDDD4F2CB1E1EE24C956D720

Function 00BD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction ID: c29b38aafecd6e2ea1d4a80c6955f4f5108efe1755982a229d4796361fa04613
Opcode Fuzzy Hash: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction Fuzzy Hash: 5B21A8326205118BDB28CF79C92377EB3E5A764310F15866EE4A7C37D0DE35A904C740

Function 00BE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BE2B30
DeleteObject.GDI32(00000000), ref: 00BE2B43
DestroyWindow.USER32 ref: 00BE2B52
GetDesktopWindow.USER32 ref: 00BE2B6D
GetWindowRect.USER32(00000000), ref: 00BE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2CF8
GetClientRect.USER32(00000000,?), ref: 00BE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D80
GlobalLock.KERNEL32(00000000), ref: 00BE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00BE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DA8
GlobalFree.KERNEL32(00000000), ref: 00BE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,00000000), ref: 00BE2DDB
GlobalFree.KERNEL32(00000000), ref: 00BE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE303F

Strings

AutoIt v3, xrefs: 00BE2CF2
, xrefs: 00BE2FC5
static, xrefs: 00BE2D3A, 00BE2E91
DISPLAY, xrefs: 00BE2EA2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction ID: 1b438a38889c78148e88a17f93639f4ca3d1348b2382b67763b4f26f061333d0
Opcode Fuzzy Hash: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction Fuzzy Hash: 2F028A71910209AFDB14DFA4CD89EAE7BF9EF48710F048198F915AB2A1DB74ED41CB60

Function 00BF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BF712F
GetSysColorBrush.USER32(0000000F), ref: 00BF7160
GetSysColor.USER32(0000000F), ref: 00BF716C
SetBkColor.GDI32(?,000000FF), ref: 00BF7186
SelectObject.GDI32(?,?), ref: 00BF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF71C0
GetSysColor.USER32(00000010), ref: 00BF71C8
CreateSolidBrush.GDI32(00000000), ref: 00BF71CF
FrameRect.USER32(?,?,00000000), ref: 00BF71DE
DeleteObject.GDI32(00000000), ref: 00BF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00BF7230
FillRect.USER32(?,?,?), ref: 00BF7262
GetWindowLongW.USER32(?,000000F0), ref: 00BF7284

Part of subcall function 00BF73E8: GetSysColor.USER32(00000012), ref: 00BF7421
Part of subcall function 00BF73E8: SetTextColor.GDI32(?,?), ref: 00BF7425
Part of subcall function 00BF73E8: GetSysColorBrush.USER32(0000000F), ref: 00BF743B
Part of subcall function 00BF73E8: GetSysColor.USER32(0000000F), ref: 00BF7446
Part of subcall function 00BF73E8: GetSysColor.USER32(00000011), ref: 00BF7463
Part of subcall function 00BF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
Part of subcall function 00BF73E8: SelectObject.GDI32(?,00000000), ref: 00BF7482
Part of subcall function 00BF73E8: SetBkColor.GDI32(?,00000000), ref: 00BF748B
Part of subcall function 00BF73E8: SelectObject.GDI32(?,?), ref: 00BF7498
Part of subcall function 00BF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
Part of subcall function 00BF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
Part of subcall function 00BF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 58dc5a7a4c7ee24eef7e85fa5dd2336a43953e2cab721a3a4947cfda1ea75d6d
Instruction ID: 49fbb7c9ae34901ee1dcfd7f4c2abcfe8a998779082d7de587ac5428db4a6278
Opcode Fuzzy Hash: 58dc5a7a4c7ee24eef7e85fa5dd2336a43953e2cab721a3a4947cfda1ea75d6d
Instruction Fuzzy Hash: F3A18F72008309AFD7009F64DD49E7A7BE9FB49320F100A59FA62A71A1DB71E989CB51

Function 00B78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BB6F43

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

SendMessageW.USER32(?,00001053), ref: 00BB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FB7

Strings

0, xrefs: 00BB6DCF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction ID: ea83692bbbb5e1444c95a915b3b254eff2d659dcf1b492109011a1ce34e96c4c
Opcode Fuzzy Hash: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction Fuzzy Hash: 54129C30605201EFDB25CF24C998BB9BBE5FB44310F1884A9E499CB261CB75EC92DB51

Function 00BE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BE2900
GetClientRect.USER32(00000000,?), ref: 00BE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BE2964
GetStockObject.GDI32(00000011), ref: 00BE2974
SelectObject.GDI32(00000000,00000000), ref: 00BE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE2991
DeleteDC.GDI32(00000000), ref: 00BE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BE2A77
GetStockObject.GDI32(00000011), ref: 00BE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BE2A97

Strings

AutoIt v3, xrefs: 00BE28F8
static, xrefs: 00BE294F, 00BE2A71
DISPLAY, xrefs: 00BE295A
msctls_progress32, xrefs: 00BE2A13

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction ID: 4ac21d7c651fd518bf3c08487b9a7635407a995dfc0b80e9eb73b99a156367a1
Opcode Fuzzy Hash: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction Fuzzy Hash: AFB16E71A50219AFEB14DF68CD89FAE7BB9EB08710F004155F915E72A0DB74ED40CBA0

Function 00BD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4AED
GetDriveTypeW.KERNEL32(?,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4BCA
SetErrorMode.KERNEL32(00000000,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4D36

Strings

RAMDisk, xrefs: 00BD4BF4
Virtual, xrefs: 00BD4CE5
USB, xrefs: 00BD4CB4
Removable, xrefs: 00BD4C10, 00BD4C15
SCSI, xrefs: 00BD4C8A
PhysicalDrive, xrefs: 00BD4B76
FileBackedVirtual, xrefs: 00BD4CEC
SAS, xrefs: 00BD4CC9
ATAPI, xrefs: 00BD4C91
ATA, xrefs: 00BD4C98
SATA, xrefs: 00BD4CD0
\\.\, xrefs: 00BD4B3F
SSA, xrefs: 00BD4CA6
iSCSI, xrefs: 00BD4CC2
SSD, xrefs: 00BD4C4A
Fixed, xrefs: 00BD4C09
Unknown, xrefs: 00BD4BED, 00BD4C83
RAID, xrefs: 00BD4CBB
MMC, xrefs: 00BD4CDE
Fibre, xrefs: 00BD4CAD
1394, xrefs: 00BD4C9F
CDROM, xrefs: 00BD4BFB
Network, xrefs: 00BD4C02

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction ID: 9db6e8ab3eb797e380fe12a45fa931bcad339738035de1ee020b085145006a47
Opcode Fuzzy Hash: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction Fuzzy Hash: A561AF30616109ABCB04DF24DAC1978F7F1EB44304B2884E7F806ABB91EB35ED41DB51

Function 00BF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BF7421
SetTextColor.GDI32(?,?), ref: 00BF7425
GetSysColorBrush.USER32(0000000F), ref: 00BF743B
GetSysColor.USER32(0000000F), ref: 00BF7446
CreateSolidBrush.GDI32(?), ref: 00BF744B
GetSysColor.USER32(00000011), ref: 00BF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
SelectObject.GDI32(?,00000000), ref: 00BF7482
SetBkColor.GDI32(?,00000000), ref: 00BF748B
SelectObject.GDI32(?,?), ref: 00BF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00BF7572
DrawFocusRect.USER32(?,?), ref: 00BF757D
GetSysColor.USER32(00000011), ref: 00BF758E
SetTextColor.GDI32(?,00000000), ref: 00BF7596
DrawTextW.USER32(?,00BF70F5,000000FF,?,00000000), ref: 00BF75A8
SelectObject.GDI32(?,?), ref: 00BF75BF
DeleteObject.GDI32(?), ref: 00BF75CA
SelectObject.GDI32(?,?), ref: 00BF75D0
DeleteObject.GDI32(?), ref: 00BF75D5
SetTextColor.GDI32(?,?), ref: 00BF75DB
SetBkColor.GDI32(?,?), ref: 00BF75E5

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8c9bcd10991a3c9b16cf48270a5d189e36245f43e046f9c7367946c9acf3c672
Instruction ID: c76f206bd528cd12ae29fb2638edbaa5cfd9196399fd904d37605b2b543f0ed1
Opcode Fuzzy Hash: 8c9bcd10991a3c9b16cf48270a5d189e36245f43e046f9c7367946c9acf3c672
Instruction Fuzzy Hash: 01615C7290421CAFDB019FA4DD49EEEBFB9EB08320F114155FA15BB2A1DB709980CB90

Function 00BF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF1128
GetDesktopWindow.USER32 ref: 00BF113D
GetWindowRect.USER32(00000000), ref: 00BF1144
GetWindowLongW.USER32(?,000000F0), ref: 00BF1199
DestroyWindow.USER32(?), ref: 00BF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BF1245
IsWindowVisible.USER32(00000000), ref: 00BF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BF12D0
GetWindowRect.USER32(00000000,?), ref: 00BF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00BF1328
CopyRect.USER32(?,?), ref: 00BF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BF13AA

Strings

(, xrefs: 00BF131B
0, xrefs: 00BF10D3
tooltips_class32, xrefs: 00BF11E6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction ID: f7c5db6dd904ab3d7eb41b8dd0d7962df1a5fc0471954f771a5abce72e38f9fc
Opcode Fuzzy Hash: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction Fuzzy Hash: C0B16A71608345EFD704DF68C984B6ABBE4EF84750F008D5CFA99AB261DB71E848CB91

Function 00BF0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF02E5
_wcslen.LIBCMT ref: 00BF031F
_wcslen.LIBCMT ref: 00BF0389
_wcslen.LIBCMT ref: 00BF03F1
_wcslen.LIBCMT ref: 00BF0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BF04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BF0504

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BC2258
Part of subcall function 00BC223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BC228A

Strings

GETTEXT, xrefs: 00BF03EC, 00BF0407
FINDITEM, xrefs: 00BF0627
DESELECT, xrefs: 00BF059C
SELECTINVERT, xrefs: 00BF057E
ISSELECTED, xrefs: 00BF04DD
GETSELECTED, xrefs: 00BF05E1
VIEWCHANGE, xrefs: 00BF0675
SELECT, xrefs: 00BF0548
SELECTCLEAR, xrefs: 00BF052D
GETITEMCOUNT, xrefs: 00BF0316, 00BF0337
GETSELECTEDCOUNT, xrefs: 00BF0470, 00BF048B
GETSUBITEMCOUNT, xrefs: 00BF0384, 00BF039F
SELECTALL, xrefs: 00BF0515

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 021274a3ac8b856c91ebbada0bcc08ffb1e50210b7f8ff459f316f6f2e9baaa9
Instruction ID: dc5822af7e73e2b60c7665af73607aedaa56ad8c5222b232f10bf309008eaec5
Opcode Fuzzy Hash: 021274a3ac8b856c91ebbada0bcc08ffb1e50210b7f8ff459f316f6f2e9baaa9
Instruction Fuzzy Hash: A9E1B1312282059FCB14EF24C59093AB7E6FF98314B1446ADF9969B7B2DB30ED49CB41

Function 00B78891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B78968
GetSystemMetrics.USER32(00000007), ref: 00B78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B7899B
GetSystemMetrics.USER32(00000008), ref: 00B789A3
GetSystemMetrics.USER32(00000004), ref: 00B789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B78A5A
GetStockObject.GDI32(00000011), ref: 00B78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B78A81

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

SetTimer.USER32(00000000,00000000,00000028,00B790FC), ref: 00B78AA8

Strings

InitializeCriticalSectionEx, xrefs: 00BB67BA
AutoIt v3 GUI, xrefs: 00B78A20

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$InitializeCriticalSectionEx
API String ID: 1458621304-260769550
Opcode ID: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction ID: 52d852041fc21f473dfb0a22a678a7ca8fed55448d428f3e5a61b9741d040ecd
Opcode Fuzzy Hash: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction Fuzzy Hash: DDB16B71A00209AFDB14DFA8CD89BFE3BF5FB48314F158169FA19A7290DB74A840CB51

Function 00BC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0E29
GetLengthSid.ADVAPI32(?), ref: 00BC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0E96
GetLengthSid.ADVAPI32(?), ref: 00BC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0EDD
CopySid.ADVAPI32(00000000), ref: 00BC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F6E
HeapFree.KERNEL32(00000000), ref: 00BC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F7E
HeapFree.KERNEL32(00000000), ref: 00BC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F8E
HeapFree.KERNEL32(00000000), ref: 00BC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0FA1
HeapFree.KERNEL32(00000000), ref: 00BC0FA8

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction ID: 7a20f3b2ac873d0bc491dfa7fc784f56200633f1154fb1feef9224be3ee7a670
Opcode Fuzzy Hash: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction Fuzzy Hash: C5715A7290020AEBDF20AFA4DD48FAEBBB8FF05300F144199F919E7191DB319A55CB60

Function 00BEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BFCC08,00000000,?,00000000,?,?), ref: 00BEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BEC5A4
_wcslen.LIBCMT ref: 00BEC5F4
_wcslen.LIBCMT ref: 00BEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BEC84D
RegCloseKey.ADVAPI32(?), ref: 00BEC881
RegCloseKey.ADVAPI32(00000000), ref: 00BEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BEC960

Strings

REG_SZ, xrefs: 00BEC644
REG_EXPAND_SZ, xrefs: 00BEC5CD
REG_DWORD, xrefs: 00BEC804
REG_QWORD, xrefs: 00BEC8C3
REG_MULTI_SZ, xrefs: 00BEC6F5
REG_BINARY, xrefs: 00BEC913

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 17ec39f882829458e5089ddaa1ee6b2988feeb892aa448cea688e4e88278bdf6
Instruction ID: 8a9d08f2768952418015cc9c743438067ebfff396f8616379787dd996bcf813c
Opcode Fuzzy Hash: 17ec39f882829458e5089ddaa1ee6b2988feeb892aa448cea688e4e88278bdf6
Instruction Fuzzy Hash: 25127A356042419FD714DF25C891A2ABBE5FF88714F14889DF88A9B3A2DB35FD42CB81

Function 00BF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF09C6
_wcslen.LIBCMT ref: 00BF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF0A54
_wcslen.LIBCMT ref: 00BF0A8A
_wcslen.LIBCMT ref: 00BF0B06
_wcslen.LIBCMT ref: 00BF0B81

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BC2BFA

Strings

GETTEXT, xrefs: 00BF0C97
GETITEMCOUNT, xrefs: 00BF0C1E
ISCHECKED, xrefs: 00BF0CE1
COLLAPSE, xrefs: 00BF0B01, 00BF0B1C
EXPAND, xrefs: 00BF0BF8
GETTOTALCOUNT, xrefs: 00BF09F2, 00BF0A17
EXISTS, xrefs: 00BF0B7C, 00BF0B97
GETSELECTED, xrefs: 00BF0C4E
CHECK, xrefs: 00BF0A85, 00BF0AA0
UNCHECK, xrefs: 00BF0D3E
SELECT, xrefs: 00BF0D11

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction ID: f490d7ab301cce3437eb8fd7ac08333ec8b17bec0a3aee3979abfe7d53d3c590
Opcode Fuzzy Hash: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction Fuzzy Hash: C8E17B352183058FCB14EF24C49093AB7E1FF98314B14899DF99A9B762DB30ED49CB81

Function 00BEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKCR, xrefs: 00BECB29, 00BECB2E
HKCU, xrefs: 00BECBCE
HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67
HKEY_USERS, xrefs: 00BECBDF
HKEY_CURRENT_USER, xrefs: 00BECBBD
HKLM, xrefs: 00BECA98, 00BECA9D
HKU, xrefs: 00BECBF0
HKCC, xrefs: 00BECBAC
HKEY_CURRENT_CONFIG, xrefs: 00BECB79, 00BECB7E
HKEY_CLASSES_ROOT, xrefs: 00BECAF3, 00BECAF8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction ID: bc92e83746bbf64929cedc6a4046ffa3949817970c9f381fe283d88a96c409cf
Opcode Fuzzy Hash: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction Fuzzy Hash: 707108326001AA8BCF20DE7ED9815BE3BE5EF60754B2512B4F86697294E735CD46C390

Function 00BF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF835A
_wcslen.LIBCMT ref: 00BF836E
_wcslen.LIBCMT ref: 00BF8391
_wcslen.LIBCMT ref: 00BF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BF5BF2), ref: 00BF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8501
FreeLibrary.KERNEL32(?), ref: 00BF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BF851D
DestroyIcon.USER32(?,?,?,?,?,00BF5BF2), ref: 00BF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BF8555

Strings

.dll, xrefs: 00BF83AB
.exe, xrefs: 00BF8388
.icl, xrefs: 00BF8368

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction ID: 5e4449e03b03f5067fc948f130650cf302e73759625b37c598727ca7338a54b1
Opcode Fuzzy Hash: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction Fuzzy Hash: 9561DE7150021ABEEB14DF64CC82BBE7BA8FB14710F10468AF915DB1E1DF74A994CBA0

Function 00B67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00B67817
', xrefs: 00BA5169
#notrayicon, xrefs: 00B677E7
#include, xrefs: 00B67847
#comments-end, xrefs: 00B678D9
#include-once, xrefs: 00B6782F
#pragma compile, xrefs: 00B677D3
#cs, xrefs: 00B67873, 00B678C5
#comments-start, xrefs: 00B6785F, 00B678B1
Bad directive syntax error, xrefs: 00BA519A
Unterminated group of comments, xrefs: 00BA528C
#requireadmin, xrefs: 00B677FF
#ce, xrefs: 00B678ED
Cannot parse #include, xrefs: 00BA5279
", xrefs: 00BA5153

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2470e787992356fa320e74f6317d634f937f02014001b2aa3e1cce4fcabd84fb
Instruction ID: cc20e234a9ea55484877ed2fb71a39c5150e8d31881617ab6e667514f6f7cfa1
Opcode Fuzzy Hash: 2470e787992356fa320e74f6317d634f937f02014001b2aa3e1cce4fcabd84fb
Instruction Fuzzy Hash: 7381C171684209ABDB20AF64CC82FBE37E8EF15304F1440E4F905AB1A6EB749A45C7A5

Function 00BD3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BD3EF8
_wcslen.LIBCMT ref: 00BD3F03
_wcslen.LIBCMT ref: 00BD3F5A
_wcslen.LIBCMT ref: 00BD3F98
GetDriveTypeW.KERNEL32(?), ref: 00BD3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4087

Strings

closed, xrefs: 00BD3F08, 00BD3F2D, 00BD3F46, 00BD3F7E, 00BD3F97
open, xrefs: 00BD3F54, 00BD3F59
open , xrefs: 00BD3FE5
type cdaudio alias cd wait, xrefs: 00BD4001
close, xrefs: 00BD3EFE, 00BD3F18
wait, xrefs: 00BD4044
set cd door , xrefs: 00BD4028
close cd wait, xrefs: 00BD4072

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction ID: 38a2c30cc63a4c4a2696494c8c6b8f906050ee792b0a530e82f39f569406c329
Opcode Fuzzy Hash: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction Fuzzy Hash: 6B71F2726042169FC710EF24C88186AF7F4EF94758F1049AEF89697351EB34ED45CB92

Function 00BC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BC5A40
SetWindowTextW.USER32(?,?), ref: 00BC5A57
GetDlgItem.USER32(?,000003EA), ref: 00BC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BC5A72
GetDlgItem.USER32(?,000003E9), ref: 00BC5A82
SetWindowTextW.USER32(00000000,?), ref: 00BC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BC5AC3
GetWindowRect.USER32(?,?), ref: 00BC5ACC
_wcslen.LIBCMT ref: 00BC5B33
SetWindowTextW.USER32(?,?), ref: 00BC5B6F
GetDesktopWindow.USER32 ref: 00BC5B75
GetWindowRect.USER32(00000000), ref: 00BC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BC5BD3
GetClientRect.USER32(?,?), ref: 00BC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BC5C2F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction ID: dcb54ff35199f2f16dffb254b4a92b8fc6a62a5c6702f7f767401f369ed094bc
Opcode Fuzzy Hash: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction Fuzzy Hash: 22711A31900A09AFDB20DFA9CE85FAEBBF5EB48704F10455CE546A35A0DB75BD84CB50

Function 00BDFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BDFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00BDFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00BDFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00BDFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00BDFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00BDFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00BDFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00BDFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00BDFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00BDFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00BDFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00BDFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00BDFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00BDFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00BDFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00BDFECC
GetCursorInfo.USER32(?), ref: 00BDFEDC
GetLastError.KERNEL32 ref: 00BDFF1E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction ID: 56c9844f893bb87033c82da5311713e574005a04de0079d135737e5f99e25a49
Opcode Fuzzy Hash: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction Fuzzy Hash: 644124B0D0931AAADB109FBA8C8586EBFE8FF04754B50456AE11DE7281DB789901CF91

Function 00B800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B800C6

Part of subcall function 00B800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C3070C,00000FA0,389B18A8,?,?,?,?,00BA23B3,000000FF), ref: 00B8011C
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80127
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80138
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B8014E
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B8015C
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B8016A
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B80195
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B801A0

___scrt_fastfail.LIBCMT ref: 00B800E7

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

Strings

WakeAllConditionVariable, xrefs: 00B80162
SleepConditionVariableCS, xrefs: 00B80154
InitializeConditionVariable, xrefs: 00B80148
kernel32.dll, xrefs: 00B80133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B80122

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction ID: 97a3f3e0a058ea0c0185dbb1f912e6f3a4c54a10533cd9c54530bc026c974fd9
Opcode Fuzzy Hash: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction Fuzzy Hash: 5521F53365470A6BE7507B64AC49B3D76D4DF06BA0F1001B9F905B32B1DF609844CB94

Function 00BC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC318D
_wcslen.LIBCMT ref: 00BC31F8

Strings

NAME, xrefs: 00BC3335, 00BC3346
TEXT, xrefs: 00BC347C
INSTANCE, xrefs: 00BC3453
CLASS, xrefs: 00BC3188, 00BC31A5
REGEXPCLASS, xrefs: 00BC3255, 00BC3266
CLASSNN, xrefs: 00BC31F3, 00BC3204

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction ID: c728bf71f633bb521140366b49d2d2fff210435b034310894740503f688535df
Opcode Fuzzy Hash: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction Fuzzy Hash: BCE18331A005169BCF189FA8C491BEEBBE4FF54B10F94C1ADE456F7250DB30AE859790

Function 00BD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BFCC08), ref: 00BD4527
_wcslen.LIBCMT ref: 00BD453B
_wcslen.LIBCMT ref: 00BD4599
_wcslen.LIBCMT ref: 00BD45F4
_wcslen.LIBCMT ref: 00BD463F
_wcslen.LIBCMT ref: 00BD46A7

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

GetDriveTypeW.KERNEL32(?,00C26BF0,00000061), ref: 00BD4743

Strings

fixed, xrefs: 00BD4635, 00BD463A
all, xrefs: 00BD4531, 00BD4536
cdrom, xrefs: 00BD458F, 00BD4594
removable, xrefs: 00BD45EA, 00BD45EF
ramdisk, xrefs: 00BD46F1
network, xrefs: 00BD469D, 00BD46A2
unknown, xrefs: 00BD4708

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction ID: d8e071243d06fe6be01191e69bbe35beeb4de87875279bc18ddfdf595d76c00d
Opcode Fuzzy Hash: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction Fuzzy Hash: 2FB1AD716083029FC710DF28D890A6AF7E5EFA5764F5049AEF49A87391E730D844CBA2

Function 00BE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BFCC08), ref: 00BE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BFCC08), ref: 00BE40F2
FreeLibrary.KERNEL32(00000000,?,00BFCC08), ref: 00BE413E
StringFromGUID2.OLE32(?,?,00000028,?,00BFCC08), ref: 00BE41A8
SysFreeString.OLEAUT32(00000009), ref: 00BE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BE42C8
SysFreeString.OLEAUT32(?), ref: 00BE42F2

Strings

GetModuleHandleExW, xrefs: 00BE40C7
kernel32.dll, xrefs: 00BE40B6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction ID: d750eceddc63f7eb2de1589928ddef5f12008970e75d3c534a8b935574038afb
Opcode Fuzzy Hash: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction Fuzzy Hash: 98125C75A00159EFDB14DF95C884EAEBBF9FF45314F248098E905AB251CB31ED86CBA0

Function 00B6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C31990), ref: 00BA2F8D
GetMenuItemCount.USER32(00C31990), ref: 00BA303D
GetCursorPos.USER32(?), ref: 00BA3081
SetForegroundWindow.USER32(00000000), ref: 00BA308A
TrackPopupMenuEx.USER32(00C31990,00000000,?,00000000,00000000,00000000), ref: 00BA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BA30A9

Strings

0, xrefs: 00B6327D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction ID: 4c277ed7251c99af30be6711ad1839dccce98079379d6e21d775da293be8a8c1
Opcode Fuzzy Hash: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction Fuzzy Hash: 39711970648205BEEB258F28CC89FAABFE4FF05724F204296F5156B1E0C7B5A954DB90

Function 00BF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BF6DEB

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6E94
DestroyWindow.USER32(?), ref: 00BF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6EFD
GetDesktopWindow.USER32 ref: 00BF6F16
GetWindowRect.USER32(00000000), ref: 00BF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BF6F4D

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Strings

tooltips_class32, xrefs: 00BF6E58, 00BF6EDD
0, xrefs: 00BF6D98

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction ID: b36a28470a82cccfd5bbdafd4fae0b6cc43c1dfe2d9774cff19ca81e3649ed62
Opcode Fuzzy Hash: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction Fuzzy Hash: 8F715675104348AFDB21CF18D844BBABBE9FB89304F08495DFA9987261CB70AD4ADB11

Function 00BF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DragQueryPoint.SHELL32(?,?), ref: 00BF9147

Part of subcall function 00BF7674: ClientToScreen.USER32(?,?), ref: 00BF769A
Part of subcall function 00BF7674: GetWindowRect.USER32(?,?), ref: 00BF7710
Part of subcall function 00BF7674: PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00BF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9277
DragFinish.SHELL32(?), ref: 00BF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BF9371

Strings

@GUI_DRAGID, xrefs: 00BF92E9
@GUI_DRAGFILE, xrefs: 00BF9320
@GUI_DROPID, xrefs: 00BF929E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction ID: 5f5594649756cc1d1396499d132d371f2fee20a2ee0116df104b3d3219a25de2
Opcode Fuzzy Hash: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction Fuzzy Hash: 06617B71108305AFD701DF64DD85EAFBBE8EF88750F00096EF695931A1DB709A49CB52

Function 00BDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC5F0
InternetCloseHandle.WININET(00000000), ref: 00BDC5FB

Strings

, xrefs: 00BDC575

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction ID: bdde50084b292b0f1f387848384df2a3f0bfe00ac6dbbc5476fd8b5518f0c1e9
Opcode Fuzzy Hash: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction Fuzzy Hash: EF515AB150020ABFDB219F60D989ABBBFFCFB18744F00445AF94697210EB30E944DB60

Function 00BF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00BF8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85BA
GlobalLock.KERNEL32(00000000), ref: 00BF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00BF85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00BF85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00BFFC38,?), ref: 00BF8611
GlobalFree.KERNEL32(00000000), ref: 00BF8621
GetObjectW.GDI32(?,00000018,?), ref: 00BF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BF8671
DeleteObject.GDI32(?), ref: 00BF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BF86AF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction ID: cf8d626c54c4239c89a7fe56677ce23052ba4648d55510651f6377527985e75a
Opcode Fuzzy Hash: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction Fuzzy Hash: FC41F875600208BFDB11DFA5DD88EBA7BB8EF89B55F104058F905EB260DB309D45DB60

Function 00BD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00BD1502
VariantCopy.OLEAUT32(?,?), ref: 00BD150B
VariantClear.OLEAUT32(?), ref: 00BD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00BD1657
VariantInit.OLEAUT32(?), ref: 00BD1708
SysFreeString.OLEAUT32(?), ref: 00BD178C
VariantClear.OLEAUT32(?), ref: 00BD17D8
VariantClear.OLEAUT32(?), ref: 00BD17E7
VariantInit.OLEAUT32(00000000), ref: 00BD1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00BD1625
Default, xrefs: 00BD16AF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d0285acacf342c3211be4266f5a061bd515d6cc85474449522e3fad810542fa3
Instruction ID: b010d487acfb64268e93db804ca526d8e3279e9cc726d059d92d5c4802d7b0a7
Opcode Fuzzy Hash: d0285acacf342c3211be4266f5a061bd515d6cc85474449522e3fad810542fa3
Instruction Fuzzy Hash: B6D1CC71A00505EBDB109F69E885B79F7F5FF45704F1088E6E406AB290EB38EC45DB62

Function 00BEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00BEB80A
RegCloseKey.ADVAPI32(?), ref: 00BEB87E
RegCloseKey.ADVAPI32(?), ref: 00BEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BEB922
FreeLibrary.KERNEL32(00000000), ref: 00BEB983
RegCloseKey.ADVAPI32(00000000), ref: 00BEB994

Strings

RegDeleteKeyExW, xrefs: 00BEB8FE
advapi32.dll, xrefs: 00BEB8ED

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction ID: 6703167818452e5f8b681d648ccc242fded752a270b92f630bd77d2be05a0bb3
Opcode Fuzzy Hash: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction Fuzzy Hash: 52C18934208281AFD710DF25C495F2ABBE5FF84308F14859CE49A8B7A2CB75ED46CB91

Function 00BE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BE25E8
CreateCompatibleDC.GDI32(?), ref: 00BE25F4
SelectObject.GDI32(00000000,?), ref: 00BE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BE26D0
SelectObject.GDI32(?,?), ref: 00BE26D8
DeleteObject.GDI32(?), ref: 00BE26E1
DeleteDC.GDI32(?), ref: 00BE26E8
ReleaseDC.USER32(00000000,?), ref: 00BE26F3

Strings

(, xrefs: 00BE268D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 00b75a0c109cdc2d63e07d71faecc0ebbaeb3445eb3a7eb44f4a8b4809bd7238
Instruction ID: 6a41e0af216bcd2845d06204222d27b7b5ae54753f2e26e065b2969cbe6eaa99
Opcode Fuzzy Hash: 00b75a0c109cdc2d63e07d71faecc0ebbaeb3445eb3a7eb44f4a8b4809bd7238
Instruction Fuzzy Hash: 5A61C075D00219EFCF04CFA8D984AAEBBF9FF48310F248569E955A7250D770A951CF50

Function 00B9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B9DAA1

Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D659
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D66B
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D67D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D68F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6A1
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6B3
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6C5
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6D7
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6E9
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6FB
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D70D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D71F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D731

_free.LIBCMT ref: 00B9DA96

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9DAB8
_free.LIBCMT ref: 00B9DACD
_free.LIBCMT ref: 00B9DAD8
_free.LIBCMT ref: 00B9DAFA
_free.LIBCMT ref: 00B9DB0D
_free.LIBCMT ref: 00B9DB1B
_free.LIBCMT ref: 00B9DB26
_free.LIBCMT ref: 00B9DB5E
_free.LIBCMT ref: 00B9DB65
_free.LIBCMT ref: 00B9DB82
_free.LIBCMT ref: 00B9DB9A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction ID: 57a75b513357fd144cf34a461a6d2d62a15299e3d09b27498330ce3485c1d5ba
Opcode Fuzzy Hash: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction Fuzzy Hash: 84314971A04305AFEF21AB3AE845B5AB7E9FF10320F5544B9E549D7291DF31AC90CB60

Function 00BC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BC369C
_wcslen.LIBCMT ref: 00BC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BC3797
GetClassNameW.USER32(?,?,00000400), ref: 00BC380C
GetDlgCtrlID.USER32(?), ref: 00BC385D
GetWindowRect.USER32(?,?), ref: 00BC3882
GetParent.USER32(?), ref: 00BC38A0
ScreenToClient.USER32(00000000), ref: 00BC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BC395D

Strings

%s%u, xrefs: 00BC3734

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction ID: 0a662418cb9910609298a9c48058cbcb8780fd87313954375e2a878c4f0ce010
Opcode Fuzzy Hash: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction Fuzzy Hash: 6491AF71204606AFDB18DF24C885FAAF7E8FF44750F40856DF99AD3190DB70AA45CB91

Function 00BC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BC49DA
_wcslen.LIBCMT ref: 00BC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BC49F7
_wcsstr.LIBVCRUNTIME ref: 00BC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BC4B20
GetWindowRect.USER32(?,?), ref: 00BC4B8B

Strings

ThumbnailClass, xrefs: 00BC4A6F, 00BC4AF1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction ID: 37c9ef074b078e9307f6b2a8dc1c1c3c36836a7c4ed69cdb2fe3d8dc6515a5cf
Opcode Fuzzy Hash: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction Fuzzy Hash: 72919D71108209AFDB14DF14C995FAA7BE8EF44314F0484ADFD859B1A6DB30EE45CBA1

Function 00BF8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF8D5A
GetFocus.USER32 ref: 00BF8D6A
GetDlgCtrlID.USER32(00000000), ref: 00BF8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00BF8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BF8ECF
GetMenuItemCount.USER32(?), ref: 00BF8EEC
GetMenuItemID.USER32(?,00000000), ref: 00BF8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BF8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BF8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BF8FA1

Strings

0, xrefs: 00BF8E9F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 0d2f824b8e1cadf790392677a3af9cc0045d9e5b7371dc2c4c7780fe5a468c95
Instruction ID: 8f377a3e8a9800d634c1b23e83fcf655d1b6cf7693768c2d9d08f288891e7fe0
Opcode Fuzzy Hash: 0d2f824b8e1cadf790392677a3af9cc0045d9e5b7371dc2c4c7780fe5a468c95
Instruction Fuzzy Hash: DC81AF71508309AFDB10CF14D885ABB7BE9FF98314F1409ADFA9497291DB30D948CBA1

Function 00BCBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C31990,000000FF,00000000,00000030), ref: 00BCBFAC
SetMenuItemInfoW.USER32(00C31990,00000004,00000000,00000030), ref: 00BCBFE1
Sleep.KERNEL32(000001F4), ref: 00BCBFF3
GetMenuItemCount.USER32(?), ref: 00BCC039
GetMenuItemID.USER32(?,00000000), ref: 00BCC056
GetMenuItemID.USER32(?,-00000001), ref: 00BCC082
GetMenuItemID.USER32(?,?), ref: 00BCC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BCC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC145

Strings

0, xrefs: 00BCBF3D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0291c6ebd69301935fc82ca6e9be97df136015b77617263742dd4c7ef345b1d5
Instruction ID: 28c0d7886eb05e668a3ea4087a510ee2bcf8daa64c02a8cf68daa55645b942d4
Opcode Fuzzy Hash: 0291c6ebd69301935fc82ca6e9be97df136015b77617263742dd4c7ef345b1d5
Instruction Fuzzy Hash: 44617BB090024AAFDF11CF64DD89FBE7FE8EB25344F144099E859A3291CB35AD45CB60

Function 00BCDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BCDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BCDC46
_wcslen.LIBCMT ref: 00BCDC50
_wcsstr.LIBVCRUNTIME ref: 00BCDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BCDCBC

Strings

DefaultLangCodepage, xrefs: 00BCDD1F
\VarFileInfo\Translation, xrefs: 00BCDCB4
StringFileInfo\, xrefs: 00BCDC8F
%u.%u.%u.%u, xrefs: 00BCDD9A
04090000, xrefs: 00BCDCF2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 632d73d05a9a6f99ddb9683c53f322c6b1b444afa07bae2402b4421d6275ed7a
Instruction ID: a7cbc4b78683386f6db56293fedd3c2e7ec8487f2b05c70fed5d813b481da3ca
Opcode Fuzzy Hash: 632d73d05a9a6f99ddb9683c53f322c6b1b444afa07bae2402b4421d6275ed7a
Instruction Fuzzy Hash: 5241EE369402197ADB10BB649C43EBF7BECEF41710F1440FAF905A71A2EA649901E7A9

Function 00BECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD48

Part of subcall function 00BECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BECCAA
Part of subcall function 00BECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BECCBD
Part of subcall function 00BECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BECCCF
Part of subcall function 00BECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD05
Part of subcall function 00BECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BECCF3

Strings

RegDeleteKeyExW, xrefs: 00BECCC9
advapi32.dll, xrefs: 00BECCB8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction ID: 27e5ab802335025db3c95aba6cad8122f5cc05c2737dbfe5d13e6fae390e326f
Opcode Fuzzy Hash: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction Fuzzy Hash: F9316E7190112DBBDB208B65DC88EFFBFBCEF55750F1041B5A906E3240DB349A86DAA0

Function 00BD3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BD3D40
_wcslen.LIBCMT ref: 00BD3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BD3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00BD3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BD3E55
CloseHandle.KERNEL32(00000000), ref: 00BD3E60
CloseHandle.KERNEL32(00000000), ref: 00BD3E6B

Strings

\, xrefs: 00BD3D77
:, xrefs: 00BD3D82
\??\%s, xrefs: 00BD3D5B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction ID: bcaf2bba3ea48977bd45f4e33fee99229993a83f452359c4b44add3dc6192e28
Opcode Fuzzy Hash: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction Fuzzy Hash: 35318C7290020AAADB209FA0DC49FEB77F9EF88B40F1040B6F50997161EB709784CB25

Function 00BCE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BCE6B4

Part of subcall function 00B7E551: timeGetTime.WINMM(?,?,00BCE6D4), ref: 00B7E555

Sleep.KERNEL32(0000000A), ref: 00BCE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BCE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BCE727
SetActiveWindow.USER32 ref: 00BCE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BCE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BCE773
Sleep.KERNEL32(000000FA), ref: 00BCE77E
IsWindow.USER32 ref: 00BCE78A
EndDialog.USER32(00000000), ref: 00BCE79B

Strings

BUTTON, xrefs: 00BCE719

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction ID: dc28bba8e1343ebfa98157170e139c23c78aa59cf18839b2481e3e4fd162253f
Opcode Fuzzy Hash: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction Fuzzy Hash: BE216DB1210A08EFEB005F21ED8AF3A3FA9EB54748B105469F925C31B1DF71EC50CA64

Function 00BCE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BCEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BCEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BCEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BCEAA7

Strings

play PlayMe, xrefs: 00BCEAA2
status PlayMe mode, xrefs: 00BCEA58
close PlayMe, xrefs: 00BCEA6E, 00BCEA9B
open , xrefs: 00BCEA0C
play PlayMe wait, xrefs: 00BCEA91
alias PlayMe, xrefs: 00BCEA36

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction ID: f7e86c7d370909a048b63aaabd87f79ceaf36342c84149c50ada864687ac4a4d
Opcode Fuzzy Hash: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction Fuzzy Hash: 54112131A90269BDD720B7A5ED4AEFF6AFCEBD2B40F440479B411A20D1EEB05945C9B0

Function 00BC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BCA012
SetKeyboardState.USER32(?), ref: 00BCA07D
GetAsyncKeyState.USER32(000000A0), ref: 00BCA09D
GetKeyState.USER32(000000A0), ref: 00BCA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00BCA0E3
GetKeyState.USER32(000000A1), ref: 00BCA0F4
GetAsyncKeyState.USER32(00000011), ref: 00BCA120
GetKeyState.USER32(00000011), ref: 00BCA12E
GetAsyncKeyState.USER32(00000012), ref: 00BCA157
GetKeyState.USER32(00000012), ref: 00BCA165
GetAsyncKeyState.USER32(0000005B), ref: 00BCA18E
GetKeyState.USER32(0000005B), ref: 00BCA19C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction ID: 5f3a675c79d6195c5f591beb2b72937045cc51d1649982671cc1cd5ad63e1d88
Opcode Fuzzy Hash: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction Fuzzy Hash: 3E51672090478C29FB35DBB08955FEAAFF5DF12384F0845DDD5C25B1C2DA54AA4CC762

Function 00BC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BC5CE2
GetWindowRect.USER32(00000000,?), ref: 00BC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BC5D59
GetDlgItem.USER32(?,00000002), ref: 00BC5D69
GetWindowRect.USER32(00000000,?), ref: 00BC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BC5DDD
GetWindowRect.USER32(00000000,?), ref: 00BC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BC5E31
GetDlgItem.USER32(?,000003EA), ref: 00BC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BC5E67

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction ID: 891c7065b1ae8d8cf97da349696c03a5058da28a989064e055eac45085f62604
Opcode Fuzzy Hash: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction Fuzzy Hash: 0151FF71A00609AFDF18DF68DD89EAEBBF5EB48310F148169F516E7290DB70AE44CB50

Function 00B78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

DestroyWindow.USER32(?), ref: 00B78C81
KillTimer.USER32(00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000), ref: 00BB69D4
DeleteObject.GDI32(00000000), ref: 00BB69E6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction ID: 1d58fb3908dd22fbbf287fc3437e0c1efd649b0c3320c94e03221350a25c6554
Opcode Fuzzy Hash: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction Fuzzy Hash: 78618C30511704DFCB269F24DA48B79BBF1FB44322F1885A8E45A9B5A0CB75AD80CF90

Function 00B79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetSysColor.USER32(0000000F), ref: 00B79862

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction ID: 7afd25e9c8058e520969a49217bcdd0378fc6e7d2a2ff5f3215eaf09e80250dd
Opcode Fuzzy Hash: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction Fuzzy Hash: 9B41F331104604AFDB209F389C84BB93BE5EB57370F148685F9B69B2E1CB709D82DB11

Function 00BC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BC9717
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9720

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BC9742
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BC9866

Strings

Error: , xrefs: 00BC981D
Line %d (File "%s"):, xrefs: 00BC978F
%s (%d) : ==> %s: %s %s, xrefs: 00BC984A
^ ERROR, xrefs: 00BC97FB
Line %d:, xrefs: 00BC97A0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction ID: 5b177e8965de2d9531b11a0e3b4f725bf0c3118af132cfaffa8970d88fba2e9e
Opcode Fuzzy Hash: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction Fuzzy Hash: DE412B72800219AADF04EBE0DE86EEE77BCAF55740F1400A5F60573192EB396F48CB61

Function 00BC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC083C

Strings

SOFTWARE\Classes\, xrefs: 00BC070E
\IPC$, xrefs: 00BC0784
\CLSID, xrefs: 00BC0724

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction ID: 765cd345092acfeac217650a872825a334d4bca824c32c65d4658395a2d91791
Opcode Fuzzy Hash: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction Fuzzy Hash: 8C41F572C10229EBDF15EFA4DC95DEEB7B8FF04750B1441A9E901A31A1EB349E45CBA0

Function 00BF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BF403B
CreateCompatibleDC.GDI32(00000000), ref: 00BF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BF4055
SelectObject.GDI32(00000000,00000000), ref: 00BF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BF4068
DeleteDC.GDI32(00000000), ref: 00BF4072
GetWindowLongW.USER32(?,000000EC), ref: 00BF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BF409E

Strings

static, xrefs: 00BF3FD3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 687d4875809292c7edbd8f8d222877d13b4be48b37f2efa147051cbaf0afadae
Instruction ID: 620c669df98aa99a98119690d6054aaa41760c629b2d1a283296b8550bf1a02b
Opcode Fuzzy Hash: 687d4875809292c7edbd8f8d222877d13b4be48b37f2efa147051cbaf0afadae
Instruction Fuzzy Hash: 9C313832501219ABDF219FA8CD49FEA3FA8EF09720F110251FA14A71A0CB75D864DB54

Function 00BE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE3C5C
CoInitialize.OLE32(00000000), ref: 00BE3C8A
CoUninitialize.OLE32 ref: 00BE3C94
_wcslen.LIBCMT ref: 00BE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00BE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BE3F0E
CoGetObject.OLE32(?,00000000,00BFFB98,?), ref: 00BE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00BE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BE3FC4
VariantClear.OLEAUT32(?), ref: 00BE3FD8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction ID: 216e34a8160e0a9b40aa2056b066288e5848fdb8d5656ac16159a470928ead39
Opcode Fuzzy Hash: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction Fuzzy Hash: 9CC159716043459FC700DF65C88892BBBE9FF89B44F1049ADF98A9B210DB31ED45CB92

Function 00BD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00BD7BA3
CoCreateInstance.OLE32(00BFFD08,00000000,00000001,00C26E6C,?), ref: 00BD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BD7C74
CoTaskMemFree.OLE32(?,?), ref: 00BD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00BD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00BD7D81
CoTaskMemFree.OLE32(00000000), ref: 00BD7DD6
CoUninitialize.OLE32 ref: 00BD7DDC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 67e1e6b2181e539402e2edd04e42e52d3cae03fa1de2bb3b293872c512a144f3
Instruction ID: 9f08d36b25f48149c1256ff8b8dec8f91dce544d6d1a6abef0ab97c70d2ccbc3
Opcode Fuzzy Hash: 67e1e6b2181e539402e2edd04e42e52d3cae03fa1de2bb3b293872c512a144f3
Instruction Fuzzy Hash: 64C10C75A04109AFCB14DF64C894DAEBBF9FF48314B1484A9E91ADB361EB30ED45CB90

Function 00BF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF5515
CharNextW.USER32(00000158), ref: 00BF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF55AC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction ID: ff663bc63516b987272200feecd80f30fa07b2e4a43b5f9f8967a202d2f02ad6
Opcode Fuzzy Hash: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction Fuzzy Hash: A5616D7490460CAFDF209F54CC85AFE7BF9EB09721F108189FB25A7290D7749A89DB60

Function 00BBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BBFB08
VariantInit.OLEAUT32(?), ref: 00BBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BBFBA1
VariantClear.OLEAUT32(?), ref: 00BBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBCC
VariantClear.OLEAUT32(?), ref: 00BBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBE9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction ID: 8265da55002ce7133f9c8214815f0655a37a4159dc8eae9c77b6807f2f3845ac
Opcode Fuzzy Hash: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction Fuzzy Hash: 82415E35A0021A9FCF14DF68DC549FEBFB9EF48344F0084A9E955A7361CB70A945CBA0

Function 00BC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BC9D22
GetKeyState.USER32(000000A0), ref: 00BC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BC9D57
GetKeyState.USER32(000000A1), ref: 00BC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BC9D84
GetKeyState.USER32(00000011), ref: 00BC9D96
GetAsyncKeyState.USER32(00000012), ref: 00BC9DAE
GetKeyState.USER32(00000012), ref: 00BC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BC9DD8
GetKeyState.USER32(0000005B), ref: 00BC9DEA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction ID: 36d09c95fb2711e6824339c3e967ece0b7d0e2590941d5b10b5238342ab89232
Opcode Fuzzy Hash: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction Fuzzy Hash: C141D8745047CA69FF308764940CBB6BEE0EB21344F0480EEDAC7675C2DBA499C8C7A2

Function 00BE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BE05BC
inet_addr.WSOCK32(?), ref: 00BE061C
gethostbyname.WSOCK32(?), ref: 00BE0628
IcmpCreateFile.IPHLPAPI ref: 00BE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00BE07B9
WSACleanup.WSOCK32 ref: 00BE07BF

Strings

Ping, xrefs: 00BE0676

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: de675a832138765fa567e30fd6ece6988dab4367f273a070f5fd44d30b3c1fc8
Instruction ID: 201c9e1b33f2991045f88ab0262f536df5c1965d5fcda0d615152e037ee83714
Opcode Fuzzy Hash: de675a832138765fa567e30fd6ece6988dab4367f273a070f5fd44d30b3c1fc8
Instruction Fuzzy Hash: 0A919F356182419FD320EF16C588F2ABBE0EF44318F1485E9F4699B6A2C7B4ED85CF91

Function 00BE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BE8CF3

Part of subcall function 00BC8E54: _wcslen.LIBCMT ref: 00BC8E77

_wcslen.LIBCMT ref: 00BE8D4E
_wcslen.LIBCMT ref: 00BE8D9C
_wcslen.LIBCMT ref: 00BE8DDC
_wcslen.LIBCMT ref: 00BE8E6E

Strings

none, xrefs: 00BE8E65, 00BE8E6A
stdcall, xrefs: 00BE8DD6, 00BE8DDB
winapi, xrefs: 00BE8D96, 00BE8D9B
cdecl, xrefs: 00BE8D48, 00BE8D4D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction ID: d5733c1c03ac805bc5e4bdbe85cddb98f2a487dc56176a52ed420dcaeff5112e
Opcode Fuzzy Hash: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction Fuzzy Hash: 62519031A009569BCF24DF6DC9819BEB7E6FF64724B2042A9E42AE72C4DB35DD40C790

Function 00BE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BE3774
CoUninitialize.OLE32 ref: 00BE377F
CoCreateInstance.OLE32(?,00000000,00000017,00BFFB78,?), ref: 00BE37D9
IIDFromString.OLE32(?,?), ref: 00BE384C
VariantInit.OLEAUT32(?), ref: 00BE38E4
VariantClear.OLEAUT32(?), ref: 00BE3936

Strings

NULL Pointer assignment, xrefs: 00BE381E
Failed to create object, xrefs: 00BE37E4, 00BE389A
Invalid parameter, xrefs: 00BE3865

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction ID: e2073eada117a9c2a2c5c5b2987e0eb5aae28cb445ce8f0e3f869abb87e58550
Opcode Fuzzy Hash: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction Fuzzy Hash: BF61B071608341AFD310DF55D888F6ABBE8EF48B14F10499DF9859B291DB70EE48CB92

Function 00BD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BD33CF

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BD33F0

Strings

Error: , xrefs: 00BD34D1
^ ERROR , xrefs: 00BD349E
Line %d (File "%s"):, xrefs: 00BD3443, 00BD345C
"%s" (%d) : ==> %s:, xrefs: 00BD3522
Incorrect parameters to object property !, xrefs: 00BD34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3504

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction ID: a73d9087b3bc17a119c731022e256a8966f9d1737dc87da015606f3abaf6f485
Opcode Fuzzy Hash: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction Fuzzy Hash: C9516D32900209AADF15EBA0DE46EEEB7F8EF14740F1440A5F505731A2EB356F58DB61

Function 00BCB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BCB5FC
_wcslen.LIBCMT ref: 00BCB608
_wcslen.LIBCMT ref: 00BCB64D
_wcslen.LIBCMT ref: 00BCB68C
_wcslen.LIBCMT ref: 00BCB6C7

Strings

APPEND, xrefs: 00BCB6C1, 00BCB6C6
KEYS, xrefs: 00BCB647, 00BCB64C
REMOVE, xrefs: 00BCB602, 00BCB607
EXISTS, xrefs: 00BCB686, 00BCB68B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction ID: deb569baf99b114b1f480b418f0ceaa914ae0e1c369699c2e3dc712b622511ed
Opcode Fuzzy Hash: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction Fuzzy Hash: 2A419532A001269ACB206F7DC992EBEB7E5EB60B54F2441BEE465D7284E735CD81C790

Function 00BD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BD5416
GetLastError.KERNEL32 ref: 00BD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00BD54A7

Strings

READY, xrefs: 00BD5460, 00BD5468
INVALID, xrefs: 00BD5459
NOTREADY, xrefs: 00BD544B
READONLY, xrefs: 00BD5452
UNKNOWN, xrefs: 00BD5444

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction ID: aca7c217db1df24fcdc5ca9ffc764b825101cdb2380c6d8bd46a4ccbb700a511
Opcode Fuzzy Hash: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction Fuzzy Hash: 18319375A005089FCB20DF68C584AAABBF4EF45305F1480AAE405DB356EB71DD86CF92

Function 00BF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BF3C79
SetMenu.USER32(?,00000000), ref: 00BF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3D10
IsMenu.USER32(?), ref: 00BF3D24
CreatePopupMenu.USER32 ref: 00BF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3D5B
DrawMenuBar.USER32 ref: 00BF3D63

Strings

F, xrefs: 00BF3D4E
0, xrefs: 00BF3C54

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction ID: f93e26c0566d58c56abc9ee8d4bdac78d67dc44f5a2b13ae1b4507b5e3051035
Opcode Fuzzy Hash: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction Fuzzy Hash: 0B416779A01209EFDB14DF64D884BAA7BF5FF49750F140068EA56A7360D730AA18CF94

Function 00BC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BC1F64
GetDlgCtrlID.USER32 ref: 00BC1F6F
GetParent.USER32 ref: 00BC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1F8E
GetDlgCtrlID.USER32(?), ref: 00BC1F97
GetParent.USER32(?), ref: 00BC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1FAE

Strings

ListBox, xrefs: 00BC1F21
ComboBox, xrefs: 00BC1EEC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction ID: f4e65f321312a423ec6b77be12c54819ab2b56f22216e13f33b99035e8f8a7fb
Opcode Fuzzy Hash: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction Fuzzy Hash: E821C270A00218BBCF04AFA4DC85EFEBBF8EF16350F004599F961A7291CB385958DB60

Function 00BC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00BC2043
GetDlgCtrlID.USER32 ref: 00BC204E
GetParent.USER32 ref: 00BC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC206D
GetDlgCtrlID.USER32(?), ref: 00BC2076
GetParent.USER32(?), ref: 00BC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC208D

Strings

ListBox, xrefs: 00BC2002
ComboBox, xrefs: 00BC1FCD

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction ID: d6d51195d1ca378cfbb03194bfdd7cf89c9f0add173faa15aae51255b8ecec58
Opcode Fuzzy Hash: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction Fuzzy Hash: 3521C375A00218BBCF14AFA0DD85EFEBFF8EF15340F00409AF951A71A1DA798954DB60

Function 00BF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00BF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BF3C13

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction ID: 623e301219065cf71ad0b4a94211fcffedb686c07a877f92bba4d723f1b3fbb5
Opcode Fuzzy Hash: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction Fuzzy Hash: 60613775A00248AFDB10DFA8CC81FFE77F8EB09710F144199FA15A72A2D774AA45DB50

Function 00BCB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB165
GetWindowThreadProcessId.USER32(00000000), ref: 00BCB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BCB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BCA1E1,?,00000001), ref: 00BCB21D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c4d15176880925156602fbc6771bfb076182f94c8c3256a8df90b7081959530e
Instruction ID: ee772ae089e9403ff231fac9cde06604f48caeee4a0fee98eb0e3babefd7e297
Opcode Fuzzy Hash: c4d15176880925156602fbc6771bfb076182f94c8c3256a8df90b7081959530e
Instruction Fuzzy Hash: F4316771520208BFDB249F24DD8AFBE7FA9EB51311F244049FA01DB190DBB89E808B60

Function 00B92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B92C94

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B92CA0
_free.LIBCMT ref: 00B92CAB
_free.LIBCMT ref: 00B92CB6
_free.LIBCMT ref: 00B92CC1
_free.LIBCMT ref: 00B92CCC
_free.LIBCMT ref: 00B92CD7
_free.LIBCMT ref: 00B92CE2
_free.LIBCMT ref: 00B92CED
_free.LIBCMT ref: 00B92CFB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction ID: 8444479e3de099674d58b9a10b088086dd399b6f3f3e1445aa0d5de05fa5705c
Opcode Fuzzy Hash: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction Fuzzy Hash: DE114076910108BFCF02EF94D982CDD7BA9FF05350F9145B5FA489B322DA31EA509B90

Function 00BD7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD7FC1
GetFileAttributesW.KERNEL32(?), ref: 00BD7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BD8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD80B0

Strings

*.*, xrefs: 00BD8066

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction ID: f34d7d00ec18bda9e99ad0354551049f2a8be8618df09bbe4d4ed6e6317e13dd
Opcode Fuzzy Hash: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction Fuzzy Hash: 998180715482459BCB20EF54C8849AAF7E8EB88314F14489FF889D7351FB35DD49CB92

Function 00B65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B65C7A

Part of subcall function 00B65D0A: GetClientRect.USER32(?,?), ref: 00B65D30
Part of subcall function 00B65D0A: GetWindowRect.USER32(?,?), ref: 00B65D71
Part of subcall function 00B65D0A: ScreenToClient.USER32(?,?), ref: 00B65D99

GetDC.USER32 ref: 00BA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BA4708
SelectObject.GDI32(00000000,00000000), ref: 00BA4716
SelectObject.GDI32(00000000,00000000), ref: 00BA472B
ReleaseDC.USER32(?,00000000), ref: 00BA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BA47C4

Strings

U, xrefs: 00BA4693

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction ID: 0d09926c3da35a362d789e787ac76fb9331e6d5bcad8216702e6ff3ec2284211
Opcode Fuzzy Hash: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction Fuzzy Hash: DB71D031408249DFCF218F68C984ABA7BF5FF8A320F1842E9ED555A1A6C7B49C91DF50

Function 00BD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00BD35E4

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00C32390,?,00000FFF,?), ref: 00BD360A

Strings

Error: , xrefs: 00BD36EF
Line %d (File "%s"):, xrefs: 00BD366B
"%s" (%d) : ==> %s:, xrefs: 00BD3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3724
^ ERROR, xrefs: 00BD36C9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction ID: 8491cd3d8cfe838364c74644932389faac0254ca149e3cc9e1e194e0e90c5011
Opcode Fuzzy Hash: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction Fuzzy Hash: 73518F72800209BADF14EBA0DD42EEDBBF8EF14700F1441A5F505721A2EB345B98DFA5

Function 00BF8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00BF8B6B
ImageList_EndDrag.COMCTL32 ref: 00BF8B71
ReleaseCapture.USER32 ref: 00BF8B77
SetWindowTextW.USER32(?,00000000), ref: 00BF8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BF8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00BF8CFF

Strings

@GUI_DRAGFILE, xrefs: 00BF8C9A
@GUI_DROPID, xrefs: 00BF8C51

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 1adf09686805324cc73af40d1aba2d3673bf676e532f7385ed07b7da90f96957
Instruction ID: 2f8258229a1a802262ed88bb276ffbc57f70d66dc9066e71ae7359653e46c215
Opcode Fuzzy Hash: 1adf09686805324cc73af40d1aba2d3673bf676e532f7385ed07b7da90f96957
Instruction Fuzzy Hash: B6517B71204308AFD704DF24DD96BBA7BE4FB88750F040669FA96972E1CB749948CB62

Function 00BDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC2CA
GetLastError.KERNEL32 ref: 00BDC322
SetEvent.KERNEL32(?), ref: 00BDC336
InternetCloseHandle.WININET(00000000), ref: 00BDC341

Strings

, xrefs: 00BDC2BB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction ID: 3efc66c9eb69827050057f14b0bef1072f5dcce8d440809031c876df6ee020a5
Opcode Fuzzy Hash: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction Fuzzy Hash: 93316BB1600609AFDB21AF658988ABBBFFCEB49754B10855EF44693310EB30ED44DB64

Function 00BC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BA3AAF,?,?,Bad directive syntax error,00BFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BC98BC
LoadStringW.USER32(00000000,?,00BA3AAF,?), ref: 00BC98C3

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BC9987

Strings

Error: , xrefs: 00BC9955
Line %d (File "%s"):, xrefs: 00BC992D
., xrefs: 00BC996D
%s (%d) : ==> %s.: %s %s, xrefs: 00BC98F1
Line %d:, xrefs: 00BC9912

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction ID: 743e5ce878b0df147e7a0b418b0506e6ba4638a948c80711cda7375568f7982a
Opcode Fuzzy Hash: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction Fuzzy Hash: A021803180021EABDF11EF90CC0AEFE77B9FF18700F0444A9F515620A2EB759A58DB60

Function 00BC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BC214D

Strings

list, xrefs: 00BC212F
details, xrefs: 00BC20FB
smallicons, xrefs: 00BC2115
largeicons, xrefs: 00BC20E1
SHELLDLL_DefView, xrefs: 00BC20CC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction ID: a3442e7a54a616f781eb62f36f1282e39662e0d8762f4e06af52822231b3a9b9
Opcode Fuzzy Hash: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction Fuzzy Hash: 4411C676688717BAFA157720EC06EB777DCDF05725B2001BAFB04FA0E1EE7168419A14

Function 00B98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction ID: b2aa85dac2e3af061b5ffb18d17f7ba6a7ca4622392b47d9d1a46720936c66d7
Opcode Fuzzy Hash: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction Fuzzy Hash: 74C1BE75D04249AFDF11EFACC891BADBBF0AF0A310F1440E9F425A7292D7309941CB61

Function 00B9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B9CEB7
_free.LIBCMT ref: 00B9CF22
_free.LIBCMT ref: 00B9CF48
_free.LIBCMT ref: 00B9CF71
_free.LIBCMT ref: 00B9CFA9
_free.LIBCMT ref: 00B9CFDA
_free.LIBCMT ref: 00B9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B9D09C
_free.LIBCMT ref: 00B9D0B5

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction ID: 8e7351d4a81bbdfbbe08626227bf8c22a3db63cd793d5e8120135a86d15f4e72
Opcode Fuzzy Hash: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction Fuzzy Hash: DC61E072A04205AFDF21AFB49891BAE7FE5EF05360F1441FDF945A7282E7329D098790

Function 00B78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB692D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction ID: 75301d2f0f70e593cb4c113fbceaea3f3e7efc9587810cf17ce7463fa9180001
Opcode Fuzzy Hash: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction Fuzzy Hash: 08518A70600209EFDB20CF24CC95BBA7BF5EB48760F108558F95A972A0DBB1ED90DB50

Function 00BDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC182
GetLastError.KERNEL32 ref: 00BDC195
SetEvent.KERNEL32(?), ref: 00BDC1A9

Part of subcall function 00BDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
Part of subcall function 00BDC253: GetLastError.KERNEL32 ref: 00BDC322
Part of subcall function 00BDC253: SetEvent.KERNEL32(?), ref: 00BDC336
Part of subcall function 00BDC253: InternetCloseHandle.WININET(00000000), ref: 00BDC341

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction ID: 5513cb2c31a5d7f73f52bb89bad3d47f3984a741ea2f456787b4b0d177a88380
Opcode Fuzzy Hash: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction Fuzzy Hash: A1314771600A06AFDB219FA59D44A76FFE9FF18300B14446EF95A93710EB31E854DBA0

Function 00BC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BC2627

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction ID: 304151a10dfd8c92194e63de886a9292f9a94674b4f5ea51ee7696dac245cd4b
Opcode Fuzzy Hash: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction Fuzzy Hash: C801D430394214BBFB1067689C8AF693F99DF4EB12F600015F318AF0D1CDF26494CA69

Function 00BC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BC1449,?,?,00000000), ref: 00BC180C
HeapAlloc.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BC1449,?,?,00000000), ref: 00BC1830
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1843
GetCurrentProcess.KERNEL32(00BC1449,00000000,?,00BC1449,?,?,00000000), ref: 00BC184B
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC184E
CreateThread.KERNEL32(00000000,00000000,00BC1874,00000000,00000000,00000000), ref: 00BC1868

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction ID: 606141d915eacb2bccd0f5b83b8abfa18ebd4183ca8f91eddd1a1ff491c9a547
Opcode Fuzzy Hash: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction Fuzzy Hash: C901BBB5240308BFE710ABA5DD4DF6B3FACEB89B11F104411FA05EB1A2CA709950DB60

Function 00BEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BCD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Part of subcall function 00BCD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Part of subcall function 00BCD4DC: CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA16D
GetLastError.KERNEL32 ref: 00BEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BEA268
GetLastError.KERNEL32(00000000), ref: 00BEA273
CloseHandle.KERNEL32(00000000), ref: 00BEA2C4

Strings

SeDebugPrivilege, xrefs: 00BEA18F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction ID: 7c616e683ae85e4fd78e0518455f45d9fd70f9f8df1d240a5d5ffc79d562d765
Opcode Fuzzy Hash: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction Fuzzy Hash: 1C617A302042829FD710DF19C494F25BBE5AF44318F1484DCE56A9B7A3C776ED89CB92

Function 00BF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BF3954
_wcslen.LIBCMT ref: 00BF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BF39F4

Strings

SysListView32, xrefs: 00BF38F7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction ID: d049b83cc5f7e5b82a73512a447a945b8b74efa5de25825fd0a1a01bab62203e
Opcode Fuzzy Hash: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction Fuzzy Hash: 5641C231A0021CABDF219F64CC45BFA7BE9EF08750F100566FA49E7281D7B59A84CB90

Function 00BCBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCBCFD
IsMenu.USER32(00000000), ref: 00BCBD1D
CreatePopupMenu.USER32 ref: 00BCBD53
GetMenuItemCount.USER32(014F5948), ref: 00BCBDA4
InsertMenuItemW.USER32(014F5948,?,00000001,00000030), ref: 00BCBDCC

Strings

2, xrefs: 00BCBD37
0, xrefs: 00BCBCA8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction ID: 4e7c3768990505f8585a67135a639e6b8b64e22221766fc71f604a1dbeae0d82
Opcode Fuzzy Hash: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction Fuzzy Hash: 2951BC70A00209ABDB10CFA8D8C6FAEBBF8FF55314F2441ADE452EB290D7709945CB61

Function 00BCC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BCC913

Strings

warning, xrefs: 00BCC8FC
question, xrefs: 00BCC8CC
stop, xrefs: 00BCC8E4
blank, xrefs: 00BCC895
info, xrefs: 00BCC8B4

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction ID: ebe80c66337142715050f04b7cb591ee244a20fc2bc08b4ab48bf177b9d92e32
Opcode Fuzzy Hash: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction Fuzzy Hash: 35110D31689317BAE705AB54AC83EAB6BECDF25754B1000BEF508A62D2D7F09D409365

Function 00BCDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BCDE42
gethostname.WSOCK32(?,00000100), ref: 00BCDE5C
gethostbyname.WSOCK32(?), ref: 00BCDE69
inet_ntoa.WSOCK32(?), ref: 00BCDEAB
_strcat.LIBCMT ref: 00BCDEB9
WSACleanup.WSOCK32 ref: 00BCDEDE

Strings

0.0.0.0, xrefs: 00BCDE87

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b524ec74af5f65e1e6787335e4f7e1e5469474bb40d3b4dab53e8d56eb90ad88
Instruction ID: 667017a02837bf1d224c82395bb0f8784442a58cb6d1a5a07f982677e7756e3c
Opcode Fuzzy Hash: b524ec74af5f65e1e6787335e4f7e1e5469474bb40d3b4dab53e8d56eb90ad88
Instruction Fuzzy Hash: 6911D53590411AAFCB207B249C4AEEA77ECDB14711F0101FEF509970A1EF708A85CB60

Function 00BF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetSystemMetrics.USER32(0000000F), ref: 00BF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00BF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BFA263
ShowWindow.USER32(00000003,00000000), ref: 00BFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00BFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BFA2CA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction ID: 1a7f220199eca48cb7a02757bd77fae59af984a3dee1b9260376b0ea55e27211
Opcode Fuzzy Hash: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction Fuzzy Hash: AFB18B716002199FDF18CF68C9857BE7BF2FF44701F0980A9EE49AB295D731AA44CB51

Function 00BCED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BCED2A
_wcslen.LIBCMT ref: 00BCED3B
_wcslen.LIBCMT ref: 00BCED79
_wcslen.LIBCMT ref: 00BCEDAF
_wcslen.LIBCMT ref: 00BCEDDF
_wcslen.LIBCMT ref: 00BCEDEF
_wcslen.LIBCMT ref: 00BCEE2B
_wcslen.LIBCMT ref: 00BCEE5A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction ID: f2bd29289de704be0bf733d6b79551ad65d479a58ca0ddfb7f38bef225dd3758
Opcode Fuzzy Hash: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction Fuzzy Hash: BB418365C10119B6CB21FBB4C88AACFB7E8AF45710F5084A7E528E3172FB34D655C3A5

Function 00B7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00B7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF454

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction ID: dced9dd6682ce9a39781d1d660f8e1c8ddac22809183e66c86f6e5e2d71fd03b
Opcode Fuzzy Hash: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction Fuzzy Hash: 9C41F831608642BBC7399B2D8DC87BA7BD2EB56310F14C4BCE66F57660DA71E880CB15

Function 00BF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BF2D1B
GetDC.USER32(00000000), ref: 00BF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00BF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BF2DE1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction ID: 613d5b36c4ff6a7eea2501f5d643b411f537d021f8f459bc4b868a3e6b165938
Opcode Fuzzy Hash: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction Fuzzy Hash: 91317C76201618BBEB118F50CC89FBB3FA9EB09711F044065FE08DB291CA759C95C7A0

Function 00BC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5637
_memcmp.LIBVCRUNTIME ref: 00BC5659
_memcmp.LIBVCRUNTIME ref: 00BC5671
_memcmp.LIBVCRUNTIME ref: 00BC5684
_memcmp.LIBVCRUNTIME ref: 00BC569E
_memcmp.LIBVCRUNTIME ref: 00BC56B1
_memcmp.LIBVCRUNTIME ref: 00BC56C9
_memcmp.LIBVCRUNTIME ref: 00BC56E4

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction ID: 10d0d7793e72490df4f11d1104a24b9d657e36314f92b375968173210a135cf4
Opcode Fuzzy Hash: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction Fuzzy Hash: B521A761641A1A77D624AE248D82FBA33DCEF21384F4404F9FE049B591F721FD95C2A9

Function 00BE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00BE502E, 00BE5383
Not an Object type, xrefs: 00BE5007

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction ID: ac2fdc356ff952315e573d323f962a4986ab324afa8414d2bc5f1ec2e213f01f
Opcode Fuzzy Hash: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction Fuzzy Hash: 30D1B371A0064A9FDF20CF99C881BAEB7F5FF48358F1481A9E915AB281E770DD45CB50

Function 00BA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BA15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BA17FB,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA16FB

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BA1777
__freea.LIBCMT ref: 00BA17A2
__freea.LIBCMT ref: 00BA17AE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction ID: bf60ec053638ef62ee9cdbfd8ad0e1fba2925c1b3753182f89bac65c82ac3a8b
Opcode Fuzzy Hash: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction Fuzzy Hash: D991C571E082169ADF648E7CC881EEE7BF5DF5A710F184AA9E802E7181DB35DD40CB60

Function 00BE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE4648
VariantInit.OLEAUT32(?), ref: 00BE4749
VariantClear.OLEAUT32(?), ref: 00BE4753
VariantClear.OLEAUT32(?), ref: 00BE47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00BE45D8, 00BE4706, 00BE47BE
Incorrect Object type in FOR..IN loop, xrefs: 00BE472C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 995af9f4efd17268a86db86b23557912c20411f6ad47ee134c46ac332bdcb4e5
Instruction ID: 4784eb15f87aa7c2332968a474570f57347111e2528e92ca192fed2518548a86
Opcode Fuzzy Hash: 995af9f4efd17268a86db86b23557912c20411f6ad47ee134c46ac332bdcb4e5
Instruction Fuzzy Hash: 1A917F71A00259AFDF20CFA6D884FAEBBF8EF46714F108599F515AB280D7709D45CBA0

Function 00BD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00BD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00BD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD1430

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction ID: 05dcdb139bf826fc901a052c3850097aba3dd4a4eb93897ff1c4104956f300ce
Opcode Fuzzy Hash: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction Fuzzy Hash: 5491AF71A00209AFDB009F98C885BBEB7F5FF45325F1488AAE910E7391E775A941CF94

Function 00B7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction ID: 7e0f5f80849f88698f780e25daf0d9980e83fc5a7025ac35b65323ce7dfb073a
Opcode Fuzzy Hash: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction Fuzzy Hash: 8E911571D44219EFCB10CFA9C884AEEBBF8FF89320F148595E525B7251D774AA42CB60

Function 00BE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE396B
CharUpperBuffW.USER32(?,?), ref: 00BE3A7A
_wcslen.LIBCMT ref: 00BE3A8A
VariantClear.OLEAUT32(?), ref: 00BE3C1F

Part of subcall function 00BD0CDF: VariantInit.OLEAUT32(00000000), ref: 00BD0D1F
Part of subcall function 00BD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00BD0D28
Part of subcall function 00BD0CDF: VariantClear.OLEAUT32(?), ref: 00BD0D34

Strings

AUTOIT.ERROR, xrefs: 00BE3A80, 00BE3A85
Incorrect Parameter format, xrefs: 00BE39A6, 00BE3BA1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction ID: fe477084ab3aa2942362a2812249800ce5f61d8af616535cc425329bdf147282
Opcode Fuzzy Hash: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction Fuzzy Hash: 37918B746083459FC700DF29C58496AB7E4FF88714F1488AEF88A9B351DB31EE45CB92

Function 00BE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
Part of subcall function 00BC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
Part of subcall function 00BC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
Part of subcall function 00BC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BE4C51
_wcslen.LIBCMT ref: 00BE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BE4DCF
CoTaskMemFree.OLE32(?), ref: 00BE4DDA

Strings

NULL Pointer assignment, xrefs: 00BE4E23, 00BE4E52

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction ID: de88e52f17a56de4ae72d9372a387f2defdd04dd0f202cc3a4db50950f8bba51
Opcode Fuzzy Hash: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction Fuzzy Hash: 49910471D0025DAFDF14DFA5D891AEEBBB8FF08300F1085A9E915A7291EB749A44CF60

Function 00BF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BF2183
GetMenuItemCount.USER32(00000000), ref: 00BF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BF21DD
_wcslen.LIBCMT ref: 00BF2213
GetMenuItemID.USER32(?,?), ref: 00BF224D
GetSubMenu.USER32(?,?), ref: 00BF225B

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF22E3

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bc9fa0daf1d3b2bd5634f60ab56ac4c77907fc24e37954046f5e9a9d454b8c7c
Instruction ID: ddd7979de55ee07af6c4959d8520a24ef909db7ec5ba5baf360e9900f26db47a
Opcode Fuzzy Hash: bc9fa0daf1d3b2bd5634f60ab56ac4c77907fc24e37954046f5e9a9d454b8c7c
Instruction Fuzzy Hash: 30714E75A00209AFCB14DFA4C885ABEBBF5EF48310F148499E956EB351DB34EE45CB90

Function 00BF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014F5A38), ref: 00BF7F37
IsWindowEnabled.USER32(014F5A38), ref: 00BF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BF801E
SendMessageW.USER32(014F5A38,000000B0,?,?), ref: 00BF8051
IsDlgButtonChecked.USER32(?,?), ref: 00BF8089
GetWindowLongW.USER32(014F5A38,000000EC), ref: 00BF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BF80C3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction ID: 04d9626f55bfff08a8ae17f42585e7e823280b1daba2f402153c2301ea3bea05
Opcode Fuzzy Hash: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction Fuzzy Hash: 37717D3464824DAFEB219F64C884FFABBF9EF19300F1444D9EA45972A1CF31A949DB50

Function 00BCAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BCAEF9
GetKeyboardState.USER32(?), ref: 00BCAF0E
SetKeyboardState.USER32(?), ref: 00BCAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BCAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BCAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BCAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BCB020

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction ID: 44dab5380b61decde1b2667889c437abb2c498baf5f7e3f75ab7e1f71d826201
Opcode Fuzzy Hash: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction Fuzzy Hash: 2F5192A06046D93DFB3652348C46FBE7EE99B06308F0885CDE1D5968C2D7A9ACC4D752

Function 00BCACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BCAD19
GetKeyboardState.USER32(?), ref: 00BCAD2E
SetKeyboardState.USER32(?), ref: 00BCAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BCADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BCADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BCAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BCAE38

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction ID: 4ac61b30f1aab688da738adc49e129bdf5e42709dbda6ec14ac173848e07fa56
Opcode Fuzzy Hash: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction Fuzzy Hash: FB51E6A15047DA3DFB3283348C85F7ABEE89B45309F0884DCE1D6968C3C694EC84D7A2

Function 00B9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BA3CD6,?,?,?,?,?,?,?,?,00B95BA3,?,?,00BA3CD6,?,?), ref: 00B95470
__fassign.LIBCMT ref: 00B954EB
__fassign.LIBCMT ref: 00B95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BA3CD6,00000005,00000000,00000000), ref: 00B9552C
WriteFile.KERNEL32(?,00BA3CD6,00000000,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B9554B
WriteFile.KERNEL32(?,?,00000001,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B95584

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction ID: 0a278ce0bdc047bed412c5ec7e6f9c2ae2abcb15ca8b8bf63413664988776301
Opcode Fuzzy Hash: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction Fuzzy Hash: 9551D471A006099FDF21CFA8D885BEEBBF9EF19300F1541AAF555E7292D7309A41CB60

Function 00B82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B82D53
_ValidateLocalCookies.LIBCMT ref: 00B82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B82E0C
_ValidateLocalCookies.LIBCMT ref: 00B82E61

Strings

csm, xrefs: 00B82DF6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction ID: 728a610ab9a0c00dbdf6108306ff88c35d47b9eea178f02f16bdb945ee8367be
Opcode Fuzzy Hash: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction Fuzzy Hash: 51418434A00209ABCF10EF68C885A9EBFF5FF45724F1481A5E8156B3B2D7759A15CBD0

Function 00BE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00BE1112
WSAGetLastError.WSOCK32 ref: 00BE1121
WSAGetLastError.WSOCK32 ref: 00BE11C9
closesocket.WSOCK32(00000000), ref: 00BE11F9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction ID: 178760ef1a448ab2add51490d1e508bf99e404e67b8e2be4be6fad29c6336f54
Opcode Fuzzy Hash: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction Fuzzy Hash: F7411A31600144AFDB109F59C884BB9BBE9FF45354F248499FD05AB291CB74ED85CBE2

Function 00BCCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BCCF45
MoveFileW.KERNEL32(?,?), ref: 00BCCF7F
_wcslen.LIBCMT ref: 00BCD005
_wcslen.LIBCMT ref: 00BCD01B
SHFileOperationW.SHELL32(?), ref: 00BCD061

Strings

\*.*, xrefs: 00BCCFF3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction ID: 96a9312dcedbbef6d34e3d54b5aa2a3607b9f0f5da5eb45fbde109f639f702f2
Opcode Fuzzy Hash: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction Fuzzy Hash: 084143759052189EDF12EBA4C981FDDB7F8EF18380F0000EEE509EB141EA34A688CB50

Function 00BF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00BF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF2F0B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction ID: 5283d219c2857174a77466762a577f6b29e53b22423390235bf35208ac44c10a
Opcode Fuzzy Hash: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction Fuzzy Hash: 4031F630654258EFDB218F58DD85F793BE1EB5A720F2901A4FA00CF2B1CB71A848DB41

Function 00BC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC778F
SysAllocString.OLEAUT32(00000000), ref: 00BC7792
SysAllocString.OLEAUT32(?), ref: 00BC77B0
SysFreeString.OLEAUT32(?), ref: 00BC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC77DE
SysAllocString.OLEAUT32(?), ref: 00BC77EC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6ed65ee5375747d19d157d725a7750cb6e782d63e63de153ca14d09b2569bbe2
Instruction ID: 822dbbe826ae9475395a4b68bf0b75ea139edadf68f7f03b6913acaffc19c3ca
Opcode Fuzzy Hash: 6ed65ee5375747d19d157d725a7750cb6e782d63e63de153ca14d09b2569bbe2
Instruction Fuzzy Hash: F821B27660421DAFDB10DFA8CC88DBB77ECEB09364700806AF914DB250DA70DC85CBA4

Function 00BC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7868
SysAllocString.OLEAUT32(00000000), ref: 00BC786B
SysAllocString.OLEAUT32 ref: 00BC788C
SysFreeString.OLEAUT32 ref: 00BC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC78AF
SysAllocString.OLEAUT32(?), ref: 00BC78BD

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c7b6420a507113a5263a5e6f1b1f390877acb5607de65508f5cfd08acc37117
Instruction ID: 83ffa6d2e784f7297a58d6582b2d49a25ea08bc8789b2e16b557d8f26b79dacb
Opcode Fuzzy Hash: 2c7b6420a507113a5263a5e6f1b1f390877acb5607de65508f5cfd08acc37117
Instruction Fuzzy Hash: DD214735604109AFDB109FA9DC8DEBA7BECEB097607108169FA15CB2A1DE74DC41CB64

Function 00BD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD052E

Strings

nul, xrefs: 00BD0567

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction ID: 342fd00cc89bdbd42cacd7480db5d3186b9712561f22af3560d750a5c7c60eb9
Opcode Fuzzy Hash: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction Fuzzy Hash: 3E215175510305DBDB20AF29E885B5ABBF4EF54728F204A5AECA1D72E0E7709950DF20

Function 00BD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD0601

Strings

nul, xrefs: 00BD0639

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction ID: 3587786f35b7ec6815b5e14d395a1af839df1fe66bc1f7fe985b89f489608e3f
Opcode Fuzzy Hash: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction Fuzzy Hash: 6D2144755103059BDB20AF799C44B5AB7E4EF95724F200A9AE8A1E73D0E770D960CB10

Function 00BF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BF4145

Strings

Msctls_Progress32, xrefs: 00BF40E3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction ID: 05421f643ad82d52a49812f3a427ac5dbf58bfa20cd516cf30d69e4c86a24ba2
Opcode Fuzzy Hash: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction Fuzzy Hash: B2118EB215021DBEEF118E64CC85EE77F9DEF08798F014110BB18A7090CB729C61DBA4

Function 00B9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D7A3: _free.LIBCMT ref: 00B9D7CC

_free.LIBCMT ref: 00B9D82D

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D838
_free.LIBCMT ref: 00B9D843
_free.LIBCMT ref: 00B9D897
_free.LIBCMT ref: 00B9D8A2
_free.LIBCMT ref: 00B9D8AD
_free.LIBCMT ref: 00B9D8B8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 92cd939704d49c68216578c674035423cf9d4060196888192ea6c8844692a1be
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 33112B71940B04BADE21FFF1CC47FCB7BDCAF04700F4148B5B29DA6592DA69B90586A0

Function 00BCDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BCDA74
LoadStringW.USER32(00000000), ref: 00BCDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BCDA91
LoadStringW.USER32(00000000), ref: 00BCDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BCDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BCDAB9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction ID: 644244fd1f52abecd460ef13b69c2c8a6f4b70d819f95df686f9875255324ff5
Opcode Fuzzy Hash: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction Fuzzy Hash: 880162F650020C7FE750ABA49E89EF7766CE708701F4004A5B746E3041EA749EC48F74

Function 00BD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014EE2A8,014EE2A8), ref: 00BD097B
EnterCriticalSection.KERNEL32(014EE288,00000000), ref: 00BD098D
TerminateThread.KERNEL32(?,000001F6), ref: 00BD099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00BD09A9
CloseHandle.KERNEL32(?), ref: 00BD09B8
InterlockedExchange.KERNEL32(014EE2A8,000001F6), ref: 00BD09C8
LeaveCriticalSection.KERNEL32(014EE288), ref: 00BD09CF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction ID: e6b52668b84aa7a284f2734b90cb95db28f99b3390085713a84c6fef983a6f9b
Opcode Fuzzy Hash: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction Fuzzy Hash: 84F01D31442506ABD7415B94EF88BE6BA25FF01702F501016F101928A0DB7494A5DF90

Function 00BE1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00BE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BE1DE1
WSAGetLastError.WSOCK32 ref: 00BE1DF2
htons.WSOCK32(?), ref: 00BE1EDB
inet_ntoa.WSOCK32(?), ref: 00BE1E8C

Part of subcall function 00BC39E8: _strlen.LIBCMT ref: 00BC39F2

Part of subcall function 00BE3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BDEC0C), ref: 00BE3240

_strlen.LIBCMT ref: 00BE1F35

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 0e6daf2081aee7fe7c9a3182bd84d83cfd6d22ef6b2ce39d195169a0e36f45ec
Instruction ID: c1067ec90bcf36aa480a64769bf376ff3ada06823b6363ed119b609cc2de4ad9
Opcode Fuzzy Hash: 0e6daf2081aee7fe7c9a3182bd84d83cfd6d22ef6b2ce39d195169a0e36f45ec
Instruction Fuzzy Hash: C4B1B231204380AFC324DF29C895E2A7BE5EF84318F64899CF4569B2E2DB71ED45CB91

Function 00B65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B65D30
GetWindowRect.USER32(?,?), ref: 00B65D71
ScreenToClient.USER32(?,?), ref: 00B65D99
GetClientRect.USER32(?,?), ref: 00B65ED7
GetWindowRect.USER32(?,?), ref: 00B65EF8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction ID: e098f947d25a4f1485226cc08f9921528fedaae72109c9d756d527279d0251f7
Opcode Fuzzy Hash: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction Fuzzy Hash: 3BB17A34A0464ADFDB20CFA8C4807EEB7F1FF58310F14845AE8A9D7250DB78AA61DB50

Function 00B901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B900D6
__allrem.LIBCMT ref: 00B900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9010B
__allrem.LIBCMT ref: 00B90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B90140

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: c7a4d79a12cd9cddd16cb0ee4c1e0667e016db6e5ee0e07ef3345d6209432145
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 6181E572A017169FEB24BF68CC81B6BB3E9EF41724F2445BAF551D6291E770D900CB90

Function 00B961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B882D9,00B882D9,?,?,?,00B9644F,00000001,00000001,8BE85006), ref: 00B96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B9644F,00000001,00000001,8BE85006,?,?,?), ref: 00B962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B963D8
__freea.LIBCMT ref: 00B963E5

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

__freea.LIBCMT ref: 00B963EE
__freea.LIBCMT ref: 00B96413

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction ID: ea4978aee00d3f5a66997484be552d2524c8bfe2efb2833054e53c7826f36015
Opcode Fuzzy Hash: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction Fuzzy Hash: A451CF72A04216ABEF268F68CC81EAF7BE9EB44750F1546B9F805D7140EB34DC50D664

Function 00BEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00BEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEBDF3
RegCloseKey.ADVAPI32(?), ref: 00BEBDFF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7509095c697ea3bbd276c78bb2022628909f599de96f440f73d42e65a64c824a
Instruction ID: a16a8b3298521ecb86673f712827c83a6546bfe9b57734365195ddd9200e5bd6
Opcode Fuzzy Hash: 7509095c697ea3bbd276c78bb2022628909f599de96f440f73d42e65a64c824a
Instruction Fuzzy Hash: D3816F31118241AFD714DF25C895E2BBBE5FF84308F1489ACF55A4B2A2DB31ED45CB92

Function 00BBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BBF860
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF889
VariantClear.OLEAUT32(00BBFA64), ref: 00BBF8AD
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF8B1
VariantClear.OLEAUT32(?), ref: 00BBF8BB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction ID: dde9eef3057df425278935626b781da9cf32d06906812d368c6e3b19ca9abbc3
Opcode Fuzzy Hash: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction Fuzzy Hash: E6519E31600312BBCF24AB65DC95BB9B3E8EF45710B2494F7E906DF291DAB08C40CB96

Function 00BD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BD94E5
_wcslen.LIBCMT ref: 00BD9506
_wcslen.LIBCMT ref: 00BD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00BD9585

Strings

X, xrefs: 00BD9412

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0e1436b216a5180f18b439f98b3b7acc71f8cfd6f7843626a7c9745c147cdfb9
Instruction ID: 584c3c7a00f78273f104e760d8b5fcb326d78d65d90af0731ca50cc3a25b8b07
Opcode Fuzzy Hash: 0e1436b216a5180f18b439f98b3b7acc71f8cfd6f7843626a7c9745c147cdfb9
Instruction Fuzzy Hash: 25E1A2315043009FD724EF24C881A6AB7E4FF95314F1489AEF8999B3A2EB31DD45CB92

Function 00B7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

BeginPaint.USER32(?,?,?), ref: 00B79241
GetWindowRect.USER32(?,?), ref: 00B792A5
ScreenToClient.USER32(?,?), ref: 00B792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B792D3
EndPaint.USER32(?,?,?,?,?), ref: 00B79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BB71EA

Part of subcall function 00B79339: BeginPath.GDI32(00000000), ref: 00B79357

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction ID: 7d86c8ae4e42f309bfd45307eb9c9f27d410ebf6ade2e62de31476b87927a25b
Opcode Fuzzy Hash: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction Fuzzy Hash: FA41AD70108300AFD710DF28DC84FBA7BE8EF85320F1442A9F9A9972A2CB719845DB61

Function 00BD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00BD0847
EnterCriticalSection.KERNEL32(?), ref: 00BD0863
LeaveCriticalSection.KERNEL32(?), ref: 00BD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD0921

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e779c1b98f68d56ef6a4a772f225a42ecb64b61726534072952acfe078c913c3
Instruction ID: 9db1c0a9fbf72fcb768f456900bb8eb1392b3fd88f20d8c9afd803c623774bc1
Opcode Fuzzy Hash: e779c1b98f68d56ef6a4a772f225a42ecb64b61726534072952acfe078c913c3
Instruction Fuzzy Hash: 17417C71910205EBDF14AF54DC85B6ABBB8FF04300F1480A5ED04AB297EB31DE65DBA4

Function 00BF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BBF3AB,00000000,?,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BF824C
EnableWindow.USER32(?,00000000), ref: 00BF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BF82D1
ShowWindow.USER32(?,00000004), ref: 00BF82E5
EnableWindow.USER32(?,00000001), ref: 00BF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BF832F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction ID: 515ab2914329974fea48a7b2ff0ce42810cccc390e0771bb2fe8b574a935e470
Opcode Fuzzy Hash: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction Fuzzy Hash: F9413234601648EFDB16CF15D999BF87BE1FB4A714F1841A9EA084B272CB31A849CF54

Function 00BC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BC4CEA
_wcslen.LIBCMT ref: 00BC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BC4D10
_wcsstr.LIBVCRUNTIME ref: 00BC4D1A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f6b0190d54574255c323ce37bca7c04c1220612a54e65547005f834b79b13757
Instruction ID: 2c63171db84ee437f95b903624d8dee3750b38071dbefdd816830d5d77d28236
Opcode Fuzzy Hash: f6b0190d54574255c323ce37bca7c04c1220612a54e65547005f834b79b13757
Instruction Fuzzy Hash: 3421C5326042057BEB256B299D59F7B7BE8DF45750F1080BDF80ACB1A1EB61DD40D6A0

Function 00BD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

_wcslen.LIBCMT ref: 00BD587B
CoInitialize.OLE32(00000000), ref: 00BD5995
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD59AE
CoUninitialize.OLE32 ref: 00BD59CC

Strings

.lnk, xrefs: 00BD5876, 00BD58C1, 00BD5985

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction ID: a3ee5d9709c4a83cf9aceb63a00e9f42b3d97be1b823ca1c2d6c8a1d7061d08f
Opcode Fuzzy Hash: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction Fuzzy Hash: CDD154716047019FC724DF24C490A2AFBE5EF89714F14889EF88A9B361EB35EC45CB92

Function 00BC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
Part of subcall function 00BC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
Part of subcall function 00BC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
Part of subcall function 00BC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

GetLengthSid.ADVAPI32(?,00000000,00BC1335), ref: 00BC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BC17BA
HeapAlloc.KERNEL32(00000000), ref: 00BC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BC1335), ref: 00BC17EE
HeapFree.KERNEL32(00000000), ref: 00BC17F5

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction ID: 4e0b49b38e720cc359cd8a23dce4f66657bd9b27626dde9761a68ec64a3cc5c2
Opcode Fuzzy Hash: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction Fuzzy Hash: 10118C71500209EFDB109FA8CD49FAE7BE9EF42355F10485DE441A7211CB359D95CB60

Function 00BC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BC1515
CloseHandle.KERNEL32(00000004), ref: 00BC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BC1563

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction ID: 130f9bef2bc3f02b651f40dd5428dda9b7566cdcacc9cc889831d1bd6a213091
Opcode Fuzzy Hash: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction Fuzzy Hash: 6D11597250020DABDF11CFA8DE49FEE7BA9EF49744F044058FA05A2160C771CEA5EB60

Function 00B83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B83379,00B82FE5), ref: 00B83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B833B7
SetLastError.KERNEL32(00000000,?,00B83379,00B82FE5), ref: 00B83409

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0d25e61c4b57a033284fe3e44e08a692f9a234869d8179054a229a6ece3e2b97
Instruction ID: d0e2358e1caa019ecfcc505d96e39735c58ea9f8761cb98bb1ac4c60f0ab9cc8
Opcode Fuzzy Hash: 0d25e61c4b57a033284fe3e44e08a692f9a234869d8179054a229a6ece3e2b97
Instruction Fuzzy Hash: 3601D43261D311BEAA2537B8BCC5B6E2AD4EB05F7972002A9F410822F1EF114E02D788

Function 00B92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B95686,00BA3CD6,?,00000000,?,00B95B6A,?,?,?,?,?,00B8E6D1,?,00C28A48), ref: 00B92D78
_free.LIBCMT ref: 00B92DAB
_free.LIBCMT ref: 00B92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DEC
_abort.LIBCMT ref: 00B92DF2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction ID: 9b5849caaac8cd4e276f359096ef2949949d83b9e82681affa0352a4513cc1dd
Opcode Fuzzy Hash: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction Fuzzy Hash: 56F0A436D0560037CE226738AC46F2E29E9EFC27A1F2505B9F824932A2EE34884241A0

Function 00BF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BF8A80
EndPath.GDI32(?), ref: 00BF8A90
StrokePath.GDI32(?), ref: 00BF8AA0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction ID: a4f0c500e77750c55e7ce9d60acc84c35834f009bc996b8f0f842d0217b79591
Opcode Fuzzy Hash: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction Fuzzy Hash: 1E11C97600010DFFDB129F94DD88FAA7FADEB08354F048052BA199B1A1DB719D95DBA0

Function 00BC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC5230
ReleaseDC.USER32(00000000,00000000), ref: 00BC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BC5261

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction ID: 12390649eb028f6a91a75c3d3eef5b661f1fb75106c8442db70dc2c8f1d382ab
Opcode Fuzzy Hash: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction Fuzzy Hash: 9C018F75A00708BBEB109BA59D49F6EBFB8EB48351F044065FA04EB380DA709850CBA0

Function 00B61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction ID: e7ec3db64bf007369be1484dda33aed18ca5ecd60fb317313d04a77bc7b2ed6a
Opcode Fuzzy Hash: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction Fuzzy Hash: D5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00BCEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BCEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BCEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BCEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB75

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction ID: fb9115e4b6dc9fa0d6b187e19d71a22c91b993787f9eb2de9eb7c11bdd7d950d
Opcode Fuzzy Hash: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction Fuzzy Hash: 49F01772240158BBE7215B629D0EEFB3E7CEFCAB11F000158F611E30919BA05A41D6B5

Function 00BB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BB7469
GetWindowDC.USER32(?), ref: 00BB7475
GetPixel.GDI32(00000000,?,?), ref: 00BB7484
ReleaseDC.USER32(?,00000000), ref: 00BB7496
GetSysColor.USER32(00000005), ref: 00BB74B0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction ID: 70aac4c39f47842a9a5437f909f4ca8c252afc03c7aeaa1e930484fb1075ca58
Opcode Fuzzy Hash: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction Fuzzy Hash: 08014031404209EFEB505BA4DE09BBA7EB5FB04322F2400A0E926A32A0CF311E91EB10

Function 00BC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC187F
UnloadUserProfile.USERENV(?,?), ref: 00BC188B
CloseHandle.KERNEL32(?), ref: 00BC1894
CloseHandle.KERNEL32(?), ref: 00BC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC18A5
HeapFree.KERNEL32(00000000), ref: 00BC18AC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction ID: a9d707b0d2b30bf5ac819f359464e056480c78b574b2bf929c7154cf26a746fd
Opcode Fuzzy Hash: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction Fuzzy Hash: 7DE0C236004109BBDA016BA1EE0CD1ABF29FF49B22B108220F22593070CF3294B0EB50

Function 00BCC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC6EE
_wcslen.LIBCMT ref: 00BCC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BCC7CA

Strings

0, xrefs: 00BCC6AF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b22aa3c1df43a862e26b279290e85fc3c9a9eb5adbd2cfbbcd5dd4c3096daf5a
Instruction ID: 0fa090313945fc4dfd1c7dde76c8d17c3c6360e14bb3786779de5da33e15dfa2
Opcode Fuzzy Hash: b22aa3c1df43a862e26b279290e85fc3c9a9eb5adbd2cfbbcd5dd4c3096daf5a
Instruction Fuzzy Hash: D551BE716143019BD7119F28C985F6BBBE4EB69310F080AAEF999D31A0DB74DD04CB56

Function 00BEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BEAEA3

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetProcessId.KERNEL32(00000000), ref: 00BEAF38
CloseHandle.KERNEL32(00000000), ref: 00BEAF67

Strings

@, xrefs: 00BEAE72
<, xrefs: 00BEAE6B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cefb6b1b906f6967d888e35fb3b1ced45880445c77c0b098c225dc3c326a006c
Instruction ID: ddec7bcabedff63ca9ecce53857f19a07013b881a314e2686aa5939d9e327e96
Opcode Fuzzy Hash: cefb6b1b906f6967d888e35fb3b1ced45880445c77c0b098c225dc3c326a006c
Instruction Fuzzy Hash: 59715670A00259DFCB14EF55C494A9EBBF4FF08314F148499E81AAB3A2CB74ED45CB91

Function 00BC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BC72CF

Strings

DllGetClassObject, xrefs: 00BC7242

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction ID: 212bc71b234119c132469deefe61589ad35dc7d2369b277f7d638a7480410086
Opcode Fuzzy Hash: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction Fuzzy Hash: 6D411A71A44204AFDB15CF54C984FAA7BE9EF45310B2480ADBD099F20ADBB1DA45CFA0

Function 00BF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3E35
IsMenu.USER32(?), ref: 00BF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3E92
DrawMenuBar.USER32 ref: 00BF3EA5

Strings

0, xrefs: 00BF3D89

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction ID: 099920541fdd8f7566eaa677b0b17bc342731ab6ed43834f63ac86a7688e3257
Opcode Fuzzy Hash: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction Fuzzy Hash: DC412475A1120DEFDF10DF60D884AEABBF9FF48764F0441A9EA05A7250D730AE49CB60

Function 00BC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BC1EA9

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Strings

ListBox, xrefs: 00BC1E25
ComboBox, xrefs: 00BC1DF0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7f7695f37eb6c8bd9810465ee93e9f3805d15cb8ba8b561ab1e0d0be3c0200ed
Instruction ID: a85e5f4f829e58b650c2d12a6f94db08c946ab4b2b9efa15d6ccd132cb3bebfe
Opcode Fuzzy Hash: 7f7695f37eb6c8bd9810465ee93e9f3805d15cb8ba8b561ab1e0d0be3c0200ed
Instruction Fuzzy Hash: 6C213571A00109BBDB14AB68DD46DFFBBF8DF46350B1485ADF825E31E2DB38494AC620

Function 00BF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BF2F8D
LoadLibraryW.KERNEL32(?), ref: 00BF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BF2FA9
DestroyWindow.USER32(?), ref: 00BF2FB1

Strings

SysAnimate32, xrefs: 00BF2F68

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction ID: 382ad4b961e5294a09213c52082f864c75dc6c5e3272bf45d15c21c246e04562
Opcode Fuzzy Hash: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction Fuzzy Hash: 2721977222420AABEB104FA4DC80EBB37F9EB69364F104668FA50D31A0D771DC959760

Function 00B84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002), ref: 00B84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000), ref: 00B84DC3

Strings

CorExitProcess, xrefs: 00B84D98
mscoree.dll, xrefs: 00B84D86

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction ID: 7985d461c7e29fb880a7633de9cce7ee5cbea796bffa3bfaff8a75aeb089338d
Opcode Fuzzy Hash: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction Fuzzy Hash: B4F03C34A40219ABDB11AB94DD49BAEBFF5EF44751F0000A4A809A36A0CF745E94CB91

Function 00B64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B64EA8
kernel32.dll, xrefs: 00B64E94

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction ID: 04bb6d0d7d370203b3e571386688a4f5af7010cfa1fac1893f1aadaaed79cadb
Opcode Fuzzy Hash: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction Fuzzy Hash: 09E0CD35E019365BD23117257D18B7F69D4EF81F627050165FD04F3111DF68CE45C4A0

Function 00B64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Strings

kernel32.dll, xrefs: 00B64E5B
Wow64RevertWow64FsRedirection, xrefs: 00B64E6E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction ID: 45dffb9b90085b16ba97048670ef24e25219371248e47046fb9115fd399583db
Opcode Fuzzy Hash: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction Fuzzy Hash: C7D0C239502A365B46221B247C08EAB6E58EF81B113050161B904B3110CF29CE52C1D0

Function 00BD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2C05
DeleteFileW.KERNEL32(?), ref: 00BD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CC0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9890e46e2c684a41fa398d574a65a9660aafcd199d12b4328e5dc58aca80cab2
Instruction ID: 06b4200732f028a7c8d19594177911e6bc17313dc5ee00d6cd9bd35ac5abf4bb
Opcode Fuzzy Hash: 9890e46e2c684a41fa398d574a65a9660aafcd199d12b4328e5dc58aca80cab2
Instruction Fuzzy Hash: 21B13C71D00119ABDF21EBA4CC85EEEBBBDEF59350F1040E6F909A7251EA349E44CB61

Function 00BEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BEA468
CloseHandle.KERNEL32(?), ref: 00BEA63D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction ID: b4d22cbb12453d829f53fa9c8f11ca24eb3cb4e312b159805aaf30972bb2d28b
Opcode Fuzzy Hash: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction Fuzzy Hash: 9EA18E71604340AFD720DF25C886F2AB7E5AF84714F14889DF59A9B392DBB4EC41CB92

Function 00B9BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C03700), ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C31270,000000FF,?,0000003F,00000000,?), ref: 00B9BC36
_free.LIBCMT ref: 00B9BB7F

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9BD4B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 3aafa2ece81c14385a96bffed8f9f0e87bd9a497c8fc7296f98dfec903819835
Instruction ID: 8736192072a22797bec6001265404353bff8d1ac24bcde561532392f151a6a47
Opcode Fuzzy Hash: 3aafa2ece81c14385a96bffed8f9f0e87bd9a497c8fc7296f98dfec903819835
Instruction Fuzzy Hash: F751CA71904209AFCF14EF65AE81EAEB7F8EF44360B1442FAE454D71A1DB709E41C790

Function 00BCE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BCE473
MoveFileW.KERNEL32(?,?), ref: 00BCE4AC
_wcslen.LIBCMT ref: 00BCE5EB
_wcslen.LIBCMT ref: 00BCE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BCE650

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction ID: b09171b5480c546f82863b7ba67dbc14c80fac2e78afc5afaeba31addfd6922a
Opcode Fuzzy Hash: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction Fuzzy Hash: 46514FB24087459BC724EB90D881EDFB7ECEF94340F00496EF59993191EE74E688CB66

Function 00BEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00BEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00BEBBB3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction ID: 9fa35ac41d19b13a34fbaaea0ac02d3e34490cb526495f10b8069032d1dfea74
Opcode Fuzzy Hash: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction Fuzzy Hash: 25618131208241AFD714DF25C890E2BBBE5FF84348F5495ACF4998B2A2DB35ED45CB92

Function 00BC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC8BCD
VariantClear.OLEAUT32 ref: 00BC8C3E
VariantClear.OLEAUT32 ref: 00BC8C9D
VariantClear.OLEAUT32(?), ref: 00BC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BC8D3B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction ID: 257a24d76785055fa94d7b2b900574b8a7f99b29993b93b253bc904a12c619f2
Opcode Fuzzy Hash: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction Fuzzy Hash: B0515BB5A00219EFCB14CF58D894EAABBF5FF89310B15856DE906DB350E730E911CB90

Function 00BD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BD8C5F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6dc482c04fa1154ae32de72faad01310bd8d799e421e1d43ecf3190ab250e3b3
Instruction ID: 7a6acc52a455250e220334d9d30c85e5c854eb337b498718bf04898a9b7a85c4
Opcode Fuzzy Hash: 6dc482c04fa1154ae32de72faad01310bd8d799e421e1d43ecf3190ab250e3b3
Instruction Fuzzy Hash: 3A515A35A10219EFCB05DF64C880A6DBBF5FF48314F088099E84AAB362DB35ED51CB90

Function 00BE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00BE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00BE9032
FreeLibrary.KERNEL32(00000000), ref: 00BE9052

Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BD1043,?,7529E610), ref: 00B7F6E6
Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BBFA64,00000000,00000000,?,?,00BD1043,?,7529E610,?,00BBFA64), ref: 00B7F70D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction ID: ce72ddf07ffb619fa484046b561da2ae6ec0ee74c7dcebf335a6ebb61b405c85
Opcode Fuzzy Hash: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction Fuzzy Hash: 11513835600645DFCB11DF59C4948ADBBF1FF59324B0480E9E80AAB362DB31ED85CB90

Function 00BF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00BF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BDAB79,00000000,00000000), ref: 00BF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BF6CC7

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction ID: 4fa8cf00e02610c1c98bf31e2b48553f849cc0f4d94e99fdc34c898c725b1a11
Opcode Fuzzy Hash: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction Fuzzy Hash: B941AF35A04108AFDB24CF68CD99FB97BE5EB09360F1502A8EE95E72A1C771AD45CA40

Function 00B92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B920C3
_free.LIBCMT ref: 00B920E3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction ID: bf089363635f7fa964a4b40d5d3d1993e19ed568f7a343aafa5b36af7d96a6a5
Opcode Fuzzy Hash: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction Fuzzy Hash: 8241AF32E00210AFCF24DF78C881A6DB7E5EF89314F1585B9E615EB392DA31AD01CB81

Function 00B7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B79141
ScreenToClient.USER32(00000000,?), ref: 00B7915E
GetAsyncKeyState.USER32(00000001), ref: 00B79183
GetAsyncKeyState.USER32(00000002), ref: 00B7919D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction ID: f6933155710367d3133cc1a196fbd9de9ef1e65793b959a437478036545e2e48
Opcode Fuzzy Hash: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction Fuzzy Hash: 7D416E7190850ABBDF059F68C844BFEB7B4FB45320F208295E429B72D0CB745954DBA1

Function 00BD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BD3922
TranslateMessage.USER32(?), ref: 00BD394B
DispatchMessageW.USER32(?), ref: 00BD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction ID: 5e79f1c35f966855a9d6d4d8edfeb7beda31f368aee9c6cb5997400793ccd23f
Opcode Fuzzy Hash: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction Fuzzy Hash: FB31FB705143419EEB35CB349898B76BBE4DB05710F0805ABE463832E2F7F99A84DB13

Function 00BDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00BDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFF2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1f437a85bd7299135b793ff45561b617ee3bc908b2ba3f33b74c972659bf4810
Instruction ID: fad84aafe533676f2a08b15ed646965d53ff12a239306c0620b9260f55ad508f
Opcode Fuzzy Hash: 1f437a85bd7299135b793ff45561b617ee3bc908b2ba3f33b74c972659bf4810
Instruction Fuzzy Hash: F4312F71504206AFDB20DFA5C9849ABBFF9EB14351B1044AEF51AD3251EB30AD49DB60

Function 00BC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BC19E2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction ID: fa263ea4d20b9ff15390b8633494e508820ee7d44931ea3395d833d455e8124c
Opcode Fuzzy Hash: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction Fuzzy Hash: F731CF71A00219EFCB00CFACC998BEE7BB5EB05314F108669F921E72D1C7B09955CB90

Function 00BF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BF579D
_wcslen.LIBCMT ref: 00BF57AF
_wcslen.LIBCMT ref: 00BF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction ID: 20ea9a62e8c37ddf25d34b1d7fce10280fbe2276e367a7b5c893d778a73a63ae
Opcode Fuzzy Hash: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction Fuzzy Hash: F521307190461CAADB309F64CC85AFDBBF8EF04724F108296EB29EB194D7709989CF50

Function 00BE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BE0951
GetForegroundWindow.USER32 ref: 00BE0968
GetDC.USER32(00000000), ref: 00BE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00BE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00BE09E8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction ID: 2cdd91d11ba6004a2fabb7a7077e68ba4f44e4c411aa0241662e14c011f1bfe5
Opcode Fuzzy Hash: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction Fuzzy Hash: FA219335600204AFD704EF69D984AAEBBF5EF44700F0484ADF84AD7362DB74AD44CB50

Function 00B9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9CDE9

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B9CE0F
_free.LIBCMT ref: 00B9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9CE31

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction ID: 17d637374272fa676da1ee0ad5a1826ccd3785572fa2fb1932679dd6ed5cb9a0
Opcode Fuzzy Hash: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction Fuzzy Hash: EF01D472601A157F2B211ABA6C88C7B6EEDDEC6BA131501B9F906D7200EE609E01C2B4

Function 00B79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
SelectObject.GDI32(?,00000000), ref: 00B796A2
BeginPath.GDI32(?), ref: 00B796B9
SelectObject.GDI32(?,00000000), ref: 00B796E2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction ID: ff0afcd27ffec59acc371080a0ebf8946ad9ca9fb18d318510da65025d26f311
Opcode Fuzzy Hash: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction Fuzzy Hash: 36217C30812305EFDB119F28ED08BBD3BE8FB41725F188396F828A71A0D7709991CB94

Function 00BC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5726
_memcmp.LIBVCRUNTIME ref: 00BC5744
_memcmp.LIBVCRUNTIME ref: 00BC5757
_memcmp.LIBVCRUNTIME ref: 00BC576F
_memcmp.LIBVCRUNTIME ref: 00BC5787

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction ID: e2b11cbef11613b6e2878b2a49103dd010621e982a8b7e102d88f9fe3fb3765b
Opcode Fuzzy Hash: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction Fuzzy Hash: 59019671741619BA922866149D82FBA63DCDF21394B0044AAFE049B251F660FD95C2A8

Function 00B92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6), ref: 00B92DFD
_free.LIBCMT ref: 00B92E32
_free.LIBCMT ref: 00B92E59
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E66
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E6F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction ID: 0f7634020965e4e23ee2e83bb1d8afa43b6dca3e4e819759692b05f081f0fd49
Opcode Fuzzy Hash: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction Fuzzy Hash: A801A432E45E007BCE1267746DC6E2F2AEDEFD17A5B2540B9F425A3292EF748C414160

Function 00BC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0070

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction ID: 63ee7f907a7a3f93215cd4d3223324cf917b230b33f2c9d600a8162422ca895f
Opcode Fuzzy Hash: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction Fuzzy Hash: EB017872610208EBDB116F68ED44FBA7EEDEB44792F154168F905D3210EB71DD808BA0

Function 00BCE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BCE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BCE9A5
Sleep.KERNEL32(00000000), ref: 00BCE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BCE9B7
Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction ID: b3b31a8491767dc1ddb20fda7542b2439dc9ce6f7cbebd4a77bc9453cf381466
Opcode Fuzzy Hash: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction Fuzzy Hash: 5F015B31C0152DDBCF009BE4D949BEDBBB8FF09700F00458AE512B3140CB709691C761

Function 00BC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction ID: 4397722efd2e0f99e69dcd69761ff486307b5d5e008e5e242cff739933c14546
Opcode Fuzzy Hash: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction Fuzzy Hash: DC016975200209BFDB115FA8DD49E6A3FAEEF8A3A0B240458FA41E3360DF31DD50CA60

Function 00BC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction ID: fbad009cf51d697a4753cc4703fa8df460f11a25b617b02d68066083942ce72b
Opcode Fuzzy Hash: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction Fuzzy Hash: 04F04F35100305ABD7214FA89D49F663FADEF8A761F114455FA45D7251CE70DC90CA60

Function 00BC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction ID: ec296a61ed3218a6803b28c5a8e9a23e32b77eb7c7780ee85f0e715d8cbd06b9
Opcode Fuzzy Hash: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction Fuzzy Hash: 3FF06D35240309EBDB215FA8ED49F663FADEF8A761F210818FE45E7251CE70D990CA60

Function 00BD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0324
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0331
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD033E
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD034B
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0358
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0365

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction ID: 483bcf64eedabcf0c3e701d156d4fee600ff7b3044dd7c6f80d224fc220773a2
Opcode Fuzzy Hash: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction Fuzzy Hash: BB01EE72800B058FCB30AF66D880812FBF9FF603253058A3FD19252A30C3B0A998CF84

Function 00B9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9D752

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D764
_free.LIBCMT ref: 00B9D776
_free.LIBCMT ref: 00B9D788
_free.LIBCMT ref: 00B9D79A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction ID: 02fcbf584666ef8764ed7c4bb6734f25ba44e78799aaaa8cd4b7f1f349f051ae
Opcode Fuzzy Hash: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction Fuzzy Hash: B3F0FF32954204ABCA21EBA5F9C5E1E77DDFB447107A508A5F04CE7A51CB24FC8086A4

Function 00BC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BC5C6F
MessageBeep.USER32(00000000), ref: 00BC5C87
KillTimer.USER32(?,0000040A), ref: 00BC5CA3
EndDialog.USER32(?,00000001), ref: 00BC5CBD

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction ID: 81c10f070d55f98790de775bc8cd5e52053cd4b74897acf5278700de4de9f7d5
Opcode Fuzzy Hash: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction Fuzzy Hash: 85011230504B08ABEB315B10DE4EFA67BF8FB04B05F04159DA592A34E1DBF4B9C8CA90

Function 00B922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B922BE

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B922D0
_free.LIBCMT ref: 00B922E3
_free.LIBCMT ref: 00B922F4
_free.LIBCMT ref: 00B92305

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction ID: 317de6f3d4c37173c311067874a6247ed5f55cdce27eac43df33d7510f50fa2e
Opcode Fuzzy Hash: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction Fuzzy Hash: 53F05E71C20620AF8E22EF94BC41B0D3BE4F71876071405AAF814D63B1C7310912EFE4

Function 00B795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B795D4
StrokeAndFillPath.GDI32(?,?,00BB71F7,00000000,?,?,?), ref: 00B795F0
SelectObject.GDI32(?,00000000), ref: 00B79603
DeleteObject.GDI32 ref: 00B79616
StrokePath.GDI32(?), ref: 00B79631

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction ID: c30a26b86a19ecde1cba983a1aa1974cf889c94462fb587e58e21431da063e2b
Opcode Fuzzy Hash: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction Fuzzy Hash: 49F0C935015708EFDB169F65EE18B683FA5EB11332F088354F869560F1CB308AA5DF20

Function 00B90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B910F9
__freea.LIBCMT ref: 00B91117

Part of subcall function 00B91537: _free.LIBCMT ref: 00B9154F

Strings

am/pm, xrefs: 00B9117A
a/p, xrefs: 00B911DE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction ID: e621cf13604ea87f267c507a219d1a9e3afafe4d041b97439285087cb1685e2b
Opcode Fuzzy Hash: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction Fuzzy Hash: 9BD1D031904207EADF299F6CC895BBAB7F0EF05700F2449F9E901AB651D3359D80EB65

Function 00BE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B80242: EnterCriticalSection.KERNEL32(00C3070C,00C31884,?,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8024D
Part of subcall function 00B80242: LeaveCriticalSection.KERNEL32(00C3070C,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8028A

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

__Init_thread_footer.LIBCMT ref: 00BE7BFB

Part of subcall function 00B801F8: EnterCriticalSection.KERNEL32(00C3070C,?,?,00B78747,00C32514), ref: 00B80202
Part of subcall function 00B801F8: LeaveCriticalSection.KERNEL32(00C3070C,?,00B78747,00C32514), ref: 00B80235

Strings

Variable must be of type 'Object'., xrefs: 00BE7C3A
G, xrefs: 00BE7C7F
5, xrefs: 00BE7C78

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: c02b2705cae13d59684a8590d5c79d34782e5b0054fc1d594b7412ba4bb5026d
Instruction ID: bdabea0b558265132df91db7b114c34068b34645d05dbefce4518474bc727e14
Opcode Fuzzy Hash: c02b2705cae13d59684a8590d5c79d34782e5b0054fc1d594b7412ba4bb5026d
Instruction Fuzzy Hash: 6D91AA70A44289EFCB04EF55D8809BDB7F5FF48300F108099F806AB292DB71AE45CB91

Function 00BC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21D0,?,?,00000034,00000800,?,00000034), ref: 00BCB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BC2760

Part of subcall function 00BCB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BCB3F8

Part of subcall function 00BCB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BCB355
Part of subcall function 00BCB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB365
Part of subcall function 00BCB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC281A

Strings

@, xrefs: 00BC2832

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction ID: 8962a3f6435fc98c9bad39578ac5631eee464436e54b8bb69b90cc8584861367
Opcode Fuzzy Hash: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction Fuzzy Hash: 8341FB76900218AFDB10DBA4CD86FEEBBB8EF49700F104099FA55B7181DB706E45CBA1

Function 00B9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B91769
_free.LIBCMT ref: 00B91834
_free.LIBCMT ref: 00B9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B91760, 00B91767, 00B91796, 00B917CE

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction ID: 78155bc22b4b6eab409285b3bf6f03eceb0528bb4992866e43d6f8c93f6f0ba9
Opcode Fuzzy Hash: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction Fuzzy Hash: 0F3150B5A0021AAFDF21DF999885E9EBBFCEB85350B1445F6F80497211D6708E41EBA0

Function 00BCC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BCC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BCC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C31990,014F5948), ref: 00BCC395

Strings

0, xrefs: 00BCC2DF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction ID: 0b865291ee27b18092d269f193cf7965c8cb721a5180d7752fc91686c8220604
Opcode Fuzzy Hash: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction Fuzzy Hash: E94191712043419FD720DF24E885F1ABFE4EBE5310F10869DF8A9D7292D730A904CB66

Function 00BF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BFCC08,00000000,?,?,?,?), ref: 00BF44AA
GetWindowLongW.USER32 ref: 00BF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF44D7

Strings

SysTreeView32, xrefs: 00BF447C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction ID: 5cb16f8f46c467e845109bf158ca25fd3d579c38e247afcbce9d7594970fbf58
Opcode Fuzzy Hash: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction Fuzzy Hash: 13316D31214209AFDB209E78DC45BEB7BE9EB08324F204755FA75A32E0DB74EC549B50

Function 00BE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BE3077,?,?), ref: 00BE3378

inet_addr.WSOCK32(?), ref: 00BE307A
_wcslen.LIBCMT ref: 00BE309B
htons.WSOCK32(00000000), ref: 00BE3106

Strings

255.255.255.255, xrefs: 00BE3095, 00BE309A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction ID: 83574f8d0f22482da9f42e050e0269e6a24cecbd1e0ac41e9bfe2cedc614db23
Opcode Fuzzy Hash: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction Fuzzy Hash: 7331F3352002859FCB20CF6AC589FAA77E0EF54718F2480D9E8159B393CB36EE41C761

Function 00BF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF3F78

Strings

SysMonthCal32, xrefs: 00BF3F0B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction ID: e76235a1c1c6c3caa0888af6915e67c769a28bd168a993816779ac9257d1593f
Opcode Fuzzy Hash: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction Fuzzy Hash: 2D219F32610219BFDF118F50DC86FEA3BB5EF48724F110254FA15AB1D0D6B5AD94CBA0

Function 00BF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BF471A

Strings

msctls_updown32, xrefs: 00BF4684

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction ID: 3870e6325ff1b4ec5e7a008462262772166c8dc45a45c7876afa7384309f71fb
Opcode Fuzzy Hash: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction Fuzzy Hash: 11213EB5604209AFDB10DF64DCD1EBB37EDEB9A3A8B040199FA009B251CB71EC55CB60

Function 00BC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC961D

Strings

#OnAutoItStartRegister, xrefs: 00BC95F3
#notrayicon, xrefs: 00BC95B7
#requireadmin, xrefs: 00BC95D9

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 56a9c3566907a1f19f1b8ed051bf27796e993bc87f2c295eb91a49dadcae21d4
Instruction ID: 95d6f08b247bb3647ef477e5d99e20cb0bed692c822f33155f9c4baef3f37b3f
Opcode Fuzzy Hash: 56a9c3566907a1f19f1b8ed051bf27796e993bc87f2c295eb91a49dadcae21d4
Instruction Fuzzy Hash: DC21573220421167E331BB28DC4AFBB73D8EFA5714F5040BEFA8A97091EB65AD45C395

Function 00BF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BF3876

Strings

Listbox, xrefs: 00BF380F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction ID: d51a26672cef85de5195f24a7b89dd43d743970454140857f0199e82d27722b4
Opcode Fuzzy Hash: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction Fuzzy Hash: 5D21B072610118BBEB119F54CC81FBB37EAEF89B90F118164FA009B190CA75DC55C7A0

Function 00BD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00BFCC08), ref: 00BD4AD0

Strings

%lu, xrefs: 00BD4A6F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction ID: 3d76d8fa192781e058542c3723248ef8b6d144513ed5f25faa23ab7d5bd9f8d0
Opcode Fuzzy Hash: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction Fuzzy Hash: A3314175A00109AFDB10DF54C985EAABBF8EF04318F1480A5F509DB362DB75EE45CB61

Function 00BF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BF4271

Strings

msctls_trackbar32, xrefs: 00BF4226

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction ID: 9c6f0b6246125e4a8144bb1d1afa5602c56e8c378fe410bedd900defdd018c91
Opcode Fuzzy Hash: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction Fuzzy Hash: 4B11CE31250248BEEF205E28CC46FBB3BE8EB85B64F010624FA55E70A0D671D851DB20

Function 00BC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Part of subcall function 00BC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
Part of subcall function 00BC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
Part of subcall function 00BC2DA7: GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
Part of subcall function 00BC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

GetFocus.USER32 ref: 00BC2F78

Part of subcall function 00BC2DEE: GetParent.USER32(00000000), ref: 00BC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BC2FC3
EnumChildWindows.USER32(?,00BC303B), ref: 00BC2FEB

Strings

%s%d, xrefs: 00BC2FFF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction ID: e5ae622abd35578b20979adb0f9cd0752049045824f789e7c83ffbd080b59c67
Opcode Fuzzy Hash: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction Fuzzy Hash: C6119071600209ABDF556F649C86FFE37EAAF94304F0480B9B9099B292DE7099498B60

Function 00BF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58EE
DrawMenuBar.USER32(?), ref: 00BF58FD

Strings

0, xrefs: 00BF588F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2a87fba39269ed25640685d1904aa0e164f27073a78e9c215ba2dce64af4c306
Instruction ID: f5f609239115ff110c10f86b3622ac1d6e61d76cb137bc555d55f5e6ef66180b
Opcode Fuzzy Hash: 2a87fba39269ed25640685d1904aa0e164f27073a78e9c215ba2dce64af4c306
Instruction Fuzzy Hash: 4E012731500218AEDB219F25DC85BBABBB4FB45360F10C0D9EA49D7251DB708A88EF21

Function 00BBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BBD3BF
FreeLibrary.KERNEL32 ref: 00BBD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00BBD3B9
X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction ID: d97bf8592bba89dbf1b8e6f3ea95abcba488701fdd0dfcb0f4515f14b8eeeed3
Opcode Fuzzy Hash: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction Fuzzy Hash: F2F0552240075A8BC7741210CC98AFD77E4EF10741BA982E9F016F30A5FBF8CD88C64A

Function 00BC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction ID: f580e428b0b6067efb05a41bc7cb55a1ebe36304a47dd372b0a80815e652f51e
Opcode Fuzzy Hash: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction Fuzzy Hash: 8BC14775A1021AEFDB14DFA8C894FAAB7B5FF88304F248598E505EB251D731EE41CB90

Function 00B93E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B93F0B
__alldvrm.LIBCMT ref: 00B9410C
__alldvrm.LIBCMT ref: 00B9412E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 561f21f11133bf88cdbaf92e6c43b666358b6c9c4dcc8d088982a42de72fce8a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0DA12476A042969FDF25CF28C891BAABFE5EF62350F1841FDE5859B281C3348982C750

Function 00BE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE3459
CoUninitialize.OLE32 ref: 00BE3463
VariantInit.OLEAUT32(?), ref: 00BE346E
VariantClear.OLEAUT32(?), ref: 00BE371B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction ID: b811ed85736baa0abff8271cea535327a93426f432dcca25f37aafeba0f6d0f4
Opcode Fuzzy Hash: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction Fuzzy Hash: F2A15C752183009FC710DF29C595A2AB7E5FF88714F04889DF98A9B362DB34EE45CB91

Function 00BC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC0608
CLSIDFromProgID.OLE32(?,?,00000000,00BFCC40,000000FF,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC062D
_memcmp.LIBVCRUNTIME ref: 00BC064E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction ID: 7095cafc3edb9e0b33b39002795b7937c08592006e05b322acd508cbd6cf1916
Opcode Fuzzy Hash: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction Fuzzy Hash: 0981F771A10109EFCB04DF94C984EEEB7F9FF89315F204598E516AB250DB71AE46CB60

Function 00BEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00BEA6BA

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00BEA79C
CloseHandle.KERNEL32(00000000), ref: 00BEA7AB

Part of subcall function 00B7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BA3303,?), ref: 00B7CE8A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6782b7267fee2d9fa8634d34deee698a57569ea56243619428e2dc6a10b55357
Instruction ID: 9e379616a46b1a419e7cdd80ea176a512aabf9c3996e3695fdc0da981411221c
Opcode Fuzzy Hash: 6782b7267fee2d9fa8634d34deee698a57569ea56243619428e2dc6a10b55357
Instruction Fuzzy Hash: 94514D715083409FD710EF25C886E6BBBE8FF89754F00895DF599972A1EB34E904CB92

Function 00BA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BA14C0

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction ID: f72489724c00b113058df7fea9db04c7339c3ab74d48cb35d38a9c71c94e7807
Opcode Fuzzy Hash: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction Fuzzy Hash: F5414931A08115ABDF617FBD8C85ABE3AE4EF4B370F144AE5F418D6391EA3448419BA1

Function 00BF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF62E2
ScreenToClient.USER32(?,?), ref: 00BF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BF6382

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction ID: 765628753a7a7b3cbabf58d20488951b4873fed8469f3c50262d6a4e54cf09a7
Opcode Fuzzy Hash: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction Fuzzy Hash: 78511874A00209EFCB14DF68D980ABE7BF5EB55360F1481A9FE159B2A1D730ED85CB90

Function 00BE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE1AFD
WSAGetLastError.WSOCK32 ref: 00BE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BE1B8A
WSAGetLastError.WSOCK32 ref: 00BE1B94

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction ID: 60728a79e6192a405f8e5a2f01e85dd5f238c6500f6546cb80c9c617b0de4ed2
Opcode Fuzzy Hash: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction Fuzzy Hash: 9441A034600200AFE720AF24C886F2A77E5EB44718F54C498F95A9F3D2D776ED41CB90

Function 00B9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction ID: c8f8dba693bb113e66d86ff29b24461e22aa0cca9f75fd0278024c48752e389c
Opcode Fuzzy Hash: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction Fuzzy Hash: C441E275A00304AFDB24AF78D941FAABBE9EB88710F1045BEF151DB392D77199018780

Function 00BD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BD5783
GetLastError.KERNEL32(?,00000000), ref: 00BD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BD57FA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction ID: 0337e65802d103bdcae73b2525830202a7319d0b874840b0a235dccc439e3b31
Opcode Fuzzy Hash: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction Fuzzy Hash: 89415B39210610DFCB20EF15C554A5EBBF2EF99324B1884D9E84AAB362DB34FD40CB91

Function 00B9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B86D71,00000000,00000000,00B882D9,?,00B882D9,?,00000001,00B86D71,8BE85006,00000001,00B882D9,00B882D9), ref: 00B9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B9D9AB
__freea.LIBCMT ref: 00B9D9B4

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction ID: e9c4d980eb7775e76f7cddd91b3d99ec9cd6603866592fe1c35b26fe4d02fb24
Opcode Fuzzy Hash: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction Fuzzy Hash: 6831AE72A0020AABDF24AF65DC85EAE7BE5EB40710B1542A9FC05D7160EB35CD54CB90

Function 00BF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BF5352
GetWindowLongW.USER32(?,000000F0), ref: 00BF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF53A8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction ID: 4554e05cd0cf2d08c77635921554c616d228d67370c8030a48c19da50832cd20
Opcode Fuzzy Hash: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction Fuzzy Hash: 57319234A55A0CEFEB309A1CCC45BF877E5EB05390F584181FB12971E1C7B09988DB4A

Function 00BCAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BCABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BCAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BCAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BCACC6

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction ID: ea022528e725d910f21317ea607730794c12a4a55afc3833e9bce53acfae9a6a
Opcode Fuzzy Hash: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction Fuzzy Hash: A3311230A4421CAFFB248B688C09FFB7BE5EB89318F04429EE491971D1C374998587A2

Function 00BF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BF769A
GetWindowRect.USER32(?,?), ref: 00BF7710
PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720
MessageBeep.USER32(00000000), ref: 00BF778C

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction ID: 751fe95a1aa11c3ba3eb1a87295b655ab3bf42d4a680cec02e3d3518cb35e95b
Opcode Fuzzy Hash: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction Fuzzy Hash: 97416D34655218EFCB01EF58C894FB97BF5FB49314F1940E8EA249B261CB30AD49CB90

Function 00BF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BF16EB

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

GetCaretPos.USER32(?), ref: 00BF16FF
ClientToScreen.USER32(00000000,?), ref: 00BF174C
GetForegroundWindow.USER32 ref: 00BF1752

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction ID: a04757acb5833d8986e783c4a8a718bfaa5ac6e04069c1f647861e91df6204b4
Opcode Fuzzy Hash: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction Fuzzy Hash: D6313E75D00249AFC704EFA9C981DBEBBF9EF48304B5084AAE415E7211EA35DE45CFA0

Function 00BCDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

_wcslen.LIBCMT ref: 00BCDFCB
_wcslen.LIBCMT ref: 00BCDFE2
_wcslen.LIBCMT ref: 00BCE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00BCE018

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 7f02fb332338f208ea88dd15f2770bf7a565a2e0238ea67c144f2fb4f62c6d91
Instruction ID: d8ad960a29efe2564fd7dd1cec91f82baefc05a191409d056549d34873006250
Opcode Fuzzy Hash: 7f02fb332338f208ea88dd15f2770bf7a565a2e0238ea67c144f2fb4f62c6d91
Instruction Fuzzy Hash: 3F21A375900215EFCB20EFA8D982B6EB7F8EF45760F1440A9E805BB281D7709E41CBA1

Function 00BF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetCursorPos.USER32(?), ref: 00BF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BB7711,?,?,?,?,?), ref: 00BF9016
GetCursorPos.USER32(?), ref: 00BF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BB7711,?,?,?), ref: 00BF9094

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction ID: 03a83a3dc1ccc4c84b487391c4085837187644bacb100a397dd251e35d4c09aa
Opcode Fuzzy Hash: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction Fuzzy Hash: 04216D3560011CEFDB258FA4C859FFA7BF9EB89360F1440A5FA058B2A1CB319994DF60

Function 00BCD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BFCB68), ref: 00BCD2FB
GetLastError.KERNEL32 ref: 00BCD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BFCB68), ref: 00BCD376

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction ID: 429f27679db1e851dcb4dd88c04f0065c9cb4267cc176da0072d550b38f1e145
Opcode Fuzzy Hash: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction Fuzzy Hash: AA21B7745043059F8300DF24C98196E7BE8EF95364F104AADF495C72A1DB30D949CB97

Function 00BC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
Part of subcall function 00BC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
Part of subcall function 00BC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
Part of subcall function 00BC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BC15BE
_memcmp.LIBVCRUNTIME ref: 00BC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC1617
HeapFree.KERNEL32(00000000), ref: 00BC161E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction ID: 9b0734dac24b7d1db9a3f4ec637d7d43512fe679e36a60c989faf155aed8817f
Opcode Fuzzy Hash: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction Fuzzy Hash: 4F217C71E00108AFDB00DFA8C945FEEB7F8EF45344F184899E441B7242D730AA45DB50

Function 00BF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BF2840

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction ID: fea500f652b9f9678b64519088c43727e050c8d103c1ef044aad224a2c78a6bd
Opcode Fuzzy Hash: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction Fuzzy Hash: A4212131204119AFD7109B24C841FBA7BE5EF45324F148198F526CB6E2CB71FC86C790

Function 00BC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8D8C
Part of subcall function 00BC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC8DB2
Part of subcall function 00BC8D7D: lstrcmpiW.KERNEL32(00000000,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7923
lstrcpyW.KERNEL32(00000000,?,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7984

Strings

cdecl, xrefs: 00BC797B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 346152672e805bd88df06d433e27dfe18cea9bd84fed4399f31dfd81dafe3295
Instruction ID: aacb7449364b5f39c120b8b5af30f3566a860313e1c7820b71ae9a2e7ec01abb
Opcode Fuzzy Hash: 346152672e805bd88df06d433e27dfe18cea9bd84fed4399f31dfd81dafe3295
Instruction Fuzzy Hash: ED11263A200302BBCB159F38D844E7A77E9FF85390B50806EF846C72A4EF719811CBA1

Function 00BF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BDB7AD,00000000), ref: 00BF7D6B

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction ID: c0325f569df874c250cd9ebdd2c6188e0f8fbda47bcacbe049f402466ecbd58e
Opcode Fuzzy Hash: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction Fuzzy Hash: 8411AC75258619AFCB108F28CC04ABA3BE5EF45360B5583B4F939CB2E0DB308965CB80

Function 00BF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BF56BB
_wcslen.LIBCMT ref: 00BF56CD
_wcslen.LIBCMT ref: 00BF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction ID: 075230d18467b01c07654758266691476637bd3b94771390f8fcca7a64f49856
Opcode Fuzzy Hash: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction Fuzzy Hash: 3811B47160060CAADB30AF61CCC5AFE77ECEF11760B1080A6FB15D7181EB709988CB64

Function 00B91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction ID: 5dacd50412efb4e713db70e28fdf487ac910c64d2faff7aa81f89e03c2264658
Opcode Fuzzy Hash: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction Fuzzy Hash: 90014FB260561B7EFE11167C6CC1F67669DDF413B8B340BB5F535621E2DB608D40A170

Function 00BC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A8A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction ID: 3c834d8ad43b551803091f5c07fa7f8c6c3d1de160a23c4de16094ac92d127ee
Opcode Fuzzy Hash: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction Fuzzy Hash: A411393AD01219FFEB10DFA8CD85FADBBB8EB08750F200495EA10B7290D6716E50DB94

Function 00BCE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BCE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BCE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BCE24D

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction ID: cca0b31f656596c6f317b54d692f4b29b65011d504012177a5a236af32b7b29a
Opcode Fuzzy Hash: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction Fuzzy Hash: 0511C876904258BFC7019FA89C05FAE7FECDB45320F044259F924E72A1D770CD048BA0

Function 00B8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B8CFF9,00000000,00000004,00000000), ref: 00B8D218
GetLastError.KERNEL32 ref: 00B8D224
__dosmaperr.LIBCMT ref: 00B8D22B
ResumeThread.KERNEL32(00000000), ref: 00B8D249

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction ID: 82a56bf7cc15440a1299f11aa3570778857447ec703b21c1cbfafb7885cd3859
Opcode Fuzzy Hash: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction Fuzzy Hash: A601C036805209BBDB117FA5DC09AAA7FA9EF81330F10029AF925A21F0CF708945C7A0

Function 00B7990E Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1
GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction ID: 75f426b9f063dabeb1d87c5c2020b74e73eab64a4ab40a81b26fbc975cb9e242
Opcode Fuzzy Hash: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction Fuzzy Hash: 2A118C322462109FD7118F20EC94FFA7FA5DF6B365B08419DFA468B2A2DB314891C751

Function 00BF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetClientRect.USER32(?,?), ref: 00BF9F31
GetCursorPos.USER32(?), ref: 00BF9F3B
ScreenToClient.USER32(?,?), ref: 00BF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00BF9F7A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction ID: 1b30be844fde807f8375787aba0b9982dd2df9f9fa47fc2d87e075bf7167a273
Opcode Fuzzy Hash: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction Fuzzy Hash: 00112A3290011EABDB10DF68D985AFE7BB9FF45311F104495FA11E7151D730BA89CBA1

Function 00B6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
GetStockObject.GDI32(00000011), ref: 00B66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction ID: cf2e1819eeecd88704105b277c745d4eb202ba50d33c3471e69064121d08d563
Opcode Fuzzy Hash: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction Fuzzy Hash: 5B116D72501508BFEF165FA49C84EEABFADFF093A4F040265FA1553110DB369CA0DBA0

Function 00B83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B83B56

Part of subcall function 00B83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B83AD2
Part of subcall function 00B83AA3: ___AdjustPointer.LIBCMT ref: 00B83AED

_UnwindNestedFrames.LIBCMT ref: 00B83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B83BA4

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 28d4f055bf347d8418a261e86557f490ff8caff64c1e664f5fab9bc221c58108
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AB012972100149BBDF126E95CC42EEB7FE9EF48B54F044094FE4856131D732E961DBA0

Function 00B93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B613C6,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue), ref: 00B930A5
GetLastError.KERNEL32(?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000,00000364,?,00B92E46), ref: 00B930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000), ref: 00B930BF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction ID: 092c838fbbe09517e1aa4e2ed5c3d994e2f2156bb86c7487a00a97e8673457f0
Opcode Fuzzy Hash: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction Fuzzy Hash: B501D432301226ABCF314A789C84B6B7FD8EF05FA1B250670F915E3140CB21D945C6E0

Function 00BC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BC74CA

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction ID: d28d37e36325cca6f2b1406bcea936a10f77db2eee3d62bd5861fe39db8070e7
Opcode Fuzzy Hash: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction Fuzzy Hash: B711A1B12453149BE7208F14ED49FA2BFFCEB00B00F1085ADA626D7251DB70E944DF90

Function 00BCB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB126

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction ID: 202f7b70c55e9eb5cdd6b0780652616dfb2da5204232c71c5edc9af7096f9c3d
Opcode Fuzzy Hash: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction Fuzzy Hash: 48111831C1151CD7CF009FA4E99AFEEBBB8FF09711F114089D951B3181CB3056508B52

Function 00BF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF7E33
ScreenToClient.USER32(?,?), ref: 00BF7E4B
ScreenToClient.USER32(?,?), ref: 00BF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7E8A

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction ID: 772fbc8cbcdf69dfe5792c10fd8e741c51daaaec392fcd05c1381399fd1bb0e8
Opcode Fuzzy Hash: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction Fuzzy Hash: EA1113B9D0424EAFDB41DF98C9849EEBBF9FB08310F505096E915E3210D735AA95CF50

Function 00BC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction ID: b46d639db9bdb30ff03508325bf41004801d04b19ea168ce224f033ef3397712
Opcode Fuzzy Hash: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction Fuzzy Hash: 00E092711052287BD7201B729D0DFFB3EACEF53BA1F100069F506D30809EA0C980C6B0

Function 00BF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BF8887
LineTo.GDI32(?,?,?), ref: 00BF8894
EndPath.GDI32(?), ref: 00BF88A4
StrokePath.GDI32(?), ref: 00BF88B2

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction ID: b5a19d7b014a8bd265c5efd4bfc6112729222909e9bbec36a0839f1bc3b5b43e
Opcode Fuzzy Hash: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction Fuzzy Hash: 24F03A36041259BADB125FA4AD09FEE3E59AF06310F048141FA11670E2CB755561CBA5

Function 00B798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B798CC
SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction ID: 397bca79d9d55b38aeb446828ac028df905800b86157697f4d9ade65da4f4f6c
Opcode Fuzzy Hash: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction Fuzzy Hash: 12E06531244244ABEB215F74AD09BF83F50EB51336F148259F6F95A1E1CB714790DB10

Function 00BC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BC11D9), ref: 00BC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC164F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction ID: d41d7299af9e0297e9e16c929adc7090c8697176364b604a0a604368be93a95b
Opcode Fuzzy Hash: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction Fuzzy Hash: 4FE04632602215ABD7201BB4AE0DFA63FA8EF45792F148858F245DB080EE348485CB68

Function 00BBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD858
GetDC.USER32(00000000), ref: 00BBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction ID: 4fdb7d93eeb330ee62f8c24a7bcf288ddcc667466670ea810dad60f9820443af
Opcode Fuzzy Hash: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction Fuzzy Hash: 6FE0E5B0804208EFCB419FA09A48A7DBFF1AB08311F109449E84AE7350CB784995EF40

Function 00BBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD86C
GetDC.USER32(00000000), ref: 00BBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction ID: 7f5d248e336cc2e8e751f070c45dd191f060c8d8ef76343e2e91123b2e10e548
Opcode Fuzzy Hash: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction Fuzzy Hash: FDE012B0804208EFCB40AFA0DA08A7DBFF1BB08310F109448E84AE7350CF385996EF40

Function 00BD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BD4ED4

Strings

LPT, xrefs: 00BD4DFB
*, xrefs: 00BD4E10

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c688e29ca542ba71f3242cc447709910d31dd1f272a73d5efa983704d46fe290
Instruction ID: 0d75ff6f0c613a30bf390f612582a18fcea57d63d14ab2b1917975ac62ebb14c
Opcode Fuzzy Hash: c688e29ca542ba71f3242cc447709910d31dd1f272a73d5efa983704d46fe290
Instruction Fuzzy Hash: 39913D75A002449FCB14DF58C494EAABBF5EF44308F1980DAE80A9F362E775ED85CB91

Function 00B8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B8E30D

Strings

pow, xrefs: 00B8E2E5, 00B8E302

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction ID: cef3df1ccf47fcaa2cdae1d0210e4777749c11f7a2d0a73bd7365cc36d9929d2
Opcode Fuzzy Hash: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction Fuzzy Hash: F0514AA1A6C60296CF167B18C9417BD3BE8EF40740F3449F8E4A5422B9DF34CC91DB4A

Function 00B7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B7E1B1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction ID: db2d04e5a78e158b7daee6816cb15fbcb27aa9eb71eb7388feb66c7b33e38512
Opcode Fuzzy Hash: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction Fuzzy Hash: 40510035504246EFDB15DF68C4816FA7BE8EF19310F2480D9E8B1AB2A1DB74DD42CBA0

Function 00B7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B7F2BB

Strings

@, xrefs: 00B7F2AF

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction ID: 05a200053483bc5b51e425af46cabc34e43b2e80af18f0d322edc2aa44f65c2b
Opcode Fuzzy Hash: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction Fuzzy Hash: AC5155714187459BD320AF50D886BAFBBF8FB84304F81888DF2D9411A5EB758529CB66

Function 00BE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00BE57E0
_wcslen.LIBCMT ref: 00BE57EC

Strings

CALLARGARRAY, xrefs: 00BE57E6, 00BE57EB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ee452b6849baa4fe34a561b5dc042c3023377cde994d9215021a133f7beb8b34
Instruction ID: d5d9f4b7862b9f13f8ad491b9047d6d327ec9a33ab6c04df86fc86ba557325c8
Opcode Fuzzy Hash: ee452b6849baa4fe34a561b5dc042c3023377cde994d9215021a133f7beb8b34
Instruction Fuzzy Hash: F041B231E00109DFCB24DFA9C8819BEBBF9FF59318F1441A9E515A7251EB349D81CB90

Function 00BDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BDD13A

Strings

|, xrefs: 00BDD10B

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction ID: 8e3851e289471ca7bfba4ab6de5d53430d14defa0f9147fa3088c5fda3241e9d
Opcode Fuzzy Hash: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction Fuzzy Hash: 99311A71D00209ABCF15EFA4CC85AEEBFF9FF04300F000199F915A6261E735AA46DB90

Function 00BF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BF365C

Strings

static, xrefs: 00BF35BC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 384d38a52507e055c220fb6c91325ca350c68f25a4fbdd595fb351d5ad129b33
Instruction ID: 9e6aa7a70188d289f28eaa15894817d7cc6a4454b2791da5eb9a4c693acb2e15
Opcode Fuzzy Hash: 384d38a52507e055c220fb6c91325ca350c68f25a4fbdd595fb351d5ad129b33
Instruction Fuzzy Hash: F0318D71110208AEDB109F68DC80EBB77E9FF98B24F008659FAA5D7290DA30ED95D760

Function 00BF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF4634

Strings

', xrefs: 00BF458E

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction ID: f81806e267f1acbf5d932555ffbc80353ac4a561680f7389bec3d976c968f827
Opcode Fuzzy Hash: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction Fuzzy Hash: 1131F574A01209AFDF14DFA9C990BEABBF5FB59300F1440AAEA05AB351D770A945CF90

Function 00BF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF3287

Strings

Combobox, xrefs: 00BF3249

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction ID: 1b5bc8cf1faaa9438df18e3dcd65959829ffb4d90d416a79ae7336dba3e05076
Opcode Fuzzy Hash: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction Fuzzy Hash: B311B27130020C7FFF219E54DC80EBB3BEAEB98764F104265FA1897290D631DD559760

Function 00BF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

GetWindowRect.USER32(00000000,?), ref: 00BF377A
GetSysColor.USER32(00000012), ref: 00BF3794

Strings

static, xrefs: 00BF3757

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction ID: e515e2949e018783128516f4419cd790ee59ba8d8072be2c04027862ed9f99ca
Opcode Fuzzy Hash: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction Fuzzy Hash: 601106B2610209AFDB00EFA8C846EBA7BE8EB08714F004954FA55E3250DB35E955DB50

Function 00BDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BDCDA6

Strings

<local>, xrefs: 00BDCD66

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction ID: 12d047f736f68bf2506bbb1d7eb98331c7696e9f380adf1cadbba8db4efd6f71
Opcode Fuzzy Hash: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction Fuzzy Hash: 0611A3712056367AD7284A668C85EF7FEAAEF127A4F104277B11A83290E6609840D6F0

Function 00BF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BF34BA

Strings

edit, xrefs: 00BF348F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction ID: 9bf704fb37aa702a2897cb02ede15fc7e2d396f3ce390f0d4c53d8a65e6f6c74
Opcode Fuzzy Hash: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction Fuzzy Hash: 5311BC7110020CAFEB128E64DC80ABB3BEAEB04B74F504364FA60932E0C771DD999B60

Function 00BC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BC6CB6
_wcslen.LIBCMT ref: 00BC6CC2

Strings

STOP, xrefs: 00BC6CBC, 00BC6CC1

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction ID: 440ccae411bc6831978dde2c9ee29e3f70e4ff9bbf23b64c08662de7313e8e62
Opcode Fuzzy Hash: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction Fuzzy Hash: 5801C032A1052A8BCB20AFFDDC80EBF77E9EB61720B1005BCE86297194EB35D940C650

Function 00BC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BC1D4C

Strings

ListBox, xrefs: 00BC1D16
ComboBox, xrefs: 00BC1CEB

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction ID: 2f51347b4b1936385fac12de1e773d6871b811221fb8c0407bf2f417c44ba22c
Opcode Fuzzy Hash: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction Fuzzy Hash: EF01D871601218ABCB04EBA4CD51EFF77E8EB57350B140DADF823672C2EA349908C660

Function 00BC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BC1C46

Strings

ListBox, xrefs: 00BC1C10
ComboBox, xrefs: 00BC1BE5

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction ID: 12b6f48af06cec1687725d1c05c500c598c7bd211ffb21393db5aa4f7d7035c5
Opcode Fuzzy Hash: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction Fuzzy Hash: 0B01A77578110867CB04EB94CA51FFF77ECDB12340F14049DB40677282EA349E18E6B1

Function 00BC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BC1CC8

Strings

ListBox, xrefs: 00BC1C94
ComboBox, xrefs: 00BC1C69

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction ID: fb8ed551bb2dd66ca77e6f851cc4fc5ea068b5ad95f7128020109fda7cfb8ce2
Opcode Fuzzy Hash: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction Fuzzy Hash: EB018F7168021867CB04EBA4CA51FFF77ECDB12380F540499B802B7282EA349E18D671

Function 00BC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BC1DD3

Strings

ListBox, xrefs: 00BC1DA0
ComboBox, xrefs: 00BC1D75

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction ID: de1b0562150d1d98f03f9cd5dc258b149098e8acc577c653bdcb614202f9139e
Opcode Fuzzy Hash: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction Fuzzy Hash: 36F0A471B5121867DB04F7A8DD92FFF77ECEB12750F440DA9B822B32C2DA7459088660

Function 00BE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE7493
_wcslen.LIBCMT ref: 00BE74B9

Strings

3, 3, 16, 1, xrefs: 00BE7483

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction ID: 4ecba43e7b40aa2a556c173ecdedc5952c1f236109186aeee7978457c84247d3
Opcode Fuzzy Hash: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction Fuzzy Hash: 1EE02B02245261149231227BECC197F56D9CFC975071018ABF985C23B6EF94CD91D3A0

Function 00BC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BC0B23

Strings

Error allocating memory., xrefs: 00BC0B1C
AutoIt, xrefs: 00BC0B17

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 053dfe9d28a4094bb4772393a1ee8e420391ebcf1ddd226503584c5887ccd77a
Instruction ID: d8e88e696489b7d943f4b96163b3f2ce9675cc8689080b899aa0c352d2ab43ae
Opcode Fuzzy Hash: 053dfe9d28a4094bb4772393a1ee8e420391ebcf1ddd226503584c5887ccd77a
Instruction Fuzzy Hash: 45E0483228931D6AD21436557D03FA97FC4CF05B51F1044AAFB58965D38FE168D087ED

Function 00B80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B80D71,?,?,?,00B6100A), ref: 00B7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B80D7F

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction ID: be2abcea14b7e2849324af7e5059b9445af116dccd0ec66beff47760a54adc95
Opcode Fuzzy Hash: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction Fuzzy Hash: F2E06D702103028FD3A0BFB9E5043667BE4EF00780F0489BDE886C7661DBB4E488CB91

Function 00BD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BD3044

Strings

aut, xrefs: 00BD3038

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction ID: d71c12389162d9b464c834a3a3d117d09acf34809e73d49eee5ddf3694efc890
Opcode Fuzzy Hash: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction Fuzzy Hash: 50D05E72500328A7DA20A7A4AD0EFDB3E6CDB04750F0002A1B655E3092DEB09984CAE0

Function 00BBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BBD220

Strings

%.3d, xrefs: 00BBD22B
X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction ID: ddec2e7207602ad899893e688b6fe174c83e711a1680c50edf2ac22ee110061a
Opcode Fuzzy Hash: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction Fuzzy Hash: 47D01261C09159EBCB50D7D0DCC59F9B7FCEB08341F5084E2F91A92040F66CC948AB61

Function 00BF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BF233F

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2325

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction ID: e985e1bcd37e2b6ae63eba7a7729a75c878b0c59e4073eee3eaae537e3261393
Opcode Fuzzy Hash: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction Fuzzy Hash: 8ED01276394314B7E664B770ED0FFD67E54AB10B10F0049267755EB1D0CDF0A881CA54

Function 00BF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF236C
PostMessageW.USER32(00000000), ref: 00BF2373

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2365

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction ID: fb97ad845171eb79dfad210004aed63f3588a220f35c25de6d56e7b9e29929d1
Opcode Fuzzy Hash: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction Fuzzy Hash: 17D0C972385314BAE664A770AD0FFD66A54AB15B10F4049267655EB1D0C9F0A881CA54

Function 00B9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B9BE93
GetLastError.KERNEL32 ref: 00B9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9BEFC

Memory Dump Source

Source File: 00000000.00000002.2141432848.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.2141406677.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141509973.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141827763.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142002090.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction ID: c72df82b3246c9cd85e89eb56b331e5700b7a2513cf360ae79e47c44364e2594
Opcode Fuzzy Hash: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction Fuzzy Hash: 5941B13560060AABCF219F64EE84FBA7BE9EF41310F1441F9F959971A1DB308D01CB50

Analysis Process: firefox.exePID: 7684, Parent PID: 5612COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002BBC39EB6B2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002BBC39EB717

Strings

>, xrefs: 000002BBC39EF7BF
A, xrefs: 000002BBC39EB70F
z, xrefs: 000002BBC39ECCF6
#, xrefs: 000002BBC39EC7F1
>, xrefs: 000002BBC39EC51C
>, xrefs: 000002BBC39EB779
4, xrefs: 000002BBC39EF799
z, xrefs: 000002BBC39EB74B
#, xrefs: 000002BBC39EB742
#, xrefs: 000002BBC39E9A85

Memory Dump Source

Source File: 00000011.00000002.3346202188.000002BBC39E9000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BBC39E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2bbc39e9000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 6cc3471c707eb26ffd49f23f1d60f3d0168e14ef2de7cce6927e110a92977424
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 65A3E531618A498FDB2EDF28DC852A977E5FB98700F54422ED84BC7251DF74EA028BC5

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2263277107.000021A9C5703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: )://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2262976067.00000FFD06603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: )://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2263277107.000021A9C5703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: )www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2263277107.000021A9C5703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2263277107.000021A9C5703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2262976067.00000FFD06603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195255379.00000224DC806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2262976067.00000FFD06603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2322324504.00000224DA245000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320834102.00000224DA245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2322324504.00000224DA245000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320834102.00000224DA245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.comX equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2302067048.00000224E647B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277537659.00000224E647A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271503504.00000224E647A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E252D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2294371681.00000224DC581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294371681.00000224DC591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302067048.00000224E647B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289641299.00000224E2557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152224861.00000224E2556000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289641299.00000224E2557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152224861.00000224E2556000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2152000681.00000224E256D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E252D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274271030.00000224E2569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3340679896.000002BBC3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA0710C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3340679896.000002BBC3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA0710C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3340679896.000002BBC3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3340750130.000001BA0710C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2195255379.00000224DC806000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272123828.00000224E4EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255667449.00000224E4E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2294371681.00000224DC581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294371681.00000224DC591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302067048.00000224E647B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2322324504.00000224DA245000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320834102.00000224DA245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com5 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2320834102.00000224DA258000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321351112.00000224DA276000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comLMEM( equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2263277107.000021A9C5703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2322324504.00000224DA245000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320834102.00000224DA245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comebs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2337322140.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316757565.00000224E45EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2294371681.00000224DC581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296934694.00000224DBCFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311965275.00000224DC5E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49937 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_583749b1-4fef-47bf-b3b8-0068aafd6966.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_583749b1-4fef-47bf-b3b8-0068aafd6966.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre